[asterisk-dev] AMI 'originate' permission is broken [was: Re: AST-2012-012: Asterisk Manager User Unauthorized Shell Access]

Tzafrir Cohen tzafrir.cohen at xorcom.com
Sat Sep 1 05:30:11 CDT 2012


On Thu, Aug 30, 2012 at 03:45:18PM -0500, Asterisk Security Team wrote:

> Unfortunately, the approach of inspecting fields in the
> Originate action against known applications/functions has a
> significant flaw. The predefined set of values can be
> bypassed by creative use of the Originate action or by
> certain dialplan configurations, which is beyond the
> ability of Asterisk to analyze at run-time. Attempting to
> work around these scenarios would result in severely
> restricting the applications or functions and prevent their
> usage for legitimate means. As such, any additional
> security vulnerabilities, where an application/function
> that would normally require the "system" class
> authorization can be executed by users with the "originate"
> class authorization, will not be addressed. Instead, the
> README-SERIOUSLY.bestpractices.txt file has been updated to
> reflect that the AMI Originate action can result in
> commands requiring the "system" class authorization to be
> executed. Proper system configuration can limit the impact
> of such scenarios.

I believe this means that the 'originate' permission is broken: it can't
guarantee anything. The thing is that as long as a user can create an
Asterisk dialplan, there's really no good way of properly containing
that user.

So maybe this means that the 'originate' permission should not grant
permission to the 'Application' form of originating a call? 'originate'
should be a simple method of creating a call to an existing context.

Q: But it breaks existing systems!

A: The fact that 'originate' does not protect you from full access
   breaks systems. If you don't want the limited form, just give the
   user the 'system' permission and be done with it. Heck, chances are
   you already do :-( .

Alternatively: maybe nobody uses this permission and it should be
deprecated / removed?

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
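
An added example, not part of the original message or of Asterisk itself: a defender-side audit of manager.conf that lists AMI users whose write= classes include 'originate' (or 'all') and marks those lacking an explicit 'system' grant, since per the quoted advisory they may still reach system-class commands. The sample configuration, user names and verdict labels are constructed, and the parser assumes plain [section] and key = value lines only.

```python
import re

# Constructed sample manager.conf; user names and secrets are made up.
SAMPLE_CONF = """\
[general]
enabled = yes

[dialer]            ; click-to-call web app
secret = example1
read = call
write = call,originate

[admin]
secret = example2
write = system,call,originate

[monitor]
secret = example3
read = all
write = reporting
"""

def parse_users(text):
    """Return {user: {key: value}} for every section except [general]."""
    users, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ';' comments
        if not line:
            continue
        m = re.match(r"\[([^\]]+)\]", line)
        if m:
            name = m.group(1)
            current = None if name == "general" else users.setdefault(name, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return users

def audit(text):
    """List users holding 'originate' (or 'all') on write, with a verdict."""
    findings = []
    for user, opts in parse_users(text).items():
        classes = {c.strip().lower() for c in opts.get("write", "").split(",")}
        if not classes & {"originate", "all"}:
            continue
        explicit = bool(classes & {"system", "all"})
        findings.append((user, "explicit-system" if explicit else "implicit-system"))
    return findings

if __name__ == "__main__":
    for user, verdict in audit(SAMPLE_CONF):
        print(f"{user}: {verdict}")
```

Users reported as implicit-system are the ones to review: either grant 'system' knowingly or remove 'originate' from their write= line.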


