[asterisk-dev] AMI 'originate' permission is broken [was: Re: AST-2012-012: Asterisk Manager User Unauthorized Shell Access]
Olle E. Johansson
oej at edvina.net
Sat Sep 1 09:27:29 CDT 2012
On 1 Sep 2012, at 12:30, Tzafrir Cohen <tzafrir.cohen at xorcom.com> wrote:
> On Thu, Aug 30, 2012 at 03:45:18PM -0500, Asterisk Security Team wrote:
>
>> Unfortunately, the approach of inspecting fields in the
>> Originate action against known applications/functions has a
>> significant flaw. The predefined set of values can be
>> bypassed by creative use of the Originate action or by
>> certain dialplan configurations, which is beyond the
>> ability of Asterisk to analyze at run-time. Attempting to
>> work around these scenarios would result in severely
>> restricting the applications or functions and prevent their
>> usage for legitimate means. As such, any additional
>> security vulnerabilities, where an application/function
>> that would normally require the "system" class
>> authorization can be executed by users with the "originate"
>> class authorization, will not be addressed. Instead, the
>> README-SERIOUSLY.bestpractices.txt file has been updated to
>> reflect that the AMI Originate action can result in
>> commands requiring the "system" class authorization to be
>> executed. Proper system configuration can limit the impact
>> of such scenarios.
>
> I believe this means that the 'originate' permission is broken: it can't
> guarantee anything. The thing is that as long as a user can create an
> Asterisk dialplan, there's really no good way of properly containing
> that user.
>
> So maybe this means that the 'originate' permission should not grant
> permission to the 'Application' form of originating a call? 'originate'
> should be a simple method of creating a call to an existing context.
>
> Q: But it breaks existing systems!
>
> A: The fact that 'originate' does not protect you from full access
> breaks systems. If you don't want the limited form, just give the
> user the 'system' permission and be done with it. Heck, chances are
> you already do :-( .
>
> Alternatively: maybe nobody uses this permission and it should be
> deprecated / removed?
>
Just to limit originate a bit more I have a branch with a context= definition
for manager originate and redirect, so you can limit the manager account
from reaching all of your dialplan.
That's a small step in the right direction. It's been on subversion for a long
time. Don't remember if it's been on reviewboard, but this might be a good
time to upload it.
/O
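
The advisory quoted above says the AMI Originate action can run commands that need the "system" class. As an added example (not code from this thread or from the Asterisk project), the script below audits a manager.conf for accounts whose write classes include originate without system; the sample configuration, account names and report labels are constructed.

```python
import re

# Constructed sample manager.conf (account names and secrets are made up).
SAMPLE_CONF = """\
[general]
enabled = yes
[dialer]            ; click-to-call web app
secret = constructed-secret-1
read = call
write = originate
[admin]
secret = constructed-secret-2
read = all
write = system,call,originate
[monitor]
secret = constructed-secret-3
read = call,reporting
write =
"""

def parse_manager_conf(text):
    """Return {account: {key: value}} for every section except [general]."""
    accounts, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        m = re.match(r"\[([^\]]+)\]", line)
        if m:
            name = m.group(1).strip()
            current = None if name.lower() == "general" else accounts.setdefault(name, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return accounts

def classes(value):
    return {c.strip().lower() for c in value.split(",") if c.strip()}

def audit(text):
    """Label each account by what its write classes allow in practice."""
    report = {}
    for name, opts in parse_manager_conf(text).items():
        write = classes(opts.get("write", ""))
        if write & {"system", "all"}:
            report[name] = "system (explicit)"
        elif "originate" in write:
            # Per the advisory, treat originate as reaching system-class commands.
            report[name] = "system-equivalent via originate"
        else:
            report[name] = "no originate"
    return report
```

Accounts reported as "system-equivalent via originate" are the ones to review: either accept that they hold system-level access or remove the originate class.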