[asterisk-dev] AMI 'originate' permission is broken [was: Re: AST-2012-012: Asterisk Manager User Unauthorized Shell Access]

Tilghman Lesher tilghman at meg.abyt.es
Sun Sep 2 11:57:37 CDT 2012


On Sun, Sep 2, 2012 at 3:16 AM, Olle E. Johansson <oej at edvina.net> wrote:
>
> 2 sep 2012 kl. 02:33 skrev "Matthew Jordan" <mjordan at digium.com>:
>
>> That would certainly be a step in the right direction, and would help to limit
>> some more common ways of exploiting this problem.  You would have to also scan
>> the application data field to catch malicious dialplan redirections.
>>
>> I have a feeling that this could be exploited even with such a restriction.
>> Without a comprehensive class permission system, there is probably a way that
>> an authenticated user could do something that the dialplan writer did not
>> intend, if they have the ability to create channels.
>
> Well, that's manager. You can run any dialplan function and any application at any
> point in time. Manager is meant to control the pbx and by allowing users access
> through manager, you open up for total control. We can limit in various ways,
> but I don't believe it is ever going to be an end-user API that should be open for normal
> and untrusted users.

The API isn't, but the manager interface is useful for various
desktop-type applications, such as the old gastman interface.  In so
giving a person that interface, you may unintentionally give them the
ability to run arbitrary commands, if they simply use the username and
password provided to the GUI to connect without the GUI.  So while
it's not intended to be used for that purpose, the whole idea of a
separate permission was to try to limit a GUI like this down to only
the set of operations that you'd want a nontechnical user to have.
And one of those is to originate a call, without being able to execute
administrative commands.

I agree that it's problematic, but it's critical that you be able to
make that delineation.  Otherwise, we potentially open up the fact
that EVERY Asterisk installation needs to have a wide open security
hole in order for anyone to have a useful GUI through AMI.  So from a
high level, we NEED the originate permission to be there, and we NEED
it to prevent the user from obtaining system privileges.

As far as passing security permissions along to applications and
functions, that seems like overkill.  We don't need to stop security
holes from poorly written dialplans; that requires education of the
individual administrator, should they need to enable AMI.  But we do
need to prevent security holes that exist despite the best writing of
dialplans.

-Tilghman
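As an added example (not code from this thread or from Asterisk itself), here is the kind of pre-check an AMI proxy or gateway could apply to Originate actions in the spirit of the restriction discussed above: an allowlist on Application and Context, and a scan of Data for dialplan expressions. The allowlists, the `${`/`$[` expression rule and the sample actions are assumptions constructed for the example, not the project's policy.

```python
import re

# AMI actions are blocks of "Key: Value" lines ended by an empty line (CRLF).
# Constructed sample Originate action, not captured from a real system.
SAFE_ORIGINATE = (
    "Action: Originate\r\n"
    "ActionID: 1\r\n"
    "Channel: SIP/1001\r\n"
    "Application: Dial\r\n"
    "Data: SIP/1002,30\r\n"
    "\r\n"
)

# Assumed policy (not Asterisk's own): an originate-only user may start only
# these applications, may only drop a call into these contexts, and may not
# pass any ${...} or $[...] expression, so no dialplan function or variable
# is evaluated on the user's behalf.
ALLOWED_APPS = {"dial", "playback", "echo"}
ALLOWED_CONTEXTS = {"from-gui"}
EXPANSION = re.compile(r"\$[\{\[]")


def parse_action(raw):
    """Parse one AMI action block into a dict with lower-cased keys."""
    fields = {}
    for line in raw.split("\r\n"):
        if not line:            # empty line terminates the action
            break
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def check_originate(raw, apps=ALLOWED_APPS, contexts=ALLOWED_CONTEXTS):
    """Return (allowed, reason) for an action under the assumed policy."""
    f = parse_action(raw)
    if f.get("action", "").lower() != "originate":
        return True, "not an originate action"
    app, data, ctx = f.get("application", ""), f.get("data", ""), f.get("context", "")
    if app and app.lower() not in apps:
        return False, "application %r not in allowlist" % app
    if ctx and ctx.lower() not in contexts:
        return False, "context %r not in allowlist" % ctx
    if EXPANSION.search(data):
        return False, "Data contains a dialplan expression"
    return True, "ok"
```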
