[asterisk-dev] AMI 'originate' permission is broken [was: Re: AST-2012-012: Asterisk Manager User Unauthorized Shell Access]

Matthew Jordan mjordan at digium.com
Mon Sep 3 17:30:23 CDT 2012


----- Original Message -----
> From: "Tzafrir Cohen" <tzafrir.cohen at xorcom.com>
> To: asterisk-dev at lists.digium.com
> Sent: Monday, September 3, 2012 8:33:34 AM
> Subject: Re: [asterisk-dev] AMI 'originate' permission is broken [was: Re: AST-2012-012: Asterisk Manager User Unauthorized Shell Access]
> 
> On Sat, Sep 01, 2012 at 07:33:29PM -0500, Matthew  Jordan wrote:
> 
> 
> If Application is given, the 'originate' permission will not be used.
> So we don't need to worry about this one.

That is not the current behavior.  You do not need a permission other than the
originate permission to execute an application.  There is an explicit check
for certain application names that then requires the manager account to have the
system permission; however, the point of the README is that this approach does
not - and cannot - hope to prevent all possible permission authorization
escalations.

If you change the behavior such that specifying any application requires some
other class authorization, that would be a major breaking change.
 
> Olle's suggested fix of limiting a context mitigates that: the
> context you do expose should not have that.
> 

Playing around with this some this weekend, I found that attempting to use a
Goto as the application with a specific non-allowed portion of the dialplan
specified in the Data field caused the channel to automatically hangup, at least
with the standard Asterisk dialplan.  That may be more of a 'bug' than a
'feature', but it at least prevents the scenario I was alluding to.

There is at least still one way I can think of to cause a permission
escalation with a limited context.  I would guess that there are more.  As
discussing specifics on a public mailing list would be a bad idea, if people
are interested, I can create a restricted JIRA issue to discuss it in further
depth.

--
Matthew Jordan
Digium, Inc. | Engineering Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org
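As an added defensive check that is not part of this thread or of Asterisk itself: a small audit script that lists which manager accounts hold the 'originate' write class, since, as described above, that class alone is enough to run dialplan applications through Originate. The manager.conf sample is constructed here, and the parser assumes the usual ini-style layout with a [general] section followed by one section per account.

```python
import configparser

# Constructed sample manager.conf (not taken from the thread). [general] is the
# daemon section; every other section is a manager account with read=/write=
# comma-separated permission classes.
SAMPLE_MANAGER_CONF = """\
[general]
enabled = yes
bindaddr = 127.0.0.1

[clicky]
secret => s3cret
read = system,call,log
write = originate,call

[monitor]
secret = s3cret
read = call,cdr
write = reporting

[admin]
secret = s3cret
read = all
write = all
"""


def parse_manager_conf(text):
    """Return {account: {'read': set, 'write': set}} from manager.conf text."""
    # Asterisk accepts both "key = value" and "key => value"; normalise the latter.
    normalised = text.replace("=>", "=")
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(normalised)
    accounts = {}
    for section in cp.sections():
        if section.lower() == "general":
            continue  # daemon settings, not an account
        perms = {}
        for key in ("read", "write"):
            raw = cp.get(section, key, fallback="")
            perms[key] = {p.strip().lower() for p in raw.split(",") if p.strip()}
        accounts[section] = perms
    return accounts


def accounts_that_can_originate(text):
    """Accounts whose write classes include 'originate' ('all' implies it)."""
    return sorted(
        name for name, perms in parse_manager_conf(text).items()
        if perms["write"] & {"originate", "all"}
    )


if __name__ == "__main__":
    print(accounts_that_can_originate(SAMPLE_MANAGER_CONF))
```

Each account the script reports should be reviewed for whether it truly needs to originate calls, and, following the thread, which dialplan contexts those calls can reach.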