[asterisk-dev] AMI 'originate' permission is broken [was: Re: AST-2012-012: Asterisk Manager User Unauthorized Shell Access]

Tilghman Lesher tilghman at meg.abyt.es
Mon Sep 3 19:12:18 CDT 2012 

On Mon, Sep 3, 2012 at 5:30 PM, Matthew  Jordan <mjordan at digium.com> wrote:
>
> ----- Original Message -----
>> From: "Tzafrir Cohen" <tzafrir.cohen at xorcom.com>
>> To: asterisk-dev at lists.digium.com
>> Sent: Monday, September 3, 2012 8:33:34 AM
>> Subject: Re: [asterisk-dev] AMI 'originate' permission is broken [was:        Re:     AST-2012-012: Asterisk Manager User
>> Unauthorized Shell Access]
>>
>> On Sat, Sep 01, 2012 at 07:33:29PM -0500, Matthew  Jordan wrote:
>>
>>
>> If Application is given, the 'originate' permission will not be used.
>> So
>> we don't need to worry about this one.
>
> That is not the current behavior.  You do not need a permission other than the
> originate permission to execute an application.  There is an explicit check
> for certain application names that then requires the manager account to have the
> system permission; however, the point of the README is that this approach does
> not - and cannot - hope to prevent all possible permission authorization
> escalations.
>
> If you change the behavior such that specifying any application requires some
> other class authorization, that would be a major breaking change.
>
>> Olle's suggested fix of limiting a context mitigates that: the
>> context
>> you do expose should not have that.
>>
>
> Playing around with this some this weekend, I found that attempting to use a
> Goto as the application with a specific non-allowed portion of the dialplan
> specified in the Data field caused the channel to automatically hangup, at least
> with the standard Asterisk dialplan.  That may be more of a 'bug' than a
> 'feature', but it at least prevents the scenario I was alluding to.

Not sure why you'd think that.  When you originate with an
application, the channel hangs up when that application exits.  Since
all Goto really does is to set a few channel struct elements, it exits
quickly and the channel hangs up.  For it to do more, it would need to
follow a dialplan.

> There is at least still one way I can think of to cause a permission
> escalation with a limited context.  I would guess that there are more.  As
> discussing specifics on a public mailing list would be a bad idea, if people
> are interested, I can create a restricted JIRA issue to discuss it in further
> depth.

I'm quite interested.  As I said in the other message, this is
critical functionality for a lot of people so just resigning to the
idea that originate needs system permission is not a good solution.

-Tilghman

More information about the asterisk-dev mailing list