[asterisk-users] AST-2011-006: Asterisk Manager User Shell Access

Tzafrir Cohen tzafrir.cohen at xorcom.com
Fri Apr 22 15:45:34 CDT 2011


On Thu, Apr 21, 2011 at 04:40:39PM -0500, Asterisk Security Team wrote:
>                Asterisk Project Security Advisory - AST-2011-006
> 
>          Product        Asterisk                                              
>          Summary        Asterisk Manager User Shell Access                    
>     Nature of Advisory  Permission Escalation                                 
>       Susceptibility    Remote Authenticated Sessions                         
>          Severity       Minor                                                 
>       Exploits Known    Yes                                                   
>        Reported On      February 10, 2011                                     
>        Reported By      Mark Murawski <markm AT intellasoft DOT net>          
>         Posted On       April 21, 2011                                        
>      Last Updated On    April 21, 2011                                        
>      Advisory Contact   Matthew Nicholson <mnicholson at digium.com>             
>          CVE Name       
> 
>    Description It is possible for a user of the Asterisk Manager Interface to 
>                bypass a security check and execute shell commands when they   
>                should not have that ability. Sending the "Async" header with  
>                the "Application" header during an Originate action, allows    
>                authenticated manager users to execute shell commands. Only    
>                users with the "system" privilege should be able to do this.   
> 
>    Resolution Asterisk now performs the proper access check where appropriate 
>               during the originate manager action.                            

So basically doing some dangerous stuff is only allowed for users with
the 'system' write permission. Which brings up the interesting
question: are there any such users without such write permission?

IIRC most of the samples I saw included it even before it was actually
meaningful. In fact they all had something along the lines of:

  read = system,call,log,verbose,agent,user,config,dtmf,reporting,cdr,dialplan
  write = system,call,agent,user,config,command,reporting,originate

So here's a mini poll:

Do you have a manager interface user that does not have all the read and
write permissions? If so: how have you managed to do so?

* Reading documentation / source
* An existing sample
* Trial and Error

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
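As an added example (not code from the post or from the Asterisk project), the following script audits a manager.conf for the pattern the poll asks about: it parses each AMI user's read=/write= lines and reports who holds write:system (shell reach), who holds write:originate without write:system (the pair the advisory describes as equivalent before the fix), and whose permissions are at least as wide as the sample lines quoted above. The manager.conf text, user names and secrets are constructed for the demonstration; the set of permission classes is taken from the quoted sample lines and is assumed to be complete for the Asterisk release discussed, and the parser is a simplified reading of Asterisk's config syntax (';' comments, 'key = value' or 'key => value', a repeated read=/write= line replacing the earlier one).

```python
"""Audit an Asterisk manager.conf for AMI users that hold more write
permission than they need.  Added example; not code from the post or from
the Asterisk project."""
import re
from typing import Dict, Set

# Permission classes taken from the sample read=/write= lines quoted in
# the post.  Their union is treated here as the full set of classes
# (assumption); newer Asterisk releases add more, so extend KNOWN_PERMS
# when auditing those.
SAMPLE_READ = frozenset(
    "system,call,log,verbose,agent,user,config,dtmf,reporting,cdr,dialplan".split(","))
SAMPLE_WRITE = frozenset(
    "system,call,agent,user,config,command,reporting,originate".split(","))
KNOWN_PERMS = SAMPLE_READ | SAMPLE_WRITE

# Constructed manager.conf for demonstration (not a real deployment).
SAMPLE_MANAGER_CONF = """\
[general]
enabled = yes
bindaddr = 127.0.0.1      ; AMI on loopback only

[admin]                   ; copied straight from the sample file
secret = PLACEHOLDER_SECRET
read = system,call,log,verbose,agent,user,config,dtmf,reporting,cdr,dialplan
write = system,call,agent,user,config,command,reporting,originate

[monitor]                 ; read-only event consumer
secret = PLACEHOLDER_SECRET
read = call,log,verbose,cdr
write =

[dialer]                  ; may originate calls, has no 'system' write
secret = PLACEHOLDER_SECRET
read = call
write => call,originate

[legacy]                  ; 'all' shorthand
secret = PLACEHOLDER_SECRET
read = all
write = all
"""

_SECTION_RE = re.compile(r"^\[([^\]]+)\]")   # '[name]' or '[name](template)'


def _split_perms(value: str) -> Set[str]:
    """'a, b,c' -> {'a','b','c'}; the keyword 'all' expands to every class."""
    perms = {p.strip().lower() for p in value.split(",") if p.strip()}
    return set(KNOWN_PERMS) if "all" in perms else perms


def parse_manager_conf(text: str) -> Dict[str, Dict[str, Set[str]]]:
    """Return {user: {'read': set, 'write': set}} for every section except
    [general].  A repeated read=/write= line replaces the earlier one."""
    users: Dict[str, Dict[str, Set[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip ';' comments
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            if current != "general":
                users.setdefault(current, {"read": set(), "write": set()})
            continue
        if current is None or current == "general":
            continue
        sep = "=>" if "=>" in line else "="
        key, _, value = line.partition(sep)
        key = key.strip().lower()
        if key in ("read", "write"):
            users[current][key] = _split_perms(value)
    return users


def audit_users(users: Dict[str, Dict[str, Set[str]]]) -> Dict[str, dict]:
    """Flag, per user: shell reach (write:system), write:originate without
    write:system (the gap AST-2011-006 closed), a permission set at least
    as wide as the sample lines, and any class not in KNOWN_PERMS."""
    report = {}
    for name, perms in users.items():
        r, w = perms["read"], perms["write"]
        report[name] = {
            "shell_capable": "system" in w,
            "originate_without_system": "originate" in w and "system" not in w,
            "sample_or_more": r >= SAMPLE_READ and w >= SAMPLE_WRITE,
            "unknown_classes": sorted((r | w) - KNOWN_PERMS),
        }
    return report


if __name__ == "__main__":
    for user, flags in audit_users(parse_manager_conf(SAMPLE_MANAGER_CONF)).items():
        print(f"{user:10s} {flags}")
```

Run it against a real manager.conf by reading the file into `parse_manager_conf`; any user reported as `sample_or_more` is the copied-sample case the poll asks about, and any `originate_without_system` user is one whose effective privilege changed with the fix in the advisory.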