[svn-commits] mjordan: branch certified-1.8.15 r372052 - in /certified/branches/1.8.15: ./ ...

SVN commits to the Digium repositories svn-commits at lists.digium.com
Thu Aug 30 13:48:56 CDT 2012 

Author: mjordan
Date: Thu Aug 30 13:48:52 2012
New Revision: 372052

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=372052
Log:
AST-2012-012: Resolve AMI User Unauthorized Shell Access through ExternalIVR

The AMI Originate action can allow a remote user to specify information that can
be used to execute shell commands on the system hosting Asterisk. This can
result in an unwanted escalation of permissions, as the Originate action, which    
requires the "originate" class authorization, can be used to perform actions
that would typically require the "system" class authorization. Previous attempts
to prevent this permission escalation (AST-2011-006, AST-2012-004) have sought
to do so by inspecting the names of applications and functions passed in with
the Originate action and, if those applications/functions matched a predefined
set of values, rejecting the command if the user lacked the "system" class
authorization. As reported by IBM X-Force Research, the "ExternalIVR"
application is not listed in the predefined set of values. The solution for     
this particular vulnerability is to include the "ExternalIVR" application in the
set of defined applications/functions that require "system" class authorization.             
          
Unfortunately, the approach of inspecting fields in the Originate action against
known applications/functions has a significant flaw. The predefined set of
values can be bypassed by creative use of the Originate action or by certain
dialplan configurations, which is beyond the ability of Asterisk to analyze at
run-time. Attempting to work around these scenarios would result in severely         
restricting the applications or functions and prevent their usage for legitimate
means. As such, any additional security vulnerabilities, where an
application/function that would normally require the "system" class
authorization can be executed by users with the "originate" class authorization,
will not be addressed. Instead, the README-SERIOUSLY.bestpractices.txt file has
been updated to reflect that the AMI Originate action can result in commands
requiring the "system" class authorization to be executed. Proper system
configuration can limit the impact of such scenarios.         
          
(closes issue ASTERISK-20132)
Reported by: Zubair Ashraf of IBM X-Force Research

AST-2012-013: Resolve ACL rules being ignored during calls by some IAX2 peers

When an IAX2 call is made using the credentials of a peer defined in a dynamic
Asterisk Realtime Architecture (ARA) backend, the ACL rules for that peer are
not applied to the call attempt. This allows for a remote attacker who is aware
of a peer's credentials to bypass the ACL rules set for that peer.

This patch ensures that the ACLs are applied for all peers, regardless of their
storage mechanism.

(closes issue ASTERISK-20186)
Reported by: Alan Frisch
Tested by: mjordan, Alan Frisch

Modified:
    certified/branches/1.8.15/   (props changed)
    certified/branches/1.8.15/README-SERIOUSLY.bestpractices.txt
    certified/branches/1.8.15/channels/chan_iax2.c
    certified/branches/1.8.15/main/manager.c

Propchange: certified/branches/1.8.15/
------------------------------------------------------------------------------
--- branch-1.8-merged (original)
+++ branch-1.8-merged Thu Aug 30 13:48:52 2012
@@ -1,1 +1,1 @@
-/branches/1.8:1-369921,370769,371141,371201,371393,371436,371747,371782,371787
+/branches/1.8:1-369921,370769,371141,371201,371393,371436,371747,371782,371787,371998-372015

Modified: certified/branches/1.8.15/README-SERIOUSLY.bestpractices.txt
URL: http://svnview.digium.com/svn/asterisk/certified/branches/1.8.15/README-SERIOUSLY.bestpractices.txt?view=diff&rev=372052&r1=372051&r2=372052
==============================================================================
--- certified/branches/1.8.15/README-SERIOUSLY.bestpractices.txt (original)
+++ certified/branches/1.8.15/README-SERIOUSLY.bestpractices.txt Thu Aug 30 13:48:52 2012
@@ -22,6 +22,9 @@
 
 * Reducing Pattern Match Typos: 
         Using the 'same' prefix, or using Goto()
+
+* Manager Class Authorizations:
+        Recognizing potential issues with certain classes of authorization
 
 ----------------
 Additional Links
@@ -293,3 +296,51 @@
 exten => error,1,Verbose(2,Unable to lookup technology or device for extension)
 same => n,Playback(silence/1&num-not-in-db)
 same => n,Hangup()
+
+
+============================
+Manager Class Authorizations
+============================
+
+Manager accounts have associated class authorizations that define what actions
+and events that account can execute/receive.  In order to run Asterisk commands
+or dialplan applications that affect the system Asterisk executes on, the
+"system" class authorization should be set on the account.
+
+However, Manager commands that originate new calls into the Asterisk dialplan
+have the potential to alter or affect the system as well, even though the
+class authorization for origination commands is "originate".  Take, for example,
+the Originate manager command:
+
+Action: Originate
+Channel: SIP/foo
+Exten: s
+Context: default
+Priority: 1
+Application: System
+Data: echo hello world!
+
+This manager command will attempt to execute an Asterisk application, System,
+which is normally associated with the "system" class authorication.  While some
+checks have been put into Asterisk to take this into account, certain dialplan
+configurations and/or clever manipulation of the Originate manager action can
+circumvent these checks.  For example, take the following dialplan:
+
+exten => s,1,Verbose(Incoming call)
+same => n,MixMonitor(foo.wav,,${EXEC_COMMAND})
+same => n,Dial(SIP/bar)
+same => n,Hangup()
+
+Whatever has been defined in the variable EXEC_COMMAND will be executed after
+MixMonitor has finished recording the call.  The dialplan writer may have
+intended that this variable to be set by some other location in the dialplan;
+however, the Manager action Originate allows for channel variables to be set by
+the account initiating the new call.  This could allow the Originate action to
+execute some command on the system by setting the EXEC_COMMAND dialplan variable
+in the Variable: header.
+
+In general, you should treat the Manager class authorization "originate" the
+same as the class authorization "system".  Good system configuration, such as
+not running Asterisk as root, can prevent serious problems from arising when
+allowing external connections to originate calls into Asterisk.
+

Modified: certified/branches/1.8.15/channels/chan_iax2.c
URL: http://svnview.digium.com/svn/asterisk/certified/branches/1.8.15/channels/chan_iax2.c?view=diff&rev=372052&r1=372051&r2=372052
==============================================================================
--- certified/branches/1.8.15/channels/chan_iax2.c (original)
+++ certified/branches/1.8.15/channels/chan_iax2.c Thu Aug 30 13:48:52 2012
@@ -7618,10 +7618,10 @@
 	i = ao2_iterator_init(users, 0);
 	while ((user = ao2_iterator_next(&i))) {
 		if ((ast_strlen_zero(iaxs[callno]->username) ||				/* No username specified */
-			!strcmp(iaxs[callno]->username, user->name))	/* Or this username specified */
-			&& ast_apply_ha(user->ha, &addr) 	/* Access is permitted from this IP */
+			!strcmp(iaxs[callno]->username, user->name))			/* Or this username specified */
+			&& ast_apply_ha(user->ha, &addr) == AST_SENSE_ALLOW		/* Access is permitted from this IP */
 			&& (ast_strlen_zero(iaxs[callno]->context) ||			/* No context specified */
-			     apply_context(user->contexts, iaxs[callno]->context))) {			/* Context is permitted */
+				apply_context(user->contexts, iaxs[callno]->context))) {			/* Context is permitted */
 			if (!ast_strlen_zero(iaxs[callno]->username)) {
 				/* Exact match, stop right now. */
 				if (best)
@@ -7677,8 +7677,9 @@
 	user = best;
 	if (!user && !ast_strlen_zero(iaxs[callno]->username)) {
 		user = realtime_user(iaxs[callno]->username, sin);
-		if (user && !ast_strlen_zero(iaxs[callno]->context) &&			/* No context specified */
-		    !apply_context(user->contexts, iaxs[callno]->context)) {		/* Context is permitted */
+		if (user && (ast_apply_ha(user->ha, &addr) == AST_SENSE_DENY		/* Access is denied from this IP */
+			|| (!ast_strlen_zero(iaxs[callno]->context) &&					/* No context specified */
+				!apply_context(user->contexts, iaxs[callno]->context)))) {	/* Context is permitted */
 			user = user_unref(user);
 		}
 	}

Modified: certified/branches/1.8.15/main/manager.c
URL: http://svnview.digium.com/svn/asterisk/certified/branches/1.8.15/main/manager.c?view=diff&rev=372052&r1=372051&r2=372052
==============================================================================
--- certified/branches/1.8.15/main/manager.c (original)
+++ certified/branches/1.8.15/main/manager.c Thu Aug 30 13:48:52 2012
@@ -4085,6 +4085,7 @@
 				strcasestr(app, "agi") ||         /* AGI(/bin/rm,-rf /)
 				                                     EAGI(/bin/rm,-rf /)       */
 				strcasestr(app, "mixmonitor") ||  /* MixMonitor(blah,,rm -rf)  */
+				strcasestr(app, "externalivr") || /* ExternalIVR(rm -rf)       */
 				(strstr(appdata, "SHELL") && (bad_appdata = 1)) ||       /* NoOp(${SHELL(rm -rf /)})  */
 				(strstr(appdata, "EVAL") && (bad_appdata = 1))           /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
 				)) {

More information about the svn-commits mailing list