[asterisk-users] !<command> from Manager

Tzafrir Cohen tzafrir.cohen at xorcom.com
Sat Oct 31 16:23:30 CDT 2009


On Sat, Oct 31, 2009 at 12:04:18PM -0400, cbulist wrote:
> Hi,
> 
> Is it possible to run a !<command> from Manager connection?

No. You can implement it yourself.

'!' is not sent to the asterisk daemon. Rather, the local client runs a
command.

For instance:

# id -a
uid=0(root) gid=0(root) groups=0(root)

# ps u `cat /var/run/asterisk/asterisk.pid `
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
asterisk  4314  0.0  0.2 698424  5036 ?        Ssl  Oct10  17:53 /usr/sbin/aster

# asterisk -r
Asterisk 1.6.2.0~dfsg~beta4-0.7501, Copyright (C) 1999 - 2009 Digium, Inc. and others.
Created by Mark Spencer <markster at digium.com> Asterisk comes with ABSOLUTELY NO WARRANTY; type 'core show warranty'
for details.
This is free software, with components licensed under the GNU General Public
License version 2 and other licenses; you are welcome to redistribute it under
certain conditions. Type 'core show license' for details.
=========================================================================
This package has been modified for the Debian GNU/Linux distribution
Please report all bugs to http://bugs.debian.org/asterisk
=========================================================================
Connected to Asterisk 1.6.2.0~dfsg~beta4-0.7501 currently running on
sweetmorn (pid = 4314)
sweetmorn*CLI> !id -a
uid=0(root) gid=0(root) groups=0(root)


That said, the dialplan application System allows you to do that.
E.g. look for the dialplan snippet that includes the extension called
'executecommand' which is embedded in
http://svn.digium.com/svn/asterisk-gui/branches/2.0/config/js/pbx.js

Needless to say that this opens the door to shell code injection
attacks, such as the one described in
http://www.csnews.com/csn/news/article_display.jsp?vnu_content_id=1004015447

Actually http://en.wikipedia.org/wiki/Code_injection#Shell_injection
will probably be more useful.

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
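
The difference between handing a string to the shell, as a System()-style call does, and running a fixed command from an allowlist with no shell, shown as an added example that is not part of the original post and is not code from Asterisk or asterisk-gui. The allowlist, the command names and the function names are hypothetical, and the input is a constructed sample.

```python
import re
import subprocess

# Hypothetical allowlist: names a remote caller may request, each mapped to a
# fixed argv prefix. Nothing here comes from Asterisk or asterisk-gui.
ALLOWED = {
    "whoami": ["id", "-a"],
    "say": ["echo"],
}
# Arguments are limited to a conservative character set (no shell metacharacters).
SAFE_ARG = re.compile(r"[A-Za-z0-9_./:@-]{1,64}")


def build_argv(name, args):
    """Return the argv to execute, or raise ValueError for anything off-list."""
    if name not in ALLOWED:
        raise ValueError("command not allowed: %r" % name)
    for a in args:
        # Reject option-looking values and anything outside the safe set.
        if a.startswith("-") or not SAFE_ARG.fullmatch(a):
            raise ValueError("argument rejected: %r" % a)
    return ALLOWED[name] + list(args)


def run_allowed(name, args=()):
    """Run an allowlisted command with no shell involved; return its stdout."""
    argv = build_argv(name, args)
    out = subprocess.run(argv, capture_output=True, text=True, timeout=5, check=True)
    return out.stdout


def run_via_shell(template, value):
    """Shell-string style: the whole formatted string goes to /bin/sh -c."""
    cmd = template % value
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=5)
    return out.stdout


if __name__ == "__main__":
    constructed = "hello; echo INJECTED"  # constructed sample input
    print(repr(run_via_shell("echo %s", constructed)))  # shell splits on ';'
    try:
        run_allowed("say", constructed.split())
    except ValueError as exc:
        print("rejected:", exc)
    print(repr(run_allowed("say", ["hello"])))
```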