[test-results] [Bamboo] Asterisk Testing > Asterisk Trunk > #625 has FAILED (24 tests failed, no failures were new). Change made by Matthew Jordan.

Bamboo bamboo at asterisk.org
Fri Aug 31 02:50:04 CDT 2012


-----------------------------------------------------------------------
Asterisk Testing > Asterisk Trunk > #625 failed.
-----------------------------------------------------------------------
Code has been updated by Matthew Jordan.
24/287 tests failed, no failures were new.

http://bamboo.asterisk.org/browse/TESTING-ASTERISKTRUNK-625/


--------------
Failing Jobs
--------------
  - Asterisk CentOS 6 64-Bit (CentOS 6): 24 of 287 tests failed.



--------------
Code Changes
--------------
Matthew Jordan (372001):

>AST-2012-012: Resolve AMI User Unauthorized Shell Access through ExternalIVR
>
>The AMI Originate action can allow a remote user to specify information that can
>be used to execute shell commands on the system hosting Asterisk. This can
>result in an unwanted escalation of permissions, as the Originate action, which
>requires the "originate" class authorization, can be used to perform actions
>that would typically require the "system" class authorization. Previous attempts
>to prevent this permission escalation (AST-2011-006, AST-2012-004) have sought
>to do so by inspecting the names of applications and functions passed in with
>the Originate action and, if those applications/functions matched a predefined
>set of values, rejecting the command if the user lacked the "system" class
>authorization. As reported by IBM X-Force Research, the "ExternalIVR"
>application is not listed in the predefined set of values. The solution for
>this particular vulnerability is to include the "ExternalIVR" application in the
>set of defined applications/functions that require "system" class authorization.
>
>Unfortunately, the approach of inspecting fields in the Originate action against
>known applications/functions has a significant flaw. The predefined set of
>values can be bypassed by creative use of the Originate action or by certain
>dialplan configurations, which is beyond the ability of Asterisk to analyze at
>run-time. Attempting to work around these scenarios would result in severely
>restricting the applications or functions and prevent their usage for legitimate
>means. As such, any additional security vulnerabilities, where an
>application/function that would normally require the "system" class
>authorization can be executed by users with the "originate" class authorization,
>will not be addressed. Instead, the README-SERIOUSLY.bestpractices.txt file has
>been updated to reflect that the AMI Originate action can result in commands
>requiring the "system" class authorization to be executed. Proper system
>configuration can limit the impact of such scenarios.
>
>(closes issue ASTERISK-20132)
>Reported by: Zubair Ashraf of IBM X-Force Research
>........
>
>Merged revisions 371998 from http://svn.asterisk.org/svn/asterisk/branches/1.8
>........
>
>Merged revisions 371999 from http://svn.asterisk.org/svn/asterisk/branches/10
>........
>
>Merged revisions 372000 from http://svn.asterisk.org/svn/asterisk/branches/11
>



--------------
Tests
--------------
Existing Test Failures (24)
   - AsteriskTestSuite: S/fastagi/control-stream-file
   - AsteriskTestSuite: S/fastagi/database
   - AsteriskTestSuite: S/fastagi/connect
   - AsteriskTestSuite: S/fastagi/get-data
   - AsteriskTestSuite: S/fastagi/say-digits
   - AsteriskTestSuite: S/fastagi/stream-file
   - AsteriskTestSuite: S/fastagi/record-file
   - AsteriskTestSuite: S/channels/SIP/sip blind transfer/callee with reinvite
   - AsteriskTestSuite: S/channels/SIP/secure bridge media
   - AsteriskTestSuite: S/apps/chanspy/chanspy barge
   - AsteriskTestSuite: S/apps/chanspy/chanspy w mixmonitor
   - AsteriskTestSuite: S/channels/SIP/sip blind transfer/callee refer only
   - AsteriskTestSuite: S/fastagi/say-date
   - AsteriskTestSuite: S/channels/SIP/noload res srtp
   - AsteriskTestSuite: S/fastagi/say-number
   - AsteriskTestSuite: S/fastagi/channel-status
   - AsteriskTestSuite: S/channels/SIP/noload res srtp attempt srtp
   - AsteriskTestSuite: S/channels/SIP/sip srtp
   - AsteriskTestSuite: S/fastagi/hangup
   - AsteriskTestSuite: S/fastagi/execute
   - AsteriskTestSuite: S/fastagi/say-time
   - AsteriskTestSuite: S/fastagi/say-datetime
   - AsteriskTestSuite: S/fastagi/say-phonetic
   - AsteriskTestSuite: S/fastagi/say-alpha

--
This message is automatically generated by Atlassian Bamboo