[test-results] [Bamboo] Asterisk Testing > Asterisk Trunk > #625 has FAILED (24 tests failed, no failures were new). Change made by Matthew Jordan.
Bamboo
bamboo at asterisk.org
Fri Aug 31 02:50:04 CDT 2012
-----------------------------------------------------------------------
Asterisk Testing > Asterisk Trunk > #625 failed.
-----------------------------------------------------------------------
Code has been updated by Matthew Jordan.
24/287 tests failed, no failures were new.
http://bamboo.asterisk.org/browse/TESTING-ASTERISKTRUNK-625/
--------------
Failing Jobs
--------------
- Asterisk CentOS 6 64-Bit (CentOS 6): 24 of 287 tests failed.
--------------
Code Changes
--------------
Matthew Jordan (372001):
>AST-2012-012: Resolve AMI User Unauthorized Shell Access through ExternalIVR
>
>The AMI Originate action can allow a remote user to specify information that can
>be used to execute shell commands on the system hosting Asterisk. This can
>result in an unwanted escalation of permissions, as the Originate action, which
>requires the "originate" class authorization, can be used to perform actions
>that would typically require the "system" class authorization. Previous attempts
>to prevent this permission escalation (AST-2011-006, AST-2012-004) have sought
>to do so by inspecting the names of applications and functions passed in with
>the Originate action and, if those applications/functions matched a predefined
>set of values, rejecting the command if the user lacked the "system" class
>authorization. As reported by IBM X-Force Research, the "ExternalIVR"
>application is not listed in the predefined set of values. The solution for
>this particular vulnerability is to include the "ExternalIVR" application in the
>set of defined applications/functions that require "system" class authorization.
>
>Unfortunately, the approach of inspecting fields in the Originate action against
>known applications/functions has a significant flaw. The predefined set of
>values can be bypassed by creative use of the Originate action or by certain
>dialplan configurations, which is beyond the ability of Asterisk to analyze at
>run-time. Attempting to work around these scenarios would result in severely
>restricting the applications or functions and prevent their usage for legitimate
>means. As such, any additional security vulnerabilities, where an
>application/function that would normally require the "system" class
>authorization can be executed by users with the "originate" class authorization,
>will not be addressed. Instead, the README-SERIOUSLY.bestpractices.txt file has
>been updated to reflect that the AMI Originate action can result in commands
>requiring the "system" class authorization to be executed. Proper system
>configuration can limit the impact of such scenarios.
>
>(closes issue ASTERISK-20132)
>Reported by: Zubair Ashraf of IBM X-Force Research
>........
>
>Merged revisions 371998 from http://svn.asterisk.org/svn/asterisk/branches/1.8
>........
>
>Merged revisions 371999 from http://svn.asterisk.org/svn/asterisk/branches/10
>........
>
>Merged revisions 372000 from http://svn.asterisk.org/svn/asterisk/branches/11
>
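The check the commit message describes is a name-based gate: the Originate action's Application and Data headers are matched against a fixed set of application and function names, and a hit requires the caller's `write=` classes in manager.conf to include `system`. The block below is an added illustration, not Asterisk's own code: it models that gate with a constructed manager.conf so the ExternalIVR gap, the fix (adding the name to the set), and the limit the message states (an Originate into a dialplan context is opaque to the check) can be exercised. The `general`/user sections, `read`/`write` classes and `permit`/`deny` keys are real manager.conf names; the block list, the header dicts, the user names and every function name are this example's assumptions.

```python
"""Model of the AMI Originate privilege check from AST-2012-012 (added
example, not Asterisk code). Class names and config keys follow
manager.conf; the block list and function names are assumptions."""
import configparser

# Subset of manager.conf authorization classes, as flag bits (assumed order).
PERM_CLASSES = {
    "system": 1 << 0,
    "call": 1 << 1,
    "originate": 1 << 2,
    "command": 1 << 3,
    "reporting": 1 << 4,
}

# Constructed manager.conf: one minimal dialer user, one user with "all".
SAMPLE_MANAGER_CONF = """
[general]
enabled = yes
bindaddr = 127.0.0.1
port = 5038

[dialer]
secret = example-only
deny = 0.0.0.0/0.0.0.0
permit = 127.0.0.1/255.255.255.255
read = call
write = originate

[admin]
secret = example-only
read = all
write = all
"""


def parse_classes(value):
    """Turn a 'write = a,b,c' value into a flag mask; 'all' grants every class."""
    mask = 0
    for name in value.split(","):
        name = name.strip().lower()
        if not name:
            continue
        if name == "all":
            return sum(PERM_CLASSES.values())
        if name not in PERM_CLASSES:
            raise ValueError(f"unknown authorization class {name!r}")
        mask |= PERM_CLASSES[name]
    return mask


def load_write_perms(conf_text):
    """Map each user section of a manager.conf text to its write= mask."""
    cp = configparser.ConfigParser(inline_comment_prefixes=(";",))
    cp.read_string(conf_text)
    return {s: parse_classes(cp.get(s, "write", fallback=""))
            for s in cp.sections() if s != "general"}


# Application-name substrings gated behind "system"; the fix adds externalivr.
BEFORE_FIX = ("system", "exec", "agi", "mixmonitor")
AFTER_FIX = BEFORE_FIX + ("externalivr",)


def check_originate(write_mask, action, dangerous=AFTER_FIX):
    """Return (allowed, reason) for an Originate action given as a dict of
    AMI headers. Only the headers are inspected: what a dialplan context
    named via Context/Exten/Priority will execute is not visible here,
    which is the limit the commit message points out."""
    if not write_mask & PERM_CLASSES["originate"]:
        return False, "originate class required"
    app = action.get("Application", "").lower()
    data = action.get("Data", "").upper()
    hits_app = any(name in app for name in dangerous)
    hits_func = "SHELL" in data or "EVAL" in data   # e.g. Data: ${SHELL(id)}
    if (hits_app or hits_func) and not write_mask & PERM_CLASSES["system"]:
        return False, "system class required"
    return True, "queued"


if __name__ == "__main__":
    users = load_write_perms(SAMPLE_MANAGER_CONF)
    ivr = {"Channel": "Local/1000@from-internal",
           "Application": "ExternalIVR", "Data": "/bin/sh -c id"}
    ctx = {"Channel": "Local/1000@from-internal",
           "Context": "maintenance", "Exten": "s", "Priority": "1"}
    print("dialer, ExternalIVR, before fix:", check_originate(users["dialer"], ivr, BEFORE_FIX))
    print("dialer, ExternalIVR, after fix: ", check_originate(users["dialer"], ivr, AFTER_FIX))
    print("dialer, dialplan context:       ", check_originate(users["dialer"], ctx))
```

The last case is the one the message says will not be addressed: if the `maintenance` context itself calls System() or AGI(), the name check passes because nothing dangerous appears in the headers. The only controls left are the ones the updated best-practices file points at: give each AMI user the smallest `write=` set it needs, bind the manager interface to a loopback or management address, and restrict peers with `permit`/`deny`.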
--------------
Tests
--------------
Existing Test Failures (24)
- AsteriskTestSuite: S/fastagi/control-stream-file
- AsteriskTestSuite: S/fastagi/database
- AsteriskTestSuite: S/fastagi/connect
- AsteriskTestSuite: S/fastagi/get-data
- AsteriskTestSuite: S/fastagi/say-digits
- AsteriskTestSuite: S/fastagi/stream-file
- AsteriskTestSuite: S/fastagi/record-file
- AsteriskTestSuite: S/channels/SIP/sip blind transfer/callee with reinvite
- AsteriskTestSuite: S/channels/SIP/secure bridge media
- AsteriskTestSuite: S/apps/chanspy/chanspy barge
- AsteriskTestSuite: S/apps/chanspy/chanspy w mixmonitor
- AsteriskTestSuite: S/channels/SIP/sip blind transfer/callee refer only
- AsteriskTestSuite: S/fastagi/say-date
- AsteriskTestSuite: S/channels/SIP/noload res srtp
- AsteriskTestSuite: S/fastagi/say-number
- AsteriskTestSuite: S/fastagi/channel-status
- AsteriskTestSuite: S/channels/SIP/noload res srtp attempt srtp
- AsteriskTestSuite: S/channels/SIP/sip srtp
- AsteriskTestSuite: S/fastagi/hangup
- AsteriskTestSuite: S/fastagi/execute
- AsteriskTestSuite: S/fastagi/say-time
- AsteriskTestSuite: S/fastagi/say-datetime
- AsteriskTestSuite: S/fastagi/say-phonetic
- AsteriskTestSuite: S/fastagi/say-alpha
--
This message is automatically generated by Atlassian Bamboo