On Thu, Apr 21, 2011 at 04:40:39PM -0500, Asterisk Security Team wrote:
>                Asterisk Project Security Advisory - AST-2011-006
> 
>          Product        Asterisk                                              
>          Summary        Asterisk Manager User Shell Access                    
>     Nature of Advisory  Permission Escalation                                 
>       Susceptibility    Remote Authenticated Sessions                         
>          Severity       Minor                                                 
>       Exploits Known    Yes                                                   
>        Reported On      February 10, 2011                                     
>        Reported By      Mark Murawski <markm AT intellasoft DOT net>          
>         Posted On       April 21, 2011                                        
>      Last Updated On    April 21, 2011                                        
>      Advisory Contact   Matthew Nicholson <[email protected]>             
>          CVE Name       
> 
>    Description It is possible for a user of the Asterisk Manager Interface to 
>                bypass a security check and execute shell commands when they   
>                should not have that ability. Sending the "Async" header with  
>                the "Application" header during an Originate action, allows    
>                authenticated manager users to execute shell commands. Only    
>                users with the "system" privilege should be able to do this.   
> 
>    Resolution Asterisk now performs the proper access check where appropriate 
>               during the originate manager action.                            

So basically doing some dangerous stuff is only allowed for users with
the 'system' write permissions. Which brings up the interesting
question: are there any such users without such write permission?

IIRC most of the samples I saw included it even before it was actually
meaningful. In fact they all had something along the lines of:

  read = system,call,log,verbose,agent,user,config,dtmf,reporting,cdr,dialplan
  write = system,call,agent,user,config,command,reporting,originate

So here's a mini poll:

Do you have a manager interface user that does not have all the read and
write permissions? If so: how have you managed to do so?

* Reading documentation / source
* An existing sample
* Trial and Error

-- 
               Tzafrir Cohen
icq#16849755              jabber:[email protected]
+972-50-7952406           mailto:[email protected]
http://www.xorcom.com  iax:[email protected]/tzafrir
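Since the poll asks which AMI users hold more than they need, here is an added example of my own (not code from the original post or from the Asterisk project) that parses a manager.conf and lists every user whose write permissions include "system" (the privilege the advisory says should gate shell execution) or "command" (the Command action, which runs CLI commands). The manager.conf text inside it is constructed sample input.

```python
# Added example (not from the original post or the Asterisk project): audit an
# Asterisk manager.conf for AMI users whose write permissions include "system"
# (the privilege AST-2011-006 says should gate shell execution) or "command"
# (the Command action, which runs CLI commands). The config text is constructed.
import configparser
import io

# Constructed sample: one user with the copied-from-sample permission set,
# one deliberately narrow user.
SAMPLE_MANAGER_CONF = """[general]
enabled = yes
bindaddr = 127.0.0.1

[admin]
secret = CHANGEME
read = system,call,log,verbose,agent,user,config,dtmf,reporting,cdr,dialplan
write = system,call,agent,user,config,command,reporting,originate

[dialer]
secret = CHANGEME
read = call
write = originate,call
"""

# Write classes an AMI user should hold only if they truly need shell/CLI access.
HIGH_RISK_WRITE = {"system", "command"}


def parse_perms(value):
    """Split a comma-separated permission list into a set of lowercase names."""
    return {p.strip().lower() for p in value.split(",") if p.strip()}


def audit_manager_conf(text):
    """Return {user: sorted high-risk write perms} for every user holding any."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_file(io.StringIO(text))
    findings = {}
    for section in cp.sections():
        if section.lower() == "general":  # [general] is not a user
            continue
        write = parse_perms(cp.get(section, "write", fallback=""))
        if "all" in write:  # "all" grants every write class
            write |= HIGH_RISK_WRITE
        risky = sorted(write & HIGH_RISK_WRITE)
        if risky:
            findings[section] = risky
    return findings
```

Run `audit_manager_conf` over your real manager.conf text; only the [admin] user above is reported, because [dialer] holds just originate and call.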
