asterisk users - Apr 2011 - AST-2011-006: Asterisk Manager User Shell Access

Asterisk Project Security Advisory - AST-2011-006

         Product        Asterisk                                              
         Summary        Asterisk Manager User Shell Access                    
    Nature of Advisory  Permission Escalation                                 
      Susceptibility    Remote Authenticated Sessions                         
         Severity       Minor                                                 
      Exploits Known    Yes                                                   
       Reported On      February 10, 2011                                     
       Reported By      Mark Murawski <markm AT intellasoft DOT net>
        Posted On       April 21, 2011                                        
     Last Updated On    April 21, 2011                                        
     Advisory Contact   Matthew Nicholson <mnicholson at digium.com>
         CVE Name       

   Description It is possible for a user of the Asterisk Manager Interface to 
               bypass a security check and execute shell commands when they   
               should not have that ability. Sending the "Async"
header with
               the "Application" header during an Originate action,
allows
               authenticated manager users to execute shell commands. Only    
               users with the "system" privilege should be able to do
this.

   Resolution Asterisk now performs the proper access check where appropriate 
              during the originate manager action.                            

                               Affected Versions
                Product              Release Series 
         Asterisk Open Source            1.4.x      All versions              
         Asterisk Open Source           1.6.1.x     All versions              
         Asterisk Open Source           1.6.2.x     All versions              
         Asterisk Open Source            1.8.x      All versions              
       Asterisk Business Edition         C.x.x      All versions              

                                  Corrected In
              Product                               Release                   
        Asterisk Open Source        1.4.40.1, 1.6.1.25, 1.6.2.17.3, 1.8.3.3   
     Asterisk Business Edition                      C.3.6.4                   

                                    Patches                            
                                   URL                                 Branch 
   http://downloads.asterisk.org/pub/security/AST-2011-006-1.4.diff    1.4    
   http://downloads.asterisk.org/pub/security/AST-2011-006-1.6.1.diff  1.6.1  
   http://downloads.asterisk.org/pub/security/AST-2011-006-1.6.2.diff  1.6.2  
   http://downloads.asterisk.org/pub/security/AST-2011-006-1.8.diff    1.8    

          Links         

   Asterisk Project Security Advisories are posted at                         
   http://www.asterisk.org/security                                           
                                                                              
   This document may be superseded by later versions; if so, the latest       
   version will be posted at                                                  
   http://downloads.digium.com/pub/security/AST-2011-006.pdf and              
   http://downloads.digium.com/pub/security/AST-2011-006.html                 

                                Revision History
          Date                 Editor                  Revisions Made         
   4/21/11            Matthew Nicholson        Initial version                

               Asterisk Project Security Advisory - AST-2011-006
              Copyright (c) 2011 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

On Thu, Apr 21, 2011 at 04:40:39PM -0500, Asterisk Security Team
wrote:
>                Asterisk Project Security Advisory - AST-2011-006
> 
>          Product        Asterisk
>          Summary        Asterisk Manager User Shell Access
>     Nature of Advisory  Permission Escalation
>       Susceptibility    Remote Authenticated Sessions
>          Severity       Minor
>       Exploits Known    Yes
>        Reported On      February 10, 2011
>        Reported By      Mark Murawski <markm AT intellasoft DOT net>
>         Posted On       April 21, 2011
>      Last Updated On    April 21, 2011
>      Advisory Contact   Matthew Nicholson <mnicholson at digium.com>
>          CVE Name       
> 
>    Description It is possible for a user of the Asterisk Manager Interface
to
>                bypass a security check and execute shell commands when they
>                should not have that ability. Sending the "Async"
header with
>                the "Application" header during an Originate
action, allows
>                authenticated manager users to execute shell commands. Only
>                users with the "system" privilege should be able
to do this.
> 
>    Resolution Asterisk now performs the proper access check where
appropriate
>               during the originate manager action.
So basically doing some dangerous stuff is only allowed for users with
the 'system' write permissions. Which brings up the interesting
question: are there any such users without such write permission?

IIRC most of the sample I saw included it even before it was actually
meaningful. In fact they all had something of the likes of:

  read = system,call,log,verbose,agent,user,config,dtmf,reporting,cdr,dialplan
  write = system,call,agent,user,config,command,reporting,originate

So here's a mini poll:

Do you have a manager interface user that does not have all the read and
write permissions? If so: how have you managed to do so?

* Reading documentation / source
* An existing sample
* Trial and Error

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir