Package: asterisk / 1:1.6.2.9-2+squeeze12

From: Matthew Nicholson <mnicholson@digium.com>
Date: Thu, 21 Apr 2011 18:22:19 +0000
Bug: https://issues.asterisk.org/view.php?id=18787
Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=314620
Subject: Check for "system" privilege in the manager interface

This fix adds the missing test (added in later version, though apparently
in a slightly wrong location) for the "system" write permissions in case
a manager user attempts to execute an action that may eventually execute
a shell command.

Note that:
1. In order to exploit this, one must already have gained authenticated access to
   the manager interface with some sort of write access.
2. Asterisk is never run as root in Debian (if you use the standard init.d
   script), which slightly reduces the impact of this.
3. Many poorly-written sample manager.conf config files just give any
   manager user all privileges. There's all too big a chance the manager
   user already has the 'system' write priv (write=system in manager.conf).

See also:
  http://downloads.asterisk.org/pub/security/AST-2011-006.html

--- a/main/manager.c
+++ b/main/manager.c
@@ -2497,6 +2497,25 @@ static int action_originate(struct manse
 		format = 0;
 		ast_parse_allow_disallow(NULL, &format, codecs, 1);
 	}
+	if (!ast_strlen_zero(app)) {
+		/* To run the System application (or anything else that goes to
+		 * shell), you must have the additional System privilege */
+		if (!(s->session->writeperm & EVENT_FLAG_SYSTEM)
+			&& (
+				strcasestr(app, "system") ||      /* System(rm -rf /)
+				                                     TrySystem(rm -rf /)       */
+				strcasestr(app, "exec") ||        /* Exec(System(rm -rf /))
+				                                     TryExec(System(rm -rf /)) */
+				strcasestr(app, "agi") ||         /* AGI(/bin/rm,-rf /)
+				                                     EAGI(/bin/rm,-rf /)       */
+				strstr(appdata, "SHELL") ||       /* NoOp(${SHELL(rm -rf /)})  */
+				strstr(appdata, "EVAL")           /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
+				)) {
+			astman_send_error(s, m, "Originate with certain 'Application' arguments requires the additional System privilege, which you do not have.");
+			return 0;
+		}
+	}
+
 	if (ast_true(async)) {
 		struct fast_originate_helper *fast = ast_calloc(1, sizeof(*fast));
 		if (!fast) {
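Review bot: The two Data-side checks at the end of the new condition, `strstr(appdata, "SHELL")` and `strstr(appdata, "EVAL")`, are case-sensitive while the three Application-side checks above them use strcasestr; since Asterisk resolves dialplan function names case-insensitively, as far as I recall, the privilege gate is weaker for the Data header than for the Application header. Use `strcasestr(appdata, "SHELL") ||` and `strcasestr(appdata, "EVAL")` so both headers are matched the same way. It is also worth a comment above the block stating that this is a substring denylist that must be extended whenever a new shell-capable application or function is added, e.g. `/* Substring denylist: extend when adding apps/functions that can reach a shell */`. action_originate starts before this hunk and continues past it.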
@@ -2527,21 +2546,6 @@ static int action_originate(struct manse
 			}
 		}
 	} else if (!ast_strlen_zero(app)) {
-		/* To run the System application (or anything else that goes to shell), you must have the additional System privilege */
-		if (!(s->session->writeperm & EVENT_FLAG_SYSTEM)
-			&& (
-				strcasestr(app, "system") == 0 || /* System(rm -rf /)
-				                                     TrySystem(rm -rf /)       */
-				strcasestr(app, "exec") ||        /* Exec(System(rm -rf /))
-				                                     TryExec(System(rm -rf /)) */
-				strcasestr(app, "agi") ||         /* AGI(/bin/rm,-rf /)
-				                                     EAGI(/bin/rm,-rf /)       */
-				strstr(appdata, "SHELL") ||       /* NoOp(${SHELL(rm -rf /)})  */
-				strstr(appdata, "EVAL")           /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
-				)) {
-			astman_send_error(s, m, "Originate with certain 'Application' arguments requires the additional System privilege, which you do not have.");
-			return 0;
-		}
 		res = ast_pbx_outgoing_app(tech, format, data, to, app, appdata, &reason, 1, l, n, vars, account, NULL);
 	} else {
 		if (exten && context && pi)