[Pkg-voip-commits] r9938 - in /asterisk/branches/squeeze/debian: changelog patches/AST-2012-004-MixMonitor patches/AST-2012-012 patches/AST-2012-013 patches/series
tzafrir at alioth.debian.org
tzafrir at alioth.debian.org
Fri Aug 31 02:03:45 UTC 2012
Author: tzafrir
Date: Fri Aug 31 02:03:44 2012
New Revision: 9938
URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=9938
Log:
* Patch AST-2012-004-MixMonitor: Accidentally left out of patch AST-2012-004
* Patch AST-2012-012 (CVE-2012-2186): AMI User Shell Access with ExternalIVR
* Patch AST-2012-012 (CVE-2012-4737): ACL rules ignored during calls
by some IAX2 peers.
Added:
asterisk/branches/squeeze/debian/patches/AST-2012-004-MixMonitor
asterisk/branches/squeeze/debian/patches/AST-2012-012
asterisk/branches/squeeze/debian/patches/AST-2012-013
Modified:
asterisk/branches/squeeze/debian/changelog
asterisk/branches/squeeze/debian/patches/series
Modified: asterisk/branches/squeeze/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/changelog?rev=9938&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/changelog (original)
+++ asterisk/branches/squeeze/debian/changelog Fri Aug 31 02:03:44 2012
@@ -1,11 +1,14 @@
asterisk (1:1.6.2.9-2+squeeze7) UNRELEASED; urgency=low
-
- [ Tzafrir Cohen ]
- * NOT RELEASED YET
[ Victor Seva ]
* Patch AST-2012-010 : Possible resource leak on uncompleted
re-invite transactions.
+
+ [ Tzafrir Cohen ]
+ * Patch AST-2012-004-MixMonitor: Accidentally left out of patch AST-2012-004
+ * Patch AST-2012-012 (CVE-2012-2186): AMI User Shell Access with ExternalIVR
+ * Patch AST-2012-012 (CVE-2012-4737): ACL rules ignored during calls
+ by some IAX2 peers.
-- Victor Seva <linuxmaniac at torreviejawireless.org> Fri, 06 Jul 2012 09:10:35 +0200
Added: asterisk/branches/squeeze/debian/patches/AST-2012-004-MixMonitor
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/AST-2012-004-MixMonitor?rev=9938&op=file
==============================================================================
--- asterisk/branches/squeeze/debian/patches/AST-2012-004-MixMonitor (added)
+++ asterisk/branches/squeeze/debian/patches/AST-2012-004-MixMonitor Fri Aug 31 02:03:44 2012
@@ -1,0 +1,30 @@
+From a0d894b7ce49018f9c473aba1617bbe030fe6c10 Mon Sep 17 00:00:00 2001
+From: Tzafrir Cohen <tzafrir.cohen at xorcom.com>
+Date: Fri, 31 Aug 2012 02:22:06 +0300
+Subject: [PATCH] AMI Originate: Forbid MixMonitor as well
+
+Add MixMonitor to the list of patters that detect a "system"
+command that is forbidden to a simple "originate"-level
+Originate.
+
+Should have been included in AST-2012-004 but seem to have been lost in
+the backporting.
+---
+ main/manager.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/main/manager.c b/main/manager.c
+index affe853..a097847 100644
+--- a/main/manager.c
++++ b/main/manager.c
+@@ -2533,6 +2533,7 @@ static int action_originate(struct mansession *s, const struct message *m)
+ TryExec(System(rm -rf /)) */
+ strcasestr(app, "agi") || /* AGI(/bin/rm,-rf /)
+ EAGI(/bin/rm,-rf /) */
++ strcasestr(app, "mixmonitor") || /* MixMonitor(blah,,rm -rf) */
+ (strstr(appdata, "SHELL") && (bad_appdata = 1)) || /* NoOp(${SHELL(rm -rf /)}) */
+ (strstr(appdata, "EVAL") && (bad_appdata = 1)) /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
+ )) {
+--
+1.7.10.4
+
Added: asterisk/branches/squeeze/debian/patches/AST-2012-012
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/AST-2012-012?rev=9938&op=file
==============================================================================
--- asterisk/branches/squeeze/debian/patches/AST-2012-012 (added)
+++ asterisk/branches/squeeze/debian/patches/AST-2012-012 Fri Aug 31 02:03:44 2012
@@ -1,0 +1,125 @@
+From: Matthew Jordan <mjordan at digium.com>
+Date: Thu, 30 Aug 2012 16:05:23 +0000
+Subject: AST-2012-012: AMI User Shell Access with ExternalIVR
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=371998
+Bug: https://issues.asterisk.org/jira/browse/ASTERISK-20132
+CVE: CVE-2012-2186
+
+The AMI Originate action can allow a remote user to specify information that can
+be used to execute shell commands on the system hosting Asterisk. This can
+result in an unwanted escalation of permissions, as the Originate action, which
+requires the "originate" class authorization, can be used to perform actions
+that would typically require the "system" class authorization. Previous attempts
+to prevent this permission escalation (AST-2011-006, AST-2012-004) have sought
+to do so by inspecting the names of applications and functions passed in with
+the Originate action and, if those applications/functions matched a predefined
+set of values, rejecting the command if the user lacked the "system" class
+authorization. As reported by IBM X-Force Research, the "ExternalIVR"
+application is not listed in the predefined set of values. The solution for
+this particular vulnerability is to include the "ExternalIVR" application in the
+set of defined applications/functions that require "system" class authorization.
+
+Unfortunately, the approach of inspecting fields in the Originate action against
+known applications/functions has a significant flaw. The predefined set of
+values can be bypassed by creative use of the Originate action or by certain
+dialplan configurations, which is beyond the ability of Asterisk to analyze at
+run-time. Attempting to work around these scenarios would result in severely
+restricting the applications or functions and prevent their usage for legitimate
+means. As such, any additional security vulnerabilities, where an
+application/function that would normally require the "system" class
+authorization can be executed by users with the "originate" class authorization,
+will not be addressed. Instead, the README-SERIOUSLY.bestpractices.txt file has
+been updated to reflect that the AMI Originate action can result in commands
+requiring the "system" class authorization to be executed. Proper system
+configuration can limit the impact of such scenarios.
+
+See Also: http://downloads.asterisk.org/pub/security/AST-2012-012.html
+
+Reported by: Zubair Ashraf of IBM X-Force Research
+
+---
+ README-SERIOUSLY.bestpractices.txt | 51 ++++++++++++++++++++++++++++++++++++
+ main/manager.c | 1 +
+ 2 files changed, 52 insertions(+)
+
+diff --git a/README-SERIOUSLY.bestpractices.txt b/README-SERIOUSLY.bestpractices.txt
+index 0e2af3b..b470fd6 100644
+--- a/README-SERIOUSLY.bestpractices.txt
++++ b/README-SERIOUSLY.bestpractices.txt
+@@ -23,6 +23,9 @@ Sections
+ * Reducing Pattern Match Typos:
+ Using the 'same' prefix, or using Goto()
+
++* Manager Class Authorizations:
++ Recognizing potential issues with certain classes of authorization
++
+ ----------------
+ Additional Links
+ ----------------
+@@ -293,3 +296,51 @@ same => n,Hangup()
+ exten => error,1,Verbose(2,Unable to lookup technology or device for extension)
+ same => n,Playback(silence/1&num-not-in-db)
+ same => n,Hangup()
++
++
++============================
++Manager Class Authorizations
++============================
++
++Manager accounts have associated class authorizations that define what actions
++and events that account can execute/receive. In order to run Asterisk commands
++or dialplan applications that affect the system Asterisk executes on, the
++"system" class authorization should be set on the account.
++
++However, Manager commands that originate new calls into the Asterisk dialplan
++have the potential to alter or affect the system as well, even though the
++class authorization for origination commands is "originate". Take, for example,
++the Originate manager command:
++
++Action: Originate
++Channel: SIP/foo
++Exten: s
++Context: default
++Priority: 1
++Application: System
++Data: echo hello world!
++
++This manager command will attempt to execute an Asterisk application, System,
++which is normally associated with the "system" class authorication. While some
++checks have been put into Asterisk to take this into account, certain dialplan
++configurations and/or clever manipulation of the Originate manager action can
++circumvent these checks. For example, take the following dialplan:
++
++exten => s,1,Verbose(Incoming call)
++same => n,MixMonitor(foo.wav,,${EXEC_COMMAND})
++same => n,Dial(SIP/bar)
++same => n,Hangup()
++
++Whatever has been defined in the variable EXEC_COMMAND will be executed after
++MixMonitor has finished recording the call. The dialplan writer may have
++intended that this variable to be set by some other location in the dialplan;
++however, the Manager action Originate allows for channel variables to be set by
++the account initiating the new call. This could allow the Originate action to
++execute some command on the system by setting the EXEC_COMMAND dialplan variable
++in the Variable: header.
++
++In general, you should treat the Manager class authorization "originate" the
++same as the class authorization "system". Good system configuration, such as
++not running Asterisk as root, can prevent serious problems from arising when
++allowing external connections to originate calls into Asterisk.
++
+diff --git a/main/manager.c b/main/manager.c
+index 6808512..f2dfa32 100644
+--- a/main/manager.c
++++ b/main/manager.c
+@@ -4083,6 +4083,7 @@ static int action_originate(struct mansession *s, const struct message *m)
+ strcasestr(app, "agi") || /* AGI(/bin/rm,-rf /)
+ EAGI(/bin/rm,-rf /) */
+ strcasestr(app, "mixmonitor") || /* MixMonitor(blah,,rm -rf) */
++ strcasestr(app, "externalivr") || /* ExternalIVR(rm -rf) */
+ (strstr(appdata, "SHELL") && (bad_appdata = 1)) || /* NoOp(${SHELL(rm -rf /)}) */
+ (strstr(appdata, "EVAL") && (bad_appdata = 1)) /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
+ )) {
+--
+1.7.10.4
+
Added: asterisk/branches/squeeze/debian/patches/AST-2012-013
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/AST-2012-013?rev=9938&op=file
==============================================================================
--- asterisk/branches/squeeze/debian/patches/AST-2012-013 (added)
+++ asterisk/branches/squeeze/debian/patches/AST-2012-013 Fri Aug 31 02:03:44 2012
@@ -1,0 +1,58 @@
+From: Matthew Jordan <mjordan at digium.com>
+Date: Thu, 30 Aug 2012 16:21:34 +0000
+Subject: AST-2012-013: ACL rules ignored during calls by some IAX2 peers
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=372015
+Bug: https://issues.asterisk.org/jira/browse/ASTERISK-20186
+CVE: CVE-2012-4737
+
+When an IAX2 call is made using the credentials of a peer defined in a dynamic
+Asterisk Realtime Architecture (ARA) backend, the ACL rules for that peer are
+not applied to the call attempt. This allows for a remote attacker who is aware
+of a peer's credentials to bypass the ACL rules set for that peer.
+
+This patch ensures that the ACLs are applied for all peers, regardless of their
+storage mechanism.
+
+See Also: http://downloads.asterisk.org/pub/security/AST-2012-013.html
+
+Reported by: Alan Frisch
+Tested by: mjordan, Alan Frisch
+
+git-svn-id: http://svn.asterisk.org/svn/asterisk/branches/1.8@372015 f38db490-d61c-443f-a65b-d21fe96a405b
+---
+ channels/chan_iax2.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
+index 22b873f..d3ec720 100644
+--- a/channels/chan_iax2.c
++++ b/channels/chan_iax2.c
+@@ -7615,10 +7615,10 @@ static int check_access(int callno, struct sockaddr_in *sin, struct iax_ies *ies
+ i = ao2_iterator_init(users, 0);
+ while ((user = ao2_iterator_next(&i))) {
+ if ((ast_strlen_zero(iaxs[callno]->username) || /* No username specified */
+- !strcmp(iaxs[callno]->username, user->name)) /* Or this username specified */
+- && ast_apply_ha(user->ha, sin) /* Access is permitted from this IP */
++ !strcmp(iaxs[callno]->username, user->name)) /* Or this username specified */
++ && ast_apply_ha(user->ha, sin) == AST_SENSE_ALLOW /* Access is permitted from this IP */
+ && (ast_strlen_zero(iaxs[callno]->context) || /* No context specified */
+- apply_context(user->contexts, iaxs[callno]->context))) { /* Context is permitted */
++ apply_context(user->contexts, iaxs[callno]->context))) { /* Context is permitted */
+ if (!ast_strlen_zero(iaxs[callno]->username)) {
+ /* Exact match, stop right now. */
+ if (best)
+@@ -7674,8 +7674,9 @@ static int check_access(int callno, struct sockaddr_in *sin, struct iax_ies *ies
+ user = best;
+ if (!user && !ast_strlen_zero(iaxs[callno]->username)) {
+ user = realtime_user(iaxs[callno]->username, sin);
+- if (user && !ast_strlen_zero(iaxs[callno]->context) && /* No context specified */
+- !apply_context(user->contexts, iaxs[callno]->context)) { /* Context is permitted */
++ if (user && (ast_apply_ha(user->ha, sin) == AST_SENSE_DENY /* Access is denied from this IP */
++ || (!ast_strlen_zero(iaxs[callno]->context) && /* No context specified */
++ !apply_context(user->contexts, iaxs[callno]->context)))) { /* Context is permitted */
+ user = user_unref(user);
+ }
+ }
+--
+1.7.10.4
+
Modified: asterisk/branches/squeeze/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/squeeze/debian/patches/series?rev=9938&op=diff
==============================================================================
--- asterisk/branches/squeeze/debian/patches/series (original)
+++ asterisk/branches/squeeze/debian/patches/series Fri Aug 31 02:03:44 2012
@@ -49,8 +49,12 @@
AST-2011-014
AST-2012-002
AST-2012-004
+# Accidentally missing from original AST-2012-004:
+AST-2012-004-MixMonitor
AST-2012-005
AST-2012-007
skinny_fix_16040
AST-2012-008
AST-2012-010
+AST-2012-012
+AST-2012-013
More information about the Pkg-voip-commits
mailing list