[Pkg-voip-commits] r9939 - in /asterisk/trunk/debian: changelog patches/AST-2012-012 patches/AST-2012-013 patches/series

tzafrir at alioth.debian.org
Fri Aug 31 02:11:09 UTC 2012


Author: tzafrir
Date: Fri Aug 31 02:11:08 2012
New Revision: 9939

URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=9939
Log:
* Patch AST-2012-012 (CVE-2012-2186): AMI User Shell Access with ExternalIVR
* Patch AST-2012-012 (CVE-2012-4737): ACL rules ignored during calls
  by some IAX2 peers.

Added:
    asterisk/trunk/debian/patches/AST-2012-012
    asterisk/trunk/debian/patches/AST-2012-013
Modified:
    asterisk/trunk/debian/changelog
    asterisk/trunk/debian/patches/series

Modified: asterisk/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/trunk/debian/changelog?rev=9939&op=diff
==============================================================================
--- asterisk/trunk/debian/changelog (original)
+++ asterisk/trunk/debian/changelog Fri Aug 31 02:11:08 2012
@@ -3,6 +3,9 @@
   * New upstream release (Closes: #680470):
     - Fixes AST-2012-010 (CVE-2012-3863).
     - Fixes AST-2012-011 (CVE-2012-38612).
+  * Patch AST-2012-012 (CVE-2012-2186): AMI User Shell Access with ExternalIVR
+  * Patch AST-2012-012 (CVE-2012-4737): ACL rules ignored during calls
+    by some IAX2 peers.
 
  -- Tzafrir Cohen <tzafrir at debian.org>  Fri, 31 Aug 2012 00:14:42 +0300
 
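Review bot: the second added bullet is mislabelled: it reads `* Patch AST-2012-012 (CVE-2012-4737)`, but CVE-2012-4737 belongs to the AST-2012-013 patch file added in this same revision (its header carries `Subject: AST-2012-013: ACL rules ignored during calls by some IAX2 peers` and `CVE: CVE-2012-4737`), and `series` gains both AST-2012-012 and AST-2012-013. Suggest `* Patch AST-2012-013 (CVE-2012-4737): ACL rules ignored during calls`. While in this entry, the unchanged context line `- Fixes AST-2012-011 (CVE-2012-38612).` carries a five-digit CVE number where the neighbouring entries have four; worth checking against the upstream advisory before upload.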

Added: asterisk/trunk/debian/patches/AST-2012-012
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/trunk/debian/patches/AST-2012-012?rev=9939&op=file
==============================================================================
--- asterisk/trunk/debian/patches/AST-2012-012 (added)
+++ asterisk/trunk/debian/patches/AST-2012-012 Fri Aug 31 02:11:08 2012
@@ -1,0 +1,124 @@
+From: Matthew Jordan <mjordan at digium.com>
+Date: Thu, 30 Aug 2012 16:05:23 +0000
+Subject: AST-2012-012: AMI User Shell Access with ExternalIVR
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=371998
+Bug: https://issues.asterisk.org/jira/browse/ASTERISK-20132
+CVE: CVE-2012-2186
+
+The AMI Originate action can allow a remote user to specify information that can
+be used to execute shell commands on the system hosting Asterisk. This can
+result in an unwanted escalation of permissions, as the Originate action, which
+requires the "originate" class authorization, can be used to perform actions
+that would typically require the "system" class authorization. Previous attempts
+to prevent this permission escalation (AST-2011-006, AST-2012-004) have sought
+to do so by inspecting the names of applications and functions passed in with
+the Originate action and, if those applications/functions matched a predefined
+set of values, rejecting the command if the user lacked the "system" class
+authorization. As reported by IBM X-Force Research, the "ExternalIVR"
+application is not listed in the predefined set of values. The solution for
+this particular vulnerability is to include the "ExternalIVR" application in the
+set of defined applications/functions that require "system" class authorization.
+
+Unfortunately, the approach of inspecting fields in the Originate action against
+known applications/functions has a significant flaw. The predefined set of
+values can be bypassed by creative use of the Originate action or by certain
+dialplan configurations, which is beyond the ability of Asterisk to analyze at
+run-time. Attempting to work around these scenarios would result in severely
+restricting the applications or functions and prevent their usage for legitimate
+means. As such, any additional security vulnerabilities, where an
+application/function that would normally require the "system" class
+authorization can be executed by users with the "originate" class authorization,
+will not be addressed. Instead, the README-SERIOUSLY.bestpractices.txt file has
+been updated to reflect that the AMI Originate action can result in commands
+requiring the "system" class authorization to be executed. Proper system
+configuration can limit the impact of such scenarios.
+
+See Also: http://downloads.asterisk.org/pub/security/AST-2012-012.html
+
+Reported by: Zubair Ashraf of IBM X-Force Research
+---
+ README-SERIOUSLY.bestpractices.txt |   51 ++++++++++++++++++++++++++++++++++++
+ main/manager.c                     |    1 +
+ 2 files changed, 52 insertions(+)
+
+diff --git a/README-SERIOUSLY.bestpractices.txt b/README-SERIOUSLY.bestpractices.txt
+index 0e2af3b..b470fd6 100644
+--- a/README-SERIOUSLY.bestpractices.txt
++++ b/README-SERIOUSLY.bestpractices.txt
+@@ -23,6 +23,9 @@ Sections
+ * Reducing Pattern Match Typos: 
+         Using the 'same' prefix, or using Goto()
+ 
++* Manager Class Authorizations:
++        Recognizing potential issues with certain classes of authorization
++
+ ----------------
+ Additional Links
+ ----------------
+@@ -293,3 +296,51 @@ same => n,Hangup()
+ exten => error,1,Verbose(2,Unable to lookup technology or device for extension)
+ same => n,Playback(silence/1&num-not-in-db)
+ same => n,Hangup()
++
++
++============================
++Manager Class Authorizations
++============================
++
++Manager accounts have associated class authorizations that define what actions
++and events that account can execute/receive.  In order to run Asterisk commands
++or dialplan applications that affect the system Asterisk executes on, the
++"system" class authorization should be set on the account.
++
++However, Manager commands that originate new calls into the Asterisk dialplan
++have the potential to alter or affect the system as well, even though the
++class authorization for origination commands is "originate".  Take, for example,
++the Originate manager command:
++
++Action: Originate
++Channel: SIP/foo
++Exten: s
++Context: default
++Priority: 1
++Application: System
++Data: echo hello world!
++
++This manager command will attempt to execute an Asterisk application, System,
++which is normally associated with the "system" class authorication.  While some
++checks have been put into Asterisk to take this into account, certain dialplan
++configurations and/or clever manipulation of the Originate manager action can
++circumvent these checks.  For example, take the following dialplan:
++
++exten => s,1,Verbose(Incoming call)
++same => n,MixMonitor(foo.wav,,${EXEC_COMMAND})
++same => n,Dial(SIP/bar)
++same => n,Hangup()
++
++Whatever has been defined in the variable EXEC_COMMAND will be executed after
++MixMonitor has finished recording the call.  The dialplan writer may have
++intended that this variable to be set by some other location in the dialplan;
++however, the Manager action Originate allows for channel variables to be set by
++the account initiating the new call.  This could allow the Originate action to
++execute some command on the system by setting the EXEC_COMMAND dialplan variable
++in the Variable: header.
++
++In general, you should treat the Manager class authorization "originate" the
++same as the class authorization "system".  Good system configuration, such as
++not running Asterisk as root, can prevent serious problems from arising when
++allowing external connections to originate calls into Asterisk.
++
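Review bot: two wording slips in the new README section: `associated with the "system" class authorication` should read `authorization`, and `intended that this variable to be set by some other location` should drop `that` (or read `to be set from some other location`). Beyond that, this documentation is the part of the fix that matters for administrators, since the patch description above states that further bypasses of the application-name check will not be addressed upstream; consider surfacing the "treat originate the same as system" guidance in the Debian package itself (README.Debian or a NEWS entry) rather than only inside the upstream source tree, and trimming the two leading and one trailing blank lines the hunk adds.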
+diff --git a/main/manager.c b/main/manager.c
+index 6808512..f2dfa32 100644
+--- a/main/manager.c
++++ b/main/manager.c
+@@ -4083,6 +4083,7 @@ static int action_originate(struct mansession *s, const struct message *m)
+ 				strcasestr(app, "agi") ||         /* AGI(/bin/rm,-rf /)
+ 				                                     EAGI(/bin/rm,-rf /)       */
+ 				strcasestr(app, "mixmonitor") ||  /* MixMonitor(blah,,rm -rf)  */
++				strcasestr(app, "externalivr") || /* ExternalIVR(rm -rf)       */
+ 				(strstr(appdata, "SHELL") && (bad_appdata = 1)) ||       /* NoOp(${SHELL(rm -rf /)})  */
+ 				(strstr(appdata, "EVAL") && (bad_appdata = 1))           /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
+ 				)) {
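Review bot: the one-line addition `strcasestr(app, "externalivr")` follows the existing denylist entries (`agi`, `mixmonitor`), and the case-insensitive match is appropriate for a dialplan application name, but the patch description itself concedes this predefined list can be bypassed through dialplan configuration or creative use of Originate. The code change should therefore not be read as closing the class of issue; the README section in the same patch is the operative mitigation, and the Debian package should point administrators who grant the `originate` class at it.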
+-- 
+1.7.10.4
+

Added: asterisk/trunk/debian/patches/AST-2012-013
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/trunk/debian/patches/AST-2012-013?rev=9939&op=file
==============================================================================
--- asterisk/trunk/debian/patches/AST-2012-013 (added)
+++ asterisk/trunk/debian/patches/AST-2012-013 Fri Aug 31 02:11:08 2012
@@ -1,0 +1,56 @@
+From: Matthew Jordan <mjordan at digium.com>
+Date: Thu, 30 Aug 2012 16:21:34 +0000
+Subject: AST-2012-013: ACL rules ignored during calls by some IAX2 peers
+Origin: http://svnview.digium.com/svn/asterisk?view=rev&rev=372015
+Bug: https://issues.asterisk.org/jira/browse/ASTERISK-20186
+CVE: CVE-2012-4737
+
+When an IAX2 call is made using the credentials of a peer defined in a dynamic
+Asterisk Realtime Architecture (ARA) backend, the ACL rules for that peer are
+not applied to the call attempt. This allows for a remote attacker who is aware
+of a peer's credentials to bypass the ACL rules set for that peer.
+
+This patch ensures that the ACLs are applied for all peers, regardless of their
+storage mechanism.
+
+See Also: http://downloads.asterisk.org/pub/security/AST-2012-013.html
+
+Reported by: Alan Frisch
+Tested by: mjordan, Alan Frisch
+---
+ channels/chan_iax2.c |   11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
+index 22b873f..d3ec720 100644
+--- a/channels/chan_iax2.c
++++ b/channels/chan_iax2.c
+@@ -7615,10 +7615,10 @@ static int check_access(int callno, struct sockaddr_in *sin, struct iax_ies *ies
+ 	i = ao2_iterator_init(users, 0);
+ 	while ((user = ao2_iterator_next(&i))) {
+ 		if ((ast_strlen_zero(iaxs[callno]->username) ||				/* No username specified */
+-			!strcmp(iaxs[callno]->username, user->name))	/* Or this username specified */
+-			&& ast_apply_ha(user->ha, &addr) 	/* Access is permitted from this IP */
++			!strcmp(iaxs[callno]->username, user->name))			/* Or this username specified */
++			&& ast_apply_ha(user->ha, &addr) == AST_SENSE_ALLOW		/* Access is permitted from this IP */
+ 			&& (ast_strlen_zero(iaxs[callno]->context) ||			/* No context specified */
+-			     apply_context(user->contexts, iaxs[callno]->context))) {			/* Context is permitted */
++				apply_context(user->contexts, iaxs[callno]->context))) {			/* Context is permitted */
+ 			if (!ast_strlen_zero(iaxs[callno]->username)) {
+ 				/* Exact match, stop right now. */
+ 				if (best)
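Review bot: only one of the changed line pairs in this hunk alters behaviour: `&& ast_apply_ha(user->ha, &addr)` becomes `&& ast_apply_ha(user->ha, &addr) == AST_SENSE_ALLOW`. The other two pairs (`!strcmp(iaxs[callno]->username, user->name))` and `apply_context(user->contexts, iaxs[callno]->context))) {`) differ only in the tab alignment of their trailing comments. For a security patch carried in a distribution, whitespace-only churn makes the real change harder to audit and more likely to conflict on the next rebase; suggest dropping those two pairs from the Debian patch, or at least stating in the patch header that they are cosmetic.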
+@@ -7674,8 +7674,9 @@ static int check_access(int callno, struct sockaddr_in *sin, struct iax_ies *ies
+ 	user = best;
+ 	if (!user && !ast_strlen_zero(iaxs[callno]->username)) {
+ 		user = realtime_user(iaxs[callno]->username, sin);
+-		if (user && !ast_strlen_zero(iaxs[callno]->context) &&			/* No context specified */
+-		    !apply_context(user->contexts, iaxs[callno]->context)) {		/* Context is permitted */
++		if (user && (ast_apply_ha(user->ha, &addr) == AST_SENSE_DENY		/* Access is denied from this IP */
++			|| (!ast_strlen_zero(iaxs[callno]->context) &&					/* No context specified */
++				!apply_context(user->contexts, iaxs[callno]->context)))) {	/* Context is permitted */
+ 			user = user_unref(user);
+ 		}
+ 	}
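Review bot: the two hunks test the ACL result in opposite senses: the static-user path (previous hunk) keeps a user only when `ast_apply_ha(...) == AST_SENSE_ALLOW`, whereas this realtime path drops the user only when `ast_apply_ha(user->ha, &addr) == AST_SENSE_DENY`. If `ast_apply_ha()` can ever return a value other than those two, the realtime path accepts what the static path rejects; writing this as `ast_apply_ha(user->ha, &addr) != AST_SENSE_ALLOW` makes the realtime peer fail closed and keeps both call sites consistent. Separately, the trailing comments carried over from the removed lines now read backwards: `!ast_strlen_zero(iaxs[callno]->context)` is annotated `/* No context specified */` and `!apply_context(...)` is annotated `/* Context is permitted */`, although this branch is taken when a context is specified and is not permitted. Suggest `/* Context specified */` and `/* ... but not permitted */` so the `user_unref` branch reads as the denial it is.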
+-- 
+1.7.10.4
+

Modified: asterisk/trunk/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/trunk/debian/patches/series?rev=9939&op=diff
==============================================================================
--- asterisk/trunk/debian/patches/series (original)
+++ asterisk/trunk/debian/patches/series Fri Aug 31 02:11:08 2012
@@ -25,3 +25,6 @@
 menuselect_cflags
 ilbc_disable
 httpd_port
+
+AST-2012-012
+AST-2012-013



