<div dir="ltr">PSC<br><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Asterisk Security Team</b> <span dir="ltr">&lt;<a href="mailto:security@asterisk.org">security@asterisk.org</a>&gt;</span><br>
Date: 2013/12/16<br>Subject: [asterisk-dev] AST-2013-007: Asterisk Manager User Dialplan Permission Escalation<br>To: <a href="mailto:asterisk-dev@lists.digium.com">asterisk-dev@lists.digium.com</a><br><br><br>               Asterisk Project Security Advisory - AST-2013-007<br>

<br>
         Product        Asterisk<br>
         Summary        Asterisk Manager User Dialplan Permission Escalation<br>
    Nature of Advisory  Permission Escalation<br>
      Susceptibility    Remote Authenticated Sessions<br>
         Severity       Minor<br>
      Exploits Known    None<br>
       Reported On      November 25, 2013<br>
       Reported By      Matt Jordan<br>
        Posted On       December 16, 2013<br>
     Last Updated On    December 16, 2013<br>
     Advisory Contact   David Lee &lt; dlee AT digium DOT com &gt;<br>
         CVE Name       Pending<br>
<br>
    Description  External control protocols, such as the Asterisk Manager<br>
                 Interface, often have the ability to get and set channel<br>
                 variables; this allows the execution of dialplan functions.<br>
<br>
                 Dialplan functions within Asterisk are incredibly powerful,<br>
                 which is wonderful for building applications using Asterisk.<br>
                 But during the read or write execution, certain dialplan<br>
                 functions do much more. For example, reading the SHELL()<br>
                 function can execute arbitrary commands on the system<br>
                 Asterisk is running on. Writing to the FILE() function can<br>
                 change any file that Asterisk has write access to.<br>
<br>
                 When these functions are executed from an external<br>
                 protocol, that execution could result in a privilege<br>
                 escalation.<br>
<br>
    Resolution  Asterisk can now inhibit the execution of these functions<br>
                from external interfaces such as AMI, if live_dangerously in<br>
                the [options] section of asterisk.conf is set to no.<br>
<br>
                For backwards compatibility, live_dangerously defaults to<br>
                yes, and must be explicitly set to no to enable this<br>
                privilege escalation protection.<br>
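A defender-side check for the Resolution above, added here as an example (not code from the advisory or the Asterisk project): it parses asterisk.conf, treats an absent live_dangerously as the unsafe default the advisory describes, and reports whether the protection is actually on. The spellings accepted as "no" are an assumption.<br>

```python
"""Audit asterisk.conf for the AST-2013-007 mitigation (live_dangerously = no).

Added example; not code from the advisory or the Asterisk project. It assumes
Asterisk's ini-like syntax ([section], ';' comments, 'key = value' or
'key => value'). The set of spellings accepted as "no" is an assumption here.
"""
import re

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]")
KV_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=>?\s*(.*?)\s*$")
NO_VALUES = {"no", "false", "off", "0", "n", "f"}


def parse_asterisk_conf(text):
    """Return {section: {key: value}} for an Asterisk-style config text."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]          # drop ';' comments
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1).lower()] = m.group(2)
    return sections


def live_dangerously_enabled(text):
    """True if external interfaces (AMI, ...) may still run SHELL()/FILE().

    The advisory says live_dangerously defaults to yes, so a missing [options]
    section or key is the unsafe state; unrecognised values are also flagged.
    """
    options = parse_asterisk_conf(text).get("options", {})
    value = options.get("live_dangerously", "yes").strip().lower()
    return value not in NO_VALUES


# Constructed sample configs (not taken from the advisory).
DEFAULT_CONF = "[directories]\nastetcdir => /etc/asterisk\n\n[options]\nverbose = 3 ; default\n"
HARDENED_CONF = DEFAULT_CONF + "live_dangerously = no\n"

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        state = "ENABLED (unsafe)" if live_dangerously_enabled(conf) else "disabled"
        print(f"{name}: live_dangerously {state}")
```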
<br>
                               Affected Versions<br>
                Product                 Release Series<br>
         Asterisk Open Source                1.8.x          All Versions<br>
         Asterisk Open Source                10.x           All Versions<br>
      Asterisk with Digiumphones       10.x-digiumphones    All Versions<br>
         Asterisk Open Source                11.x           All Versions<br>
          Certified Asterisk                 1.8.x          All Versions<br>
          Certified Asterisk                 11.x           All Versions<br>
<br>
                                  Corrected In<br>
                  Product                              Release<br>
            Asterisk Open Source              1.8.24.1, 10.12.4, 11.6.1<br>
         Asterisk with Digiumphones              10.12.4-digiumphones<br>
             Certified Asterisk                1.8.15-cert4, 11.2-cert3<br>
<br>
                                          Patches<br>
                                  SVN URL                                       Revision<br>
<a href="http://downloads.asterisk.org/pub/security/AST-2013-007-1.8.diff" target="_blank">http://downloads.asterisk.org/pub/security/AST-2013-007-1.8.diff</a>             Asterisk 1.8<br>
<a href="http://downloads.asterisk.org/pub/security/AST-2013-007-10.diff" target="_blank">http://downloads.asterisk.org/pub/security/AST-2013-007-10.diff</a>              Asterisk 10<br>
<a href="http://downloads.asterisk.org/pub/security/AST-2013-007-10-digiumphones.diff" target="_blank">http://downloads.asterisk.org/pub/security/AST-2013-007-10-digiumphones.diff</a> Asterisk 10-digiumphones<br>
<a href="http://downloads.asterisk.org/pub/security/AST-2013-007-11.diff" target="_blank">http://downloads.asterisk.org/pub/security/AST-2013-007-11.diff</a>              Asterisk 11<br>
<a href="http://downloads.asterisk.org/pub/security/AST-2013-007-1.8.15.diff" target="_blank">http://downloads.asterisk.org/pub/security/AST-2013-007-1.8.15.diff</a>          Certified Asterisk 1.8.15<br>
<a href="http://downloads.asterisk.org/pub/security/AST-2013-007-11.2.diff" target="_blank">http://downloads.asterisk.org/pub/security/AST-2013-007-11.2.diff</a>            Certified Asterisk 11.2<br>
<br>
       Links     <a href="https://issues.asterisk.org/jira/browse/ASTERISK-22905" target="_blank">https://issues.asterisk.org/jira/browse/ASTERISK-22905</a><br>
<br>
    Asterisk Project Security Advisories are posted at<br>
    <a href="http://www.asterisk.org/security" target="_blank">http://www.asterisk.org/security</a><br>
<br>
    This document may be superseded by later versions; if so, the latest<br>
    version will be posted at<br>
    <a href="http://downloads.digium.com/pub/security/AST-2013-007.pdf" target="_blank">http://downloads.digium.com/pub/security/AST-2013-007.pdf</a> and<br>
    <a href="http://downloads.digium.com/pub/security/AST-2013-007.html" target="_blank">http://downloads.digium.com/pub/security/AST-2013-007.html</a><br>
<br>
                                Revision History<br>
          Date                 Editor                  Revisions Made<br>
    12/16/2013         Matt Jordan              Initial Revision<br>
<br>
               Asterisk Project Security Advisory - AST-2013-007<br>
              Copyright (c) 2013 Digium, Inc. All Rights Reserved.<br>
  Permission is hereby granted to distribute and publish this advisory in its<br>
                           original, unaltered form.<br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
</font></span></div><br><br clear="all"><div><br></div>-- <br><span style="font-family:trebuchet ms,sans-serif">Sylvio Jollenbeck<br><font size="1"><a href="http://www.hosannatecnologia.com.br/" target="_blank">www.hosannatecnologia.com.br</a></font></span><br>
</div>