manager.c: Prevent the Originate action from running the Originate app
authorGeorge Joseph <gjoseph@digium.com>
Thu, 24 Oct 2019 17:41:23 +0000 (11:41 -0600)
committerGerrit <noreply@gerrit.asterisk.org>
Thu, 21 Nov 2019 15:41:07 +0000 (09:41 -0600)
If an AMI user without the "system" authorization calls the
Originate AMI command with the Originate application,
the second Originate could run the "System" command.

Action: Originate
Channel: Local/1111
Application: Originate
Data: Local/2222,app,System,touch /tmp/owned

If the "system" authorization isn't set, we now block the
Originate app as well as the System, Exec, etc. apps.

ASTERISK-28580
Reported by: Eliel SardaƱons

Change-Id: Ic4c9dedc34c426f03c8c14fce334a71386d8a5fa

doc/UPGRADE-staging/AMI-Originate.txt [new file with mode: 0644]
main/manager.c

diff --git a/doc/UPGRADE-staging/AMI-Originate.txt b/doc/UPGRADE-staging/AMI-Originate.txt
new file mode 100644 (file)
index 0000000..f2d3133
--- /dev/null
@@ -0,0 +1,5 @@
+Subject: AMI
+
+The AMI Originate action, which optionally takes a dialplan application as
+an argument, no longer accepts "Originate" as the application due to
+security concerns.
index dd099c5..2d6897c 100644 (file)
@@ -5744,6 +5744,7 @@ static int action_originate(struct mansession *s, const struct message *m)
                                                                     EAGI(/bin/rm,-rf /)       */
                                strcasestr(app, "mixmonitor") ||  /* MixMonitor(blah,,rm -rf)  */
                                strcasestr(app, "externalivr") || /* ExternalIVR(rm -rf)       */
+                               strcasestr(app, "originate") ||   /* Originate(Local/1234,app,System,rm -rf) */
                                (strstr(appdata, "SHELL") && (bad_appdata = 1)) ||       /* NoOp(${SHELL(rm -rf /)})  */
                                (strstr(appdata, "EVAL") && (bad_appdata = 1))           /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
                                )) {