manager.c: Prevent the Originate action from running the Originate app

If an AMI user without the "system" authorization calls the
Originate AMI command with the Originate application,
the second Originate could run the "System" command.

Action: Originate
Channel: Local/1111
Application: Originate
Data: Local/2222,app,System,touch /tmp/owned

If the "system" authorization isn't set, we now block the
Originate app as well as the System, Exec, etc. apps.

ASTERISK-28580
Reported by: Eliel Sardañons

Change-Id: Ic4c9dedc34c426f03c8c14fce334a71386d8a5fa
(cherry picked from commit 1b9281a5ded62e5d30af2959e5aa33bc5a0fc285)

diff --git a/doc/UPGRADE-staging/AMI-Originate.txt b/doc/UPGRADE-staging/AMI-Originate.txt
new file mode 100644 (file)
index 0000000..f2d3133
--- /dev/null
+++ b/doc/UPGRADE-staging/AMI-Originate.txt
@@ -0,0 +1,5 @@
+Subject: AMI
+
+The AMI Originate action, which optionally takes a dialplan application as
+an argument, no longer accepts "Originate" as the application due to
+security concerns.

diff --git a/main/manager.c b/main/manager.c
index 69cbe3746750fb5083f3159034e8f3129f27bf10..f96195e3d664979909184018199eefa28e9fbde1 100644 (file)
--- a/main/manager.c
+++ b/main/manager.c
@@ -5698,6 +5698,7 @@ static int action_originate(struct mansession *s, const struct message *m)
                                                                     EAGI(/bin/rm,-rf /)       */
                                strcasestr(app, "mixmonitor") ||  /* MixMonitor(blah,,rm -rf)  */
                                strcasestr(app, "externalivr") || /* ExternalIVR(rm -rf)       */
+                               strcasestr(app, "originate") ||   /* Originate(Local/1234,app,System,rm -rf) */
                                (strstr(appdata, "SHELL") && (bad_appdata = 1)) ||       /* NoOp(${SHELL(rm -rf /)})  */
                                (strstr(appdata, "EVAL") && (bad_appdata = 1))           /* NoOp(${EVAL(${some_var_containing_SHELL})}) */
                                )) {