From 064bd035e7cc6b99b837c1a6a1cc3900e2dbe113 Mon Sep 17 00:00:00 2001
From: Jonathan Rose
Date: Thu, 12 Jun 2014 15:22:02 +0000
Subject: [PATCH] MixMonitor: Add class authorization requirements to MixMonitor AMI commands

MixMonitor AMI commands StartMixMonitor and StopMixMonitor lacked class authorization. StopMixMonitor now requires that the manager user either have the call or system class authorization. StartMixMonitor is a slightly larger issue since it can execute shell commands if the right arguments are passed into it, and we consider this a permission escalation. A security release will be issued for problem this shortly.

ASTERISK-23609 #close
Reported by: Corey Farrell

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@415825 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
 UPGRADE.txt | 5 +++++
 apps/app_mixmonitor.c | 6 +++---
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/UPGRADE.txt b/UPGRADE.txt
index 696d4c2a8d..2e371e0a6d 100644
--- a/UPGRADE.txt
+++ b/UPGRADE.txt
@@ -24,6 +24,11 @@ from 11.9 to 11.10
 - The asterisk command line -I option and the asterisk.conf internal_timing
 option are removed and always enabled if any timing module is loaded.
 
+ - MixMonitor AMI actions now require users to have authorization classes.
+ * MixMonitor - system
+ * MixMonitorMute - call or system
+ * StopMixMonitor - call or system
+
 - Added a new Compiler Flag, REF_DEBUG. When enabled, reference counted
 objects will emit additional debug information to the refs log file
 located in the standard Asterisk log file directory. This log file is useful in
diff --git a/apps/app_mixmonitor.c b/apps/app_mixmonitor.c
index 6333fd572c..235b3d17c5 100644
--- a/apps/app_mixmonitor.c
+++ b/apps/app_mixmonitor.c
@@ -1376,9 +1376,9 @@ static int load_module(void)
 ast_cli_register_multiple(cli_mixmonitor, ARRAY_LEN(cli_mixmonitor));
 res = ast_register_application_xml(app, mixmonitor_exec);
 res |= ast_register_application_xml(stop_app, stop_mixmonitor_exec);
- res |= ast_manager_register_xml("MixMonitorMute", 0, manager_mute_mixmonitor);
- res |= ast_manager_register_xml("MixMonitor", 0, manager_mixmonitor);
- res |= ast_manager_register_xml("StopMixMonitor", 0, manager_stop_mixmonitor);
+ res |= ast_manager_register_xml("MixMonitorMute", EVENT_FLAG_SYSTEM | EVENT_FLAG_CALL, manager_mute_mixmonitor);
+ res |= ast_manager_register_xml("MixMonitor", EVENT_FLAG_SYSTEM, manager_mixmonitor);
+ res |= ast_manager_register_xml("StopMixMonitor", EVENT_FLAG_SYSTEM | EVENT_FLAG_CALL, manager_stop_mixmonitor);
 
 return res;
 }
-- 
2.47.2
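Review bot: The reason the "MixMonitor" registration is gated on EVENT_FLAG_SYSTEM alone while "MixMonitorMute" and "StopMixMonitor" also accept EVENT_FLAG_CALL is not recorded anywhere in the code, so a later maintainer could "harmonize" the three masks and quietly reopen the escalation; a comment above the MixMonitor line would guard against that, e.g. `/* MixMonitor can execute shell commands from its arguments (ASTERISK-23609), so it must stay system-class only; do not add EVENT_FLAG_CALL. */`. The ORed mask on the other two actions is satisfied by either class, as the commit message's "either call or system" says, so a user granted only the call class can mute or stop a recording on any channel — presumably intended, but worth a sentence in the UPGRADE.txt entry. Note also that the commit message refers to the action as StartMixMonitor while the name registered here is "MixMonitor"; the UPGRADE.txt entry uses the registered name, which is the one operators must grant. load_module begins before this hunk.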