minor privilege escalation in asterisk package
Niels Galjaard
galjaardniels at gmail.com
Sat Jul 13 12:13:33 BST 2024
Hi,
I noticed some time ago that Asterisk, when installed on recent Ubuntu versions, has a minor privilege escalation vulnerability in the systemd file. Since the command line arguments do not contain -G, the user asterisk:asterisk can modify /etc/asterisk/asterisk.conf with rungroup=disk. Subsequently you can crash the asterisk process and wait for "Restart=on-failure" to now trigger any script you want with "asterisk:disk". This gives more permissions than required.
The user is disabled, of course, but it is possible to abuse the CLI or AMI to get code execution in the asterisk user context. Using this in conjunction with the above bug, that becomes a much larger problem. As far as I can tell there is no functional change to adding the -G flag other than making the above privilege escalation impossible. We've run it with this command line flag in our service file for quite some time in the company I work for.
The ExecStart line of the systemd file is created in asterisk/debian/patches/1006_systemd.patch. I think just appending "-G asterisk" to line 94 is sufficient, but I could be wrong as I don't know anything about the process of building a deb package. It also seems to be present in multiple versions of deb files. As far as I can tell all versions of the systemd file of Debian and Ubuntu are affected.
I mistakenly believed this to be a problem in Asterisk itself, but their codebase seems to not include these settings. So this was already reported to the creators of Asterisk as well via the security tab on GitHub.
Could you please message me back if either you don't consider this a problem or you have published the fix, as this is part of a talk I want to give at a local security conference. I will presume this is sensitive and refrain from talking about it until I hear back from you or 6 months have passed since this message.
Kind regards,
Niels
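As an added illustration of the hardening described in the report above (this is not code from the report, from the Debian package or from the Asterisk project): a small POSIX shell script that checks whether a unit's ExecStart line pins the group with -G and prints a systemd drop-in override that adds it. The ExecStart strings, the group name and the unit path used here are constructed for illustration; the real Debian unit contents may differ.

```shell
#!/bin/sh
# Added example, not part of the original report or of the Debian/Asterisk code.
# Goal: detect an Asterisk ExecStart line that lacks "-G <group>" (so rungroup
# in asterisk.conf could override the group) and produce a drop-in that sets it.

# Return 0 when the ExecStart command line contains "-G <group>", 1 otherwise.
execstart_pins_group() {
    printf '%s\n' "$1" | grep -Eq -- '(^|[[:space:]])-G[[:space:]]+[A-Za-z0-9_-]+'
}

# Extract the first ExecStart= value from a unit file and run the check on it.
# Returns 0 when the unit already pins the group, 1 when it does not.
check_unit_file() {
    line=$(sed -n 's/^ExecStart=//p' "$1" | head -n 1)
    execstart_pins_group "$line"
}

# Print a systemd drop-in (for example
# /etc/systemd/system/asterisk.service.d/override.conf, an assumed path).
# The empty "ExecStart=" clears the packaged value before the new one is set,
# as systemd requires for a simple service.
print_override() {
    cat <<EOF
[Service]
ExecStart=
ExecStart=$1 -G $2
EOF
}

# Stand-alone usage on a constructed unit file (assumed command line; the real
# Debian ExecStart may differ).
if [ "${0##*/}" = "check_asterisk_unit.sh" ]; then
    tmp=$(mktemp)
    printf '[Service]\nExecStart=/usr/sbin/asterisk -f -p -U asterisk\n' > "$tmp"
    if check_unit_file "$tmp"; then
        echo "ExecStart already pins the group with -G"
    else
        echo "ExecStart lacks -G; suggested drop-in:"
        print_override "/usr/sbin/asterisk -f -p -U asterisk" asterisk
    fi
    rm -f "$tmp"
fi
```

After writing the drop-in, `systemctl daemon-reload` and restart the service so the new ExecStart takes effect.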