Asterisk Toolkit Local Privilege Escalation Vulnerability in safe_asterisk Script

Vulnerability

A local privilege escalation vulnerability has been identified in the safe_asterisk script of the Asterisk toolkit package, affecting versions up to and including 18.26.2, 20.15.0, 21.10.0, 22.5.0, 18.9-cert15, and 20.7-cert6. When the script is used to start Asterisk in non-systemd environments, it runs every .sh file in the /etc/asterisk/startup.d/ directory as root without checking the files' ownership or permissions. Non-root users with legitimate write access to /etc/asterisk can exploit this by placing malicious scripts in the startup.d directory, which will be executed with root privileges when Asterisk is restarted.
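The missing control described above is an ownership and permission check on the startup.d directory and its scripts before they are sourced as root. The following POSIX sh fragment is an added example written for this advisory; it is not code from the Asterisk project or from the safe_asterisk script. The function names (check_startup_scripts, run_startup_scripts), the optional OWNER parameter, and the test directory used in the usage note are assumptions for illustration; it relies on find supporting -maxdepth (GNU and BSD findutils both do).

```shell
#!/bin/sh
# Added example, not part of the advisory or of Asterisk's safe_asterisk.
# Refuses to source DIR/*.sh unless DIR and every script are owned by the
# expected user (root by default) and are not writable by group or others.
# Assumes a POSIX sh and a find(1) that supports -maxdepth.

# check_startup_scripts [DIR] [OWNER]
# Prints each offending path to stderr.
# Returns 0 when everything is clean, 1 when any problem was found,
# 2 when DIR is not a directory.
check_startup_scripts() {
    _dir=${1:-/etc/asterisk/startup.d}
    _owner=${2:-root}
    _bad=0

    [ -d "$_dir" ] || return 2

    # The directory itself: a wrong owner or group/other write bit means a
    # lower-privileged user could add or replace scripts at any time, so a
    # per-file check alone would still be racy.
    if [ -n "$(find "$_dir" -maxdepth 0 \( ! -user "$_owner" -o -perm -020 -o -perm -002 \) -print)" ]; then
        echo "unsafe directory: $_dir" >&2
        _bad=1
    fi

    # Each .sh entry must be a regular file (no symlinks pointing elsewhere),
    # owned by $_owner, and not group/other-writable.
    for _f in "$_dir"/*.sh; do
        # No match leaves the glob literal; skip it. Dangling symlinks pass
        # -L and are rejected below.
        [ -e "$_f" ] || [ -L "$_f" ] || continue
        if [ -L "$_f" ] || [ ! -f "$_f" ]; then
            echo "not a regular file: $_f" >&2
            _bad=1
            continue
        fi
        if [ -n "$(find "$_f" -maxdepth 0 \( ! -user "$_owner" -o -perm -020 -o -perm -002 \) -print)" ]; then
            echo "unsafe script: $_f" >&2
            _bad=1
        fi
    done
    return $_bad
}

# run_startup_scripts [DIR] [OWNER]
# Sources the scripts only when the whole directory passes the check;
# otherwise skips the entire directory rather than running a subset.
run_startup_scripts() {
    _rdir=${1:-/etc/asterisk/startup.d}
    if check_startup_scripts "$_rdir" "$2"; then
        for _rf in "$_rdir"/*.sh; do
            [ -f "$_rf" ] && . "$_rf"
        done
        return 0
    fi
    echo "refusing to run startup scripts in $_rdir" >&2
    return 1
}
```

In a safe_asterisk-style start-up routine, run_startup_scripts would replace the plain loop over /etc/asterisk/startup.d/*.sh. Checking the directory as well as the files matters: if /etc/asterisk/startup.d is writable by a non-root user, a file could be swapped between the check and the source, so the only safe answer is to refuse the whole directory. This is a compensating control for a host that cannot yet be upgraded; the upgrade in the Remediation section remains the fix.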

Impact

Exploitation of this vulnerability allows non-root users to execute scripts as the root user, leading to unauthorized privilege escalation.

Reproduction

To reproduce this vulnerability, a non-root user with write permissions in the /etc/asterisk directory should create the /etc/asterisk/startup.d directory if it does not already exist. The user can then place a file named '01-test.sh' in the startup.d directory, containing a command to create a file in the /tmp directory. Afterward, Asterisk should be restarted using a method that triggers the safe_asterisk script, such as through a SysV init script or FreePBX's amportal start. Once Asterisk has been restarted, the user can check the /tmp directory for the test file, which will have been created with root ownership.

Remediation

Users can upgrade to Asterisk versions 18.26.3, 20.15.1, 21.10.1, 22.5.1, 18.9-cert16, or 20.7-cert7 to address this vulnerability.

Added: Sep 23, 2025, 5:19 AM
Updated: Sep 23, 2025, 5:19 AM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 10.0
exploitability: 4.8
remediation: 7.9
relevance: 0.6
threat: 6.4
urgency: 5.7
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.