Asterisk Privilege Escalation Vulnerability via World-Writable GDB Initialization Files

A vulnerability in Asterisk's core dumper component allows for privilege escalation. When the ast_coredumper writes GDB initialization and output files to a world-writable directory, such as /tmp, an attacker can manipulate these files to execute arbitrary commands or overwrite files. This is possible because all users on a Linux system have write permissions to these directories. The issue arises in Asterisk versions prior to 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.

Impact

Exploitation of this vulnerability could lead to unauthorized execution of commands with root privileges, allowing an attacker to escalate privileges and potentially manipulate or delete files, further increasing the risk of privilege escalation.

Reproduction

The vulnerability can be reproduced by allowing the ast_coredumper to write GDB files to a world-writable directory. An attacker can then pre-create or symlink the GDB initialization file to another file, or race the script to modify the GDB initialization file before it is executed by GDB. This can be done by exploiting the timing of the file writes and GDB's execution.

Remediation

Users can upgrade to Asterisk versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, or 23.2.2 to address this vulnerability.