
How To Allow AMI Access To Originate Yet Deny Application: System

While doing a security audit on a system I maintain, I stumbled upon an unvalidated use of a variable to compose an Originate request to the local Asterisk instance via AMI. Taking as an example an earlier exploit for FreePBX, I realized that this, combined with Application: System as an injected value, could allow arbitrary code execution. I am in the process of fixing all instances of this bug in our system. However, there are third parties that plug into our system, and that reconfigure the manager.conf file to allow remote access to AMI logins that allow Originate (by default, the manager.conf remains configured to deny login to any system except localhost). I want to have a guideline on how to proceed in order to make these applications work, without allowing malicious users to compromise the system. I know that one way to proceed is to deny remote access to AMI, and build an application-specific proxy that will perform the Originate on behalf of the remote requester, after filtering the values. However, I want to know if there is a simpler way to remove the danger of code execution while allowing applications to use AMI to place calls.

The intended scenario is that a remote desktop application (for Windows) is configured with the AMI credentials, and connects over the LAN to Asterisk in order to place calls and otherwise monitor the system. The attack I want to protect against is that of a malicious user that collects the credentials from the desktop application and proceeds to use the Application: System trick. I know of the SSL support for AMI, but it will not protect against a malicious end user.

AmiDebugger – Might Make Your Life Easier If You Program Through The AMI

Hi all, I have been playing with the AMI quite a bit lately – mostly debugging WombatDialer in production, but that’s a different story – and I have been frustrated by the lack of a simple way to interact CLI-like with the AMI itself. So I have decided to write something myself to make my life easier, or at least a bit less miserable.

The result is a little webapp that you can use as a sort of CLI-frontend to the AMI itself. It is not pretty, but pretty much effective. So I thought I could share it and make someone else’s life a bit easier.

You can find it on https://github.com/l3nz/amiDebugger – if you just want to test-drive it, get the WAR file and put it into some webapp container, e.g. Tomcat.

Hope you’ll like it. l.

Php Programming For Working With Asterisk

Hi,

I wrote some PHP code using AMI to work with Asterisk commands. I don’t know exactly what the difference is between AMI and AGI, and which one is better for my plan. I’m planning to call party users whose numbers are in my panel on the web. We have some operators, and they can call party users via a client softphone by clicking on their number, so they have to be limited to calling just the listed numbers and restricted from calling any other number. How can I set permissions for this plan? And how can I get the stored call recordings from Asterisk (IVR recorded voice) via PHP programming (is AGI or AMI better)?
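The first post on this page (keeping an Originate away from Application: System while still letting remote clients place calls) and this one (letting operators dial only the numbers listed in a web panel) are the same server-side problem: never let an untrusted party compose the Originate text. The following is an added example written for this page, not code from either post and not part of Asterisk or FreePBX. It assumes the proxy design the first post mentions: clients never hold AMI credentials, a small server-side component builds or filters the Originate on their behalf. Channel names, the context name and the allow-listed numbers are constructed placeholders.

```python
"""Server-side validation of an Originate request built from untrusted input.

Added example, not code from the posts above and not part of Asterisk.
Assumes clients never talk to AMI directly; a server-side component holds
the AMI credentials and composes or filters the Originate for them.
"""
import re

# Applications that run commands or scripts on the PBX host. A proxy that
# forwards Originate requests from third-party clients must never let an
# untrusted party choose one of these.
DENIED_APPLICATIONS = frozenset(
    {"system", "trysystem", "agi", "eagi", "deadagi", "exec", "execif", "tryexec"}
)

# A destination is digits only (optional leading +): no CR/LF, commas or
# other characters that could end the header or start a new one.
NUMBER_RE = re.compile(r"^\+?[0-9]{3,15}$")
CRLF_RE = re.compile(r"[\r\n]")


class OriginateRejected(ValueError):
    """Raised when an untrusted value fails validation."""


def build_originate(action_id, operator_channel, number, allowed_numbers,
                    context="from-internal", priority=1, timeout_ms=30000):
    """Return the AMI Originate text for an operator clicking a listed number.

    The destination always goes into Exten/Context, never Application/Data,
    it must be on the operator's allow-list, and every header value is
    checked for CR/LF so the request cannot grow extra headers.
    (context and channel names here are constructed placeholders)
    """
    if not NUMBER_RE.match(number):
        raise OriginateRejected(f"malformed number: {number!r}")
    if number not in allowed_numbers:
        raise OriginateRejected(f"number not on allow-list: {number}")
    for value in (action_id, operator_channel, context):
        if CRLF_RE.search(value):
            raise OriginateRejected("CR/LF in header value")
    headers = [
        ("Action", "Originate"),
        ("ActionID", action_id),
        ("Channel", operator_channel),
        ("Exten", number),
        ("Context", context),
        ("Priority", str(priority)),
        ("Timeout", str(timeout_ms)),
    ]
    return "".join(f"{key}: {value}\r\n" for key, value in headers) + "\r\n"


def parse_action(raw):
    """Parse one AMI action block into a dict keyed by lower-cased header."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n"):
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip().lower()] = value.strip()
    return headers


def filter_originate_action(raw):
    """Decide whether a raw Originate from a third-party client may be forwarded.

    Returns (True, "") or (False, reason). Only Originate is inspected here;
    anything else is refused so the proxy stays single-purpose. Splitting the
    text on CR/LF before inspection means a value that smuggles an extra
    "Application:" line is seen as its own header and caught.
    """
    headers = parse_action(raw)
    if headers.get("action", "").lower() != "originate":
        return False, "only Originate is proxied"
    app = headers.get("application", "").lower()
    if app in DENIED_APPLICATIONS:
        return False, f"Application {app} is not allowed"
    if "exten" not in headers and not app:
        return False, "Originate needs Exten/Context or an allowed Application"
    return True, ""
```

`build_originate` is the shape for the operator panel: the web layer passes only the operator's channel and the clicked number, and the allow-list is whatever the panel stores for that operator. `filter_originate_action` is the shape for third-party clients that insist on sending their own Originate: keep manager.conf denying remote logins, terminate their connection at the proxy, and forward only what passes.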

JAMI Interface Not Working As Expected

I have encountered a problem on an Ast 1.8 install where the AMI interface works fine (I can log in and issue commands to AMI directly using telnet), but when I use the JAMI/JAMA interface it fails. Using curl (HTTP) I can log in fine to the JAMI, but as soon as I issue a second command it fails (despite saving session cookies and extending the httptimeout on the Asterisk side).

The two JAMI commands (login, then ping) are issued within 3 seconds of one another, so this should succeed (and it does on some other test systems). I read about this bug in Ast 1.6 but it should have been fixed by 1.8. See here for more details (http://noojee.com.au/forum/noojee-click/bug-reports/permission-denied-with-ajam/)

This happens to be a FreePBX system… not sure if that makes a difference?

Ideas? Thanks!
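The first thing to check in a login-then-ping failure over AJAM is whether the second request actually carries back the cookie the login reply set, since Asterisk ties the manager session to that cookie. The following is an added example for this page, not code from the post or from the noojee project: a minimal AJAM client that keeps one cookie jar for the whole session and parses the plain-text `/rawman` replies. It assumes Asterisk's built-in HTTP server is enabled with the `/rawman` handler; the host name, credentials and reply text used here are placeholders.

```python
"""AJAM client that keeps the manager session cookie across requests.

Added example, not from the post above. Assumes the Asterisk HTTP server
answers on the placeholder URL below with /rawman enabled, which returns
"Key: Value" blocks in the same format as the TCP AMI.
"""
import http.cookiejar
import urllib.parse
import urllib.request


def parse_rawman(body):
    """Split a /rawman reply into a list of {header: value} blocks."""
    blocks = []
    for chunk in body.replace("\r\n", "\n").strip().split("\n\n"):
        block = {}
        for line in chunk.split("\n"):
            key, sep, value = line.partition(":")
            if sep:
                block[key.strip()] = value.strip()
        if block:
            blocks.append(block)
    return blocks


class AjamSession:
    """One opener with one cookie jar, reused for login, ping and logoff.

    Creating a new opener (or a new cookie jar) per request is the classic
    way to lose the session: the login succeeds, every later action fails.
    """

    def __init__(self, base_url, opener=None):
        self.base_url = base_url.rstrip("/")
        self.jar = http.cookiejar.CookieJar()
        self.opener = opener or urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(self.jar)
        )

    def action(self, **params):
        """Send one manager action as query parameters and parse the reply."""
        url = self.base_url + "/rawman?" + urllib.parse.urlencode(params)
        with self.opener.open(url, timeout=10) as resp:
            return parse_rawman(resp.read().decode("utf-8", "replace"))

    def has_session_cookie(self):
        """True once a reply has set a cookie; check this right after login."""
        return len(self.jar) > 0

    def login(self, username, secret):
        blocks = self.action(action="login", username=username, secret=secret)
        return bool(blocks) and blocks[0].get("Response") == "Success"

    def ping(self):
        blocks = self.action(action="ping")
        return bool(blocks) and blocks[0].get("Response") == "Success"

    def logoff(self):
        return self.action(action="logoff")


if __name__ == "__main__":
    # Placeholder host and credentials; replace with your own test system.
    session = AjamSession("http://pbx.example.invalid:8088")
    if session.login("ajam-user", "ajam-secret"):
        print("cookie kept after login:", session.has_session_cookie())
        print("ping ok:", session.ping())
        session.logoff()
```

If `has_session_cookie()` is false right after a successful login, the client side dropped the cookie and no `httptimeout` value will help; if it is true and ping still fails, the problem is on the Asterisk side and worth comparing against the working test systems.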

Counting Calls In Progress From AMI

I want to track the number of calls up at any given time, through the AMI. I found the Link and Unlink commands as the most likely candidates – is that the right way?

Also, a comment on the wiki suggests that Link may be called several times for a single bridge if transcoding is required. That blows up accuracy of my count of course…

Ideas?
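One way to keep the count accurate regardless of how many Link events a bridge emits is to key bridges on the unordered pair of Uniqueids rather than on the number of Link events seen. The following is an added example for this page, not code from the post; the event text is constructed to show a repeated Link. It assumes the Link/Unlink event fields Uniqueid1 and Uniqueid2, and treats a Bridge event carrying Bridgestate: Link or Unlink the same way, which is how releases that replaced Link/Unlink report the same transition (an assumption worth checking against your Asterisk version).

```python
"""Count calls in progress from the AMI event stream.

Added example, not from the post above. Channels are tracked by Uniqueid
from Newchannel/Hangup; bridges are tracked by the unordered pair of
Uniqueids from Link/Unlink (or Bridge with Bridgestate), so repeated Link
events for one pair are counted once. The event text is constructed.
"""


def iter_events(stream):
    """Yield one {header: value} dict per blank-line separated AMI block."""
    block = {}
    for line in stream.replace("\r\n", "\n").split("\n"):
        if not line:
            if block:
                yield block
                block = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            block[key.strip()] = value.strip()
    if block:
        yield block


class CallCounter:
    def __init__(self):
        self.channels = set()       # Uniqueid of every live channel
        self.bridges = set()        # frozenset({uid1, uid2}) per bridge
        self.duplicate_links = 0    # Link events seen for an already counted pair

    def _link(self, event, linked):
        pair = frozenset((event["Uniqueid1"], event["Uniqueid2"]))
        if linked:
            if pair in self.bridges:
                self.duplicate_links += 1
            self.bridges.add(pair)
        else:
            self.bridges.discard(pair)

    def feed(self, event):
        name = event.get("Event")
        if name == "Newchannel":
            self.channels.add(event["Uniqueid"])
        elif name == "Hangup":
            uid = event["Uniqueid"]
            self.channels.discard(uid)
            # A bridge cannot outlive its channel, even if Unlink was missed.
            self.bridges = {b for b in self.bridges if uid not in b}
        elif name in ("Link", "Unlink"):
            self._link(event, linked=(name == "Link"))
        elif name == "Bridge" and event.get("Bridgestate") in ("Link", "Unlink"):
            self._link(event, linked=(event["Bridgestate"] == "Link"))

    def calls_in_progress(self):
        return len(self.bridges)

    def channels_up(self):
        return len(self.channels)


def count_from_text(text):
    """Run every event in a captured text through a fresh counter."""
    counter = CallCounter()
    for event in iter_events(text):
        counter.feed(event)
    return counter


# Constructed sample: two calls, the first with a duplicated Link, then one
# leg of the first call hangs up.
SAMPLE_EVENTS = (
    "Event: Newchannel\r\nChannel: SIP/101-0001\r\nUniqueid: 1.1\r\n\r\n"
    "Event: Newchannel\r\nChannel: SIP/202-0002\r\nUniqueid: 1.2\r\n\r\n"
    "Event: Link\r\nChannel1: SIP/101-0001\r\nChannel2: SIP/202-0002\r\n"
    "Uniqueid1: 1.1\r\nUniqueid2: 1.2\r\n\r\n"
    "Event: Link\r\nChannel1: SIP/101-0001\r\nChannel2: SIP/202-0002\r\n"
    "Uniqueid1: 1.1\r\nUniqueid2: 1.2\r\n\r\n"
    "Event: Newchannel\r\nChannel: SIP/303-0003\r\nUniqueid: 1.3\r\n\r\n"
    "Event: Newchannel\r\nChannel: SIP/404-0004\r\nUniqueid: 1.4\r\n\r\n"
    "Event: Bridge\r\nBridgestate: Link\r\nChannel1: SIP/303-0003\r\n"
    "Channel2: SIP/404-0004\r\nUniqueid1: 1.3\r\nUniqueid2: 1.4\r\n\r\n"
    "Event: Hangup\r\nChannel: SIP/202-0002\r\nUniqueid: 1.2\r\nCause: 16\r\n\r\n"
)

if __name__ == "__main__":
    c = count_from_text(SAMPLE_EVENTS)
    print("channels up:", c.channels_up())
    print("calls in progress:", c.calls_in_progress())
    print("duplicate Link events:", c.duplicate_links)
```

The `duplicate_links` counter is there to confirm, on your own system, whether the transcoding case the wiki comment describes really shows up; if it stays at zero the simpler Link/Unlink count was fine all along.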