[asterisk-bugs] [Asterisk 0018482]: Undefined SIP users can exploit default context to make calls

Asterisk Bug Tracker noreply at bugs.digium.com
Thu Dec 16 00:08:28 UTC 2010


A NOTE has been added to this issue. 
====================================================================== 
https://issues.asterisk.org/view.php?id=18482 
====================================================================== 
Reported By:                ngupta
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   18482
Category:                   Channels/chan_sip/General
Reproducibility:            always
Severity:                   major
Priority:                   normal
Status:                     new
Asterisk Version:           1.4.37 
JIRA:                        
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
====================================================================== 
Date Submitted:             2010-12-15 17:57 CST
Last Modified:              2010-12-15 18:08 CST
====================================================================== 
Summary:                    Undefined SIP users can exploit default context to make calls
Description: 
A sip client can exploit the default context created in asterisk server.
Even when a user is not defined anywhere in asterisk config, that user can
place calls to users or extensions through 'default' context.

This is reproducible. Setup info is simple:
1. create an asterisk server
2. Don't care for any users
3. Start server
4. Pick any SIP client e.g. xten lite
5. Enter all info about asterisk server and pick a random user ID which
does not exist on asterisk.
6. xten lite will keep showing some error and asterisk logs will show 'No
matching peer found'
7. xten lite can still place calls to defined extensions
8. if outgoing plan is also part of 'default' context, then that undefined
user was able to dial outside using trunk.

I think this is a big security issue.
====================================================================== 

---------------------------------------------------------------------- 
 (0129635) ngupta (reporter) - 2010-12-15 18:08
 https://issues.asterisk.org/view.php?id=18482#c129635 
---------------------------------------------------------------------- 
I found my own solution. In sip.conf, there is a default option 
allowguest = yes

I changed it to 'no' and restarted asterisk. It's OK now. 
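The report above describes two conditions that combine into the exposure: `allowguest=yes` in the `[general]` section of sip.conf (the setting the reporter turned off in the note), and a dialplan whose guest context (`default`) can reach a trunk. The following audit script is an added example written for this thread, not Asterisk code and not the reporter's; it parses constructed sip.conf and extensions.conf fragments and flags the combination. It assumes the Asterisk 1.4 defaults that `allowguest` is `yes` and the guest context is `default` when neither key is set; the sample configs, peer names and trunk name are constructed for the example.

```python
"""Audit sip.conf / extensions.conf for anonymous-guest reachability.

Added example for Asterisk issue 18482; not Asterisk's own code.
Assumption (Asterisk 1.4 behaviour as described in the report): with no
explicit setting, allowguest defaults to 'yes' and guest calls land in the
'default' context.
"""
import re

# Constructed sip.conf with the weak setting the reporter found.
WEAK_SIP_CONF = """
[general]
context=default        ; guests land here
allowguest=yes         ; anonymous INVITEs are accepted

[alice]
type=friend
secret=placeholder
context=internal
"""

# Constructed sip.conf after the reporter's fix (allowguest=no) plus a
# guest context that reaches nothing valuable.
HARDENED_SIP_CONF = """
[general]
context=public
allowguest=no

[alice]
type=friend
secret=placeholder
context=internal
"""

# Constructed extensions.conf: the 'default' context can Dial() a trunk,
# which is the condition in step 8 of the report.
EXTENSIONS_CONF = """
[default]
exten => 100,1,Dial(SIP/alice)
exten => _9X.,1,Dial(SIP/trunk/${EXTEN:1})   ; outbound via trunk

[internal]
exten => _9X.,1,Dial(SIP/trunk/${EXTEN:1})
"""


def parse_asterisk_conf(text):
    """Parse the INI-like Asterisk format into {section: [(key, value), ...]}.

    Keys may repeat (every 'exten => ...' line), so each section keeps an
    ordered list of pairs instead of a dict. Both 'key=value' and
    'key => value' forms are accepted; ';' starts a comment.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = re.match(r"^([^=]+?)\s*=>?\s*(.*)$", line)
        if m and current is not None:
            sections[current].append((m.group(1).strip(), m.group(2).strip()))
    return sections


def setting(section, key, default):
    """Return the last value set for key in a section (last one wins)."""
    value = default
    for k, v in section:
        if k.lower() == key:
            value = v
    return value


def audit_guest_access(sip_conf_text, extensions_conf_text):
    """Report whether unauthenticated callers can reach a Dial() step."""
    sip = parse_asterisk_conf(sip_conf_text)
    dialplan = parse_asterisk_conf(extensions_conf_text)
    general = sip.get("general", [])
    # Assumed 1.4 defaults when the keys are absent: allowguest=yes, context=default.
    allowguest = setting(general, "allowguest", "yes").lower() in ("yes", "true", "1")
    guest_context = setting(general, "context", "default")
    dials = [v for k, v in dialplan.get(guest_context, [])
             if k.lower() == "exten" and "Dial(" in v]
    return {
        "allowguest": allowguest,
        "guest_context": guest_context,
        "dials_reachable_by_guests": dials,
        "exposed": allowguest and bool(dials),
    }


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SIP_CONF), ("hardened", HARDENED_SIP_CONF)):
        print(label, audit_guest_access(conf, EXTENSIONS_CONF))
```

Run against a real deployment by reading the two files from `/etc/asterisk/` instead of the constructed strings. The `exposed` flag is only true when both conditions hold; turning `allowguest` off clears it on its own, and pointing guests at a context with no `Dial()` steps limits the damage if guest access is ever needed.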

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2010-12-15 18:08 ngupta         Note Added: 0129635                          
======================================================================