[asterisk-bugs] [JIRA] Updated: (ASTERISK-20186) Security Vulnerability: IAX2 peer's NEW message bypasses ACL defined in realtime
Matt Jordan (JIRA)
noreply at issues.asterisk.org
Thu Aug 30 15:55:07 CDT 2012
[ https://issues.asterisk.org/jira/browse/ASTERISK-20186?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Matt Jordan updated ASTERISK-20186:
-----------------------------------
Target Release Version/s: 1.8.15.1
10.7.1
10.7.1-digiumphones
Security: (was: Reporter, Bug Marshals, and Digium)
> Security Vulnerability: IAX2 peer's NEW message bypasses ACL defined in realtime
> --------------------------------------------------------------------------------
>
> Key: ASTERISK-20186
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-20186
> Project: Asterisk
> Issue Type: Bug
> Components: Channels/chan_iax2
> Affects Versions: 1.8.15.0, 10.7.0, 10.7.0-digiumphones
> Reporter: Matt Jordan
> Assignee: Matt Jordan
> Fix For: 1.8.15.1, 10.7.1, 10.7.1-digiumphones
>
> Attachments: AST-2012-013-10.diff, AST-2012-013-11.diff, AST-2012-013-1.8.diff
>
>
> From the issue reporter:
> I believe I have found a potential IAX2 security issue. I have tested this on both asterisk-1.6.2.24 and asterisk-1.8.14.1. In both cases, I am using Realtime IAX and testing with a ZoIPer softphone and am seemingly able to bypass the deny/permit directives. This does not occur with regular .conf files, only via Realtime.
> Let's say User "test1a" is at 9.8.7.6 and User "test1234567" is at 1.2.3.4.
> Here are the entries from the Realtime IAX table:
> {noformat}
> +-----------+--------+--------+----------+-------------+----------------+----------+-------------+------------+----------+---------+-------------+---------+-----------+-----------------+-----------------+---------+------+-------------+------------+
> | client_id | name | type | transfer | canreinvite | cancallforward | username | accountcode | secret | amaflags | context | callerid | host | defaultip | deny | permit | ipaddr | port | fullcontact | regseconds |
> +-----------+--------+--------+----------+-------------+----------------+----------+-------------+------------+----------+---------+-------------+---------+-----------+-----------------+-----------------+---------+------+-------------+------------+
> | 30 | test1a | friend | no | no | no | test1a | test1a | xxxxxxxxxx | billing | internl | 12125551212 | dynamic | NULL | 0.0.0.0/0.0.0.0 | 0.0.0.0/0.0.0.0 | 0.0.0.0 | 0 | NULL | 0 |
> +-----------+--------+--------+----------+-------------+----------------+----------+-------------+------------+----------+---------+-------------+---------+-----------+-----------------+-----------------+---------+------+-------------+------------+
> +-----------+-------------+--------+----------+-------------+----------------+-------------+-------------+----------+----------+---------+----------+---------+-----------+-----------------+-------------------------+---------+------+-------------+------------+
> | client_id | name | type | transfer | canreinvite | cancallforward | username | accountcode | secret | amaflags | context | callerid | host | defaultip | deny | permit | ipaddr | port | fullcontact | regseconds |
> +-----------+-------------+--------+----------+-------------+----------------+-------------+-------------+----------+----------+---------+----------+---------+-----------+-----------------+-------------------------+---------+------+-------------+------------+
> | 41 | test1234567 | friend | no | no | no | test1234567 | test1234567 | xxxxxxxx | billing | internl | | dynamic | NULL | 0.0.0.0/0.0.0.0 | 1.2.3.4/255.255.255.255 | 0.0.0.0 | 0 | NULL | 0 |
> +-----------+-------------+--------+----------+-------------+----------------+-------------+-------------+----------+----------+---------+----------+---------+-----------+-----------------+-------------------------+---------+------+-------------+------------+
> {noformat}
> If from a cold start of the server, or if the first user has not registered for a while (long after their registration expired), the first user (9.8.7.6) attempts to register or make a call to test1234567 (which only permits 1.2.3.4), the registration or call without registration will be denied (desired behavior).
> [Jul 27 00:15:04] NOTICE[28571]: chan_iax2.c:7711 register_verify: Host 9.8.7.6 denied access to register peer 'test1234567'
> ^^^ OK
> However, if "test1a" registers using their own credentials and then changes their credentials (username and password) to that of test1234567... they are able to bypass the deny/permit and make calls using the second user's credentials. Registration will still be blocked as is desired, but calls without registration can be made regardless of deny/permit.
> {noformat}
> --Call attempt after changing credentials.
> [Jul 27 00:15:05] DEBUG[28564]: chan_iax2.c:2577 sched_delay_remove: schedule decrement of callno used for 9.8.7.6 in 60 seconds
> [Jul 27 00:15:05] DEBUG[28565]: res_config_mysql.c:1618 mysql_reconnect: MySQL RealTime: Connection okay.
> [Jul 27 00:15:05] DEBUG[28565]: res_config_mysql.c:372 realtime_mysql: MySQL RealTime: Retrieve SQL: SELECT * FROM iaxpeers WHERE ipaddr = '9.8.7.6' AND port = '4569'
> [Jul 27 00:15:05] DEBUG[28565]: chan_iax2.c:2240 peercnt_add: ip callno count incremented to 29 for 9.8.7.6
> [Jul 27 00:15:05] DEBUG[28565]: res_config_mysql.c:1618 mysql_reconnect: MySQL RealTime: Connection okay.
> [Jul 27 00:15:05] DEBUG[28565]: res_config_mysql.c:372 realtime_mysql: MySQL RealTime: Retrieve SQL: SELECT * FROM iaxpeers WHERE name = 'test1234567' AND host = 'dynamic'
> [Jul 27 00:15:05] WARNING[28565]: utils.c:1538 __ast_string_field_init: trying to reset empty pool
> [Jul 27 00:15:05] DEBUG[28565]: acl.c:347 ast_append_ha: 0.0.0.0/0.0.0.0 sense 0 appended to acl for peer
> [Jul 27 00:15:05] DEBUG[28565]: acl.c:347 ast_append_ha: 1.2.3.4/255.255.255.255 sense 1 appended to acl for peer
> [Jul 27 00:15:07] DEBUG[28562]: chan_iax2.c:2270 peercnt_remove: ip callno count decremented to 28 for 9.8.7.6
> [Jul 27 00:15:07] DEBUG[28563]: res_config_mysql.c:1618 mysql_reconnect: MySQL RealTime: Connection okay.
> [Jul 27 00:15:07] DEBUG[28563]: res_config_mysql.c:372 realtime_mysql: MySQL RealTime: Retrieve SQL: SELECT * FROM iaxpeers WHERE ipaddr = '9.8.7.6' AND port = '4569'
> [Jul 27 00:15:07] DEBUG[28563]: chan_iax2.c:2240 peercnt_add: ip callno count incremented to 29 for 9.8.7.6
> [Jul 27 00:15:07] NOTICE[28563]: chan_iax2.c:7711 register_verify: Host 9.8.7.6 denied access to register peer 'test1234567'
> -- Accepting AUTHENTICATED call from 9.8.7.6:
> > requested format = gsm,
> > requested prefs = (),
> > actual format = ulaw,
> > host prefs = (ulaw|alaw|gsm|ilbc|g729),
> > priority = mine
> ^^^ NOT OK User at 9.8.7.6 able to make a call using test1234567 credentials and thus bypass the permit of only the 1.2.3.4 IP. CDRs indicate call is from test1234567 from an IP that should have been denied.
> {noformat}
> I have changed just about everything in iax.conf regarding RT caching, expiring, etc. and I still see the same behavior.
> Note from mjordan:
> I was able to confirm this as well using Zoiper as the test1a peer and a second Asterisk instance as the ACL restricted peer. Even when the test1a peer was not registered, it was able to use the credentials of the second IAX peer and make a call. The REGREQ was still properly denied, but the NEW bypassed the ACL.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira