[asterisk-bugs] [JIRA] (ASTERISK-21013) Security Vulnerability: sip username disclosure
Matt Jordan (JIRA)
noreply at issues.asterisk.org
Thu Mar 28 11:36:11 CDT 2013
[ https://issues.asterisk.org/jira/browse/ASTERISK-21013?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Matt Jordan updated ASTERISK-21013:
-----------------------------------
Target Release Version/s: 1.8.22.0
> Security Vulnerability: sip username disclosure
> -----------------------------------------------
>
> Key: ASTERISK-21013
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-21013
> Project: Asterisk
> Issue Type: Bug
> Components: Channels/chan_sip/General
> Affects Versions: 11.2.1
> Reporter: Walter Doekes
> Assignee: Kinsey Moore
> Target Release: 1.8.20.2, 1.8.22.0, 10.12.2, 10.12.2-digiumphones, 11.2.2
>
> Attachments: AST-2013-003-10.diff, AST-2013-003-11.diff, AST-2013-003-1.8.diff, ASTERISK-21013.diff, ASTERISK-21013.diff, ASTERISK-21013.diff, invite-username-disclosure-1.xml, invite-username-disclosure-1.xml, invite-username-disclosure-2.xml, invite-username-disclosure-2.xml, invite-username-disclosure-3.xml, invite-username-disclosure-3.xml, issueA21013_better_but_not_there_yet.patch, issueA21013_bogopeer_still_needs_alwaysauthreject_cleanup.patch, issueA21013_more_cleanup_more_fixes.patch, issueA21013_with_null_check.patch, register-username-disclosure-2.xml, register-username-disclosure.xml, register-username-disclosure.xml
>
>
> So.. I was trying to see if I could alter the SIP security framework messages to differentiate between auth failures for any UDP packet and those with a valid nonce. Those with a valid nonce would probably not have a spoofed IP, so I can use fail2ban on them with more peace of mind.
> But, then I saw the different handling of the alwaysauthreject-challenge and the "normal" challenge code. These differences can be observed by an attacker sniffing for valid usernames.
> {noformat}
> VICTIM$ sudo asterisk -nrx 'sip show peers' | head -n4
> Name/username...
> 100...
> 101...
> 102...
> VICTIM$ sudo asterisk -nrx 'core show version'
> Asterisk SVN-branch-11-r380384M
> {noformat}
> {noformat}
> ATTACKER$ sipp -m 1 -sf register-username-disclosure.xml VICTIM -s 000 -ap badpass >/dev/null
> 000 is NOT a valid username
> ATTACKER$ sipp -m 1 -sf register-username-disclosure.xml VICTIM -s 001 -ap badpass >/dev/null
> 001 is NOT a valid username
> ATTACKER$ sipp -m 1 -sf register-username-disclosure.xml VICTIM -s 100 -ap badpass >/dev/null
> 100 is a valid username
> ATTACKER$ sipp -m 1 -sf register-username-disclosure.xml VICTIM -s 101 -ap badpass >/dev/null
> 101 is a valid username
> {noformat}
> I haven't done any work on fixing the issue. But it's likely that the right fix would be to follow the normal challenge code path as much as possible.
> Regards,
> Walter Doekes
> OSSO B.V.
> (my employer wouldn't mind if OSSO B.V. is mentioned in a security bulletin if that were to be produced)
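The idea from the report's opening paragraph (count only auth failures that carry a valid nonce toward a fail2ban-style ban, since a spoofed UDP source never sees the challenge), as an added example that is not part of the original message or of Asterisk's code. The nonce format, the binding of the nonce to the source IP, the thresholds and all names are assumptions made for illustration.

```python
import hashlib, hmac, os, time
from collections import Counter

SECRET = os.urandom(32)   # per-process key (constructed for this example)
NONCE_TTL = 30            # seconds a challenge stays valid (assumed value)
BAN_THRESHOLD = 3         # nonce-verified failures before a ban (assumed value)

def _mac(src_ip, ts):
    return hmac.new(SECRET, f"{src_ip}|{ts}".encode(), hashlib.sha256).hexdigest()[:16]

def issue_nonce(src_ip, now=None):
    """Stateless nonce bound to the address the challenge is sent to."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_mac(src_ip, ts)}"

def nonce_is_valid(src_ip, nonce, now=None):
    """True only if this server issued the nonce to src_ip within NONCE_TTL."""
    try:
        ts, mac = nonce.split(".", 1)
        age = (time.time() if now is None else now) - int(ts)
        ok = hmac.compare_digest(mac.encode(), _mac(src_ip, ts).encode())
    except (AttributeError, ValueError):
        return False      # missing or malformed nonce
    return ok and 0 <= age <= NONCE_TTL

class AuthFailureTracker:
    def __init__(self):
        self.verified = Counter()    # failures that echoed a nonce we issued
        self.unverified = Counter()  # failures whose source may be spoofed

    def record_failure(self, src_ip, nonce, now=None):
        """Return 'ban', 'count' or 'ignore' for one failed auth attempt."""
        if not nonce_is_valid(src_ip, nonce, now):
            self.unverified[src_ip] += 1
            return "ignore"          # never ban on an unverified source address
        self.verified[src_ip] += 1
        return "ban" if self.verified[src_ip] >= BAN_THRESHOLD else "count"
```

Only the `ban` result would be written to the log line that fail2ban matches; unverified failures are still counted so they can be monitored separately.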