[asterisk-bugs] [JIRA] (ASTERISK-28589) chan_sip: Depending on configuration an INVITE can alter Addr of a peer

Asterisk Team (JIRA) noreply at issues.asterisk.org
Thu Dec 12 05:52:34 CST 2019


     [ https://issues.asterisk.org/jira/browse/ASTERISK-28589?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Asterisk Team updated ASTERISK-28589:
-------------------------------------

    Target Release Version/s: 17.1.0

> chan_sip: Depending on configuration an INVITE can alter Addr of a peer
> -----------------------------------------------------------------------
>
>                 Key: ASTERISK-28589
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-28589
>             Project: Asterisk
>          Issue Type: Security
>          Components: Channels/chan_sip/General
>    Affects Versions: 13.29.1, 16.6.1
>            Reporter: Andrey  V. T.
>            Severity: Blocker
>              Labels: security
>      Target Release: 13.29.2, 13.30.0, 16.6.2, 16.7.0, 17.0.1, 17.1.0
>
>         Attachments: AST-2019-006.pdf, sip.conf, sip_invite
>
>
> Hi.
> Issue summary:
> A remote attacker can overwrite a legitimate SIP peer's IP address/port (Addr->IP) by sending an unauthorized INVITE request.
> This can be used to make the peer unreachable or possibly take control of incoming calls to the affected peer.
> Only knowledge of the peer name is required.
> Issue checked against the git master version of Asterisk (GIT-master-5ca9efd).
> All other versions of Asterisk accessible to me (13.x) are also affected.
> None of the configuration options known to me have any effect on the issue.
> Steps taken to reproduce:
> In my test case Asterisk listens on UDP at 172.16.2.77:5062.
> Test peers are registered from the same host (172.16.2.77).
> The crafted INVITE is sent from 192.168.2.1.
> *) Compile Asterisk with:
> ./configure --with-jansson-bundled --prefix=/opt/asterisk/
> make
> make install
> *) Install example configs: make samples
> *) Allow loading of chan_sip in modules.conf:
> noload => chan_sip.so  => ;noload => chan_sip.so
> *) Replace the example configuration files with the attached configuration files.
> 2 SIP peers are defined in sip.conf (101 & 102)
> 1 context defined in extensions.conf
> *) Send the crafted UDP packet to Asterisk. The file with the crafted request is attached (sip_invite).
> netcat -u 172.16.2.77 5062 < sip  
> *) Make a call to the affected test peer from the second test peer.
> The resulting communication dump is attached (pcap).
> Result:
> The INVITE to affected peer 101 is sent by Asterisk to the attacker-controlled endpoint (192.168.2.1:x)
> Sorry for my English. Not my native language.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
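
A defensive check for the effect described in the report, as an added example that is not part of the original message or of Asterisk: it flags any change of a peer's stored address that no authenticated REGISTER accounts for. The `Snapshot` and `Register` records, the way they would be collected (polling the peer table, parsing registration logs), and the port numbers in the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Snapshot:
    """Peer address table as polled from the PBX at time ts (hypothetical record)."""
    ts: int
    addrs: dict  # peer name -> "ip:port"

@dataclass(frozen=True)
class Register:
    """An authenticated REGISTER taken from registration logs (hypothetical record)."""
    ts: int
    peer: str
    addr: str

def unexplained_changes(snapshots, registers):
    """Return (ts, peer, old, new) for each address change between consecutive
    snapshots that no authenticated REGISTER from the new address explains."""
    findings = []
    ordered = sorted(snapshots, key=lambda s: s.ts)
    for prev, cur in zip(ordered, ordered[1:]):
        for peer, new in cur.addrs.items():
            old = prev.addrs.get(peer)
            if old is None or old == new:
                continue  # first sighting of the peer, or nothing changed
            explained = any(
                r.peer == peer and r.addr == new and prev.ts < r.ts <= cur.ts
                for r in registers
            )
            if not explained:
                findings.append((cur.ts, peer, old, new))
    return findings

# Constructed sample data: peers 101 and 102 and the hosts from the report;
# timestamps and port numbers are made up.
SNAPSHOTS = [
    Snapshot(100, {"101": "172.16.2.77:5070", "102": "172.16.2.77:5071"}),
    Snapshot(200, {"101": "172.16.2.77:5070", "102": "172.16.2.77:5081"}),
    Snapshot(300, {"101": "192.168.2.1:5060", "102": "172.16.2.77:5081"}),
]
REGISTERS = [Register(150, "102", "172.16.2.77:5081")]  # legitimate re-registration

if __name__ == "__main__":
    for ts, peer, old, new in unexplained_changes(SNAPSHOTS, REGISTERS):
        print(f"t={ts}: peer {peer} moved {old} -> {new} without a REGISTER")
```
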


