<p>Richard Mudgett has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.asterisk.org/9160">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses.<br><br>When endpoint specific ACL rules block a SIP request they respond with a<br>403 forbidden.  However, if an endpoint is not identified then a 401<br>unauthorized response is sent.  This vulnerability just discloses which<br>requests hit a defined endpoint.  The ACL rules cannot be bypassed to gain<br>access to the disclosed endpoints.<br><br>* Made endpoint specific ACL rules now respond with a 401 unauthorized<br>which is the same as if an endpoint were not identified.  The fix is<br>accomplished by replacing the found endpoint with the artificial endpoint<br>which always fails authentication.<br><br>ASTERISK-27818<br><br>Change-Id: Icb275a54ff8e2df6c671a6d9bda37b5d732b3b32<br>---<br>M res/res_pjsip/pjsip_distributor.c<br>1 file changed, 30 insertions(+), 8 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/60/9160/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">diff --git a/res/res_pjsip/pjsip_distributor.c b/res/res_pjsip/pjsip_distributor.c<br>index e056b60..19266df 100644<br>--- a/res/res_pjsip/pjsip_distributor.c<br>+++ b/res/res_pjsip/pjsip_distributor.c<br>@@ -666,6 +666,26 @@<br>         ao2_unlock(unid);<br> }<br> <br>+static int apply_endpoint_acl(pjsip_rx_data *rdata, struct ast_sip_endpoint *endpoint);<br>+static int apply_endpoint_contact_acl(pjsip_rx_data *rdata, struct ast_sip_endpoint *endpoint);<br>+<br>+static void apply_acls(pjsip_rx_data *rdata)<br>+{<br>+   struct ast_sip_endpoint *endpoint;<br>+<br>+        /* Is the endpoint allowed with the source or contact address? 
*/<br>+    endpoint = rdata->endpt_info.mod_data[endpoint_mod.id];<br>+   if (endpoint != artificial_endpoint<br>+          && (apply_endpoint_acl(rdata, endpoint)<br>+                      || apply_endpoint_contact_acl(rdata, endpoint))) {<br>+           ast_debug(1, "Endpoint '%s' not allowed by ACL\n",<br>+                 ast_sorcery_object_get_id(endpoint));<br>+<br>+             /* Replace the rdata endpoint with the artificial endpoint. */<br>+               ao2_replace(rdata->endpt_info.mod_data[endpoint_mod.id], artificial_endpoint);<br>+    }<br>+}<br>+<br> static pj_bool_t endpoint_lookup(pjsip_rx_data *rdata)<br> {<br>         struct ast_sip_endpoint *endpoint;<br>@@ -684,6 +704,7 @@<br>                       ao2_unlink(unidentified_requests, unid);<br>                      ao2_ref(unid, -1);<br>            }<br>+            apply_acls(rdata);<br>            return PJ_FALSE;<br>      }<br> <br>@@ -743,6 +764,8 @@<br>                     ast_sip_report_invalid_endpoint(name, rdata);<br>                 }<br>     }<br>+<br>+ apply_acls(rdata);<br>    return PJ_FALSE;<br> }<br> <br>@@ -826,16 +849,11 @@<br> <br>     ast_assert(endpoint != NULL);<br> <br>-     if (endpoint!=artificial_endpoint) {<br>-         if (apply_endpoint_acl(rdata, endpoint) || apply_endpoint_contact_acl(rdata, endpoint)) {<br>-                    if (!is_ack) {<br>-                               pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 403, NULL, NULL, NULL);<br>-                   }<br>-                    return PJ_TRUE;<br>-              }<br>+    if (is_ack) {<br>+                return PJ_FALSE;<br>      }<br> <br>- if (!is_ack && ast_sip_requires_authentication(endpoint, rdata)) {<br>+   if (ast_sip_requires_authentication(endpoint, rdata)) {<br>               pjsip_tx_data *tdata;<br>                 struct unidentified_request *unid;<br> <br>@@ -871,6 +889,10 @@<br>                   return PJ_TRUE;<br>               }<br>             
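Review bot: In the first hunk, `apply_acls()` reads `endpoint` from `rdata->endpt_info.mod_data[endpoint_mod.id]` and passes it straight to `apply_endpoint_acl()` and `ast_sorcery_object_get_id()` without stating that it cannot be NULL. The authentication path shown as context in a later hunk does `ast_assert(endpoint != NULL);`, and the same assert belongs here right after the assignment. Both call sites in `endpoint_lookup()` presumably run only after an endpoint (real or artificial) has been stored, but that is not visible in these hunks. A short header comment on `apply_acls()` would make the security intent explicit: it must run after endpoint identification, and an ACL failure swaps in `artificial_endpoint` so the caller is challenged with the same 401 as an unknown endpoint instead of being rejected outright.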
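Review bot: In the `@@ -826,16 +849,11 @@` hunk, the new `if (is_ack) { return PJ_FALSE; }` changes the outcome for an ACK from an ACL-rejected address, and nothing in the code says so. The removed block returned `PJ_TRUE` and consumed such an ACK, whereas it now continues down the module chain carrying the artificial endpoint that `apply_acls()` attached. Whether every later module treats an ACK bound to the artificial endpoint as harmless is not visible here, so that is worth confirming. A comment on the early return would record the reasoning, for example `/* An ACK can be neither challenged nor answered; pass it on with the endpoint (possibly artificial) already attached. */`. The enclosing function starts and ends outside this hunk.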
pjsip_tx_data_dec_ref(tdata);<br>+        } else if (endpoint == artificial_endpoint) {<br>+                /* Uh. Oh.  The artificial endpoint couldn't challenge so block the request. */<br>+          pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 500, NULL, NULL, NULL);<br>+           return PJ_TRUE;<br>       }<br> <br>  return PJ_FALSE;<br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/9160">change 9160</a>. To unsubscribe, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/9160"/><meta itemprop="name" content="View Change"/></div></div>
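Review bot: In the last hunk, the new `else if (endpoint == artificial_endpoint)` branch fails closed with a 500 but leaves no local trace. An operator who sees those responses cannot tell that the artificial endpoint stopped requiring authentication, which is the state the "Uh. Oh." comment describes. Logging it before responding would make the condition diagnosable, for example `ast_log(LOG_WARNING, "Artificial endpoint did not challenge; rejecting request\n");`. Because a remote sender can trigger this path repeatedly while the condition lasts, a rate-limited or lower-severity log may be preferable. The function body continues outside the hunk.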

<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: certified/13.18 </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>
<div style="display:none"> Gerrit-Change-Id: Icb275a54ff8e2df6c671a6d9bda37b5d732b3b32 </div>
<div style="display:none"> Gerrit-Change-Number: 9160 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Richard Mudgett <rmudgett@digium.com> </div>