[Asterisk-Dev] SIP SECURITY WARNING: v1-0 (cvs today) sip context in general section ignored goes to default instead - allowing unauthorized sip devices to place calls in default context

Andy Reinke Andy at an-ds.com
Fri Dec 3 17:47:58 MST 2004


SIP SECURITY WARNING

Version: v1-0 (cvs today)

Problem:  sip context in general section ignored - goes to default -
allowing unauthorized sip devices to place calls in default context

Fix [workaround]:

Remove or rename "default" context in extensions.conf

Notes:

I am not sure what other asterisk functionality may be affected by this
- review your other config files for references to the "default"
context.  Test your configurations to ensure calls are landing in the
correct context.  I suggest removing "default" and creating others like
sip-default which include demo and then testing from a sip channel to
make sure you still hit the demo from a registered device but not from
unregistered devices.  Repeat for other channels as necessary.

Detail:

I have been working with asterisk for a while now, but had never
tested/noticed this scenario - I had always created device entries in
sip.conf for any devices I tested, so I never ran into this.  Today on a
new config the phone came up before I had put anything in sip.conf and I
thought - let's see what happens if we try to call someone - and it
WORKED, which was the least expected behavior.

I am using a cisco 7960 with SIP firmware v6.3 (doesn't really matter,
any sip phone will do this) with a bare asterisk build and setup of v1-0
(pulled from cvs today) on FC3 minimal + asterisk requirements + up2date
and the configs (sip, extensions) below.

Without placing any peer, friend or user entries in sip.conf for the phone
device/extension, I am able to make calls through the "default" context.
In the below example dialing "500" from a sip phone will execute the
inter asterisk connection test (IAX) to digium even though the context
defined in the general section of sip.conf is "sip-unauthorized", which
should play congestion and hang up (as was suggested in "Getting started
with asterisk").

Removing or renaming the "default" context in extensions.conf appears to
resolve this issue - congestion is played.  However, adding a real
extension such as 900 and mapping it to something like voicemail shows
that the context sip-unauthorized is not being used - also the following
error is logged on the console (verbose = 7), which hints at this as well
- and explains why congestion was played.  Instead of looking for
sip-unauthorized as expected it looked for the missing default and then
played congestion when default was not found.

Dec  3 20:26:42 NOTICE[15447]: pbx.c:1318 pbx_extension_helper: Cannot find extension context 'default'


Sip.conf

[general]
contex=sip-unauthorized
port=5060
bindaddr=0.0.0.0
localnet=172.16.0.0/255.255.255.0

<eof>


Extensions.conf

[general]
static=yes
writeprotect=no

[globals]
;CONSOLE=Console/dsp                     ; Console interface for demo
IAXINFO=guest                            ; IAXtel username/password
;TRUNK=Zap/g2                            ; Trunk interface
;TRUNKMSD=1                              ; MSD digits to strip (usually 1 or 0)

[macro-stdexten];
;
; Standard extension macro:
;   ${ARG1} - Extension  (we could have used ${MACRO_EXTEN} here as well
;   ${ARG2} - Device(s) to ring
;
exten => s,1,Dial(${ARG2},20)                                 ; Ring the interface, 20 seconds maximum
exten => s,2,Goto(s-${DIALSTATUS},1)                          ; Jump based on status (NOANSWER,BUSY,CHANUNAVAIL,CONGESTION,ANSWER)

exten => s-NOANSWER,1,Voicemail(u${ARG1})              ; If unavailable, send to voicemail w/ unavail announce
exten => s-NOANSWER,2,Goto(default,s,1)                ; If they press #, return to start

exten => s-BUSY,1,Voicemail(b${ARG1})                  ; If busy, send to voicemail w/ busy announce
exten => s-BUSY,2,Goto(default,s,1)                           ; If they press #, return to start

exten => _s-.,1,Goto(s-NOANSWER,1)                     ; Treat anything else as no answer

exten => a,1,VoicemailMain(${ARG1})                           ; If they press *, send the user into VoicemailMain

[default]
exten => 500,1,Playback(demo-abouttotry)                      ; Let them know what's going on
exten => 500,2,Dial(IAX2/guest@misery.digium.com/s@default)   ; Call the Asterisk demo
exten => 500,3,Playback(demo-nogo)                            ; Couldn't connect to the demo site
exten => 500,4,Goto(s,6)                                      ; Return to the start over message.

[sip-unauthorized]
;An important point here, if you do not have a sip aware
;firewall and are just using port forwarding then ensure
;that your context points to somewhere like invalidcalls.
;If you do not do this then someone could call one of your
;extensions direct from the Internet. If you had an FXO card
;in the machine, this could lead to them being able to make PSTN calls!!
;[from http://www.automated.it/guidetoasterisk.htm#_Toc49248767]

exten => s,1,Answer
exten => s,2,Playtones(congestion)
exten => s,3,Congestion

exten => 900,1,VoicemailMain
exten => 900,2,Hangup

<eof>
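The practical check a reader of this report wants is: given a sip.conf and an extensions.conf, which dialplan context does a call from a SIP device that has no peer/user entry actually land in, does that context exist, and can anything in it dial out? The script below is an added example written for this page; it is not the poster's code and not part of Asterisk. It assumes that the sip.conf [general] option Asterisk reads is spelled `context`, that chan_sip falls back to the compiled-in context name `default` when that option is absent, and that the list of recognised [general] option names is illustrative rather than complete. The two embedded configs are constructed to mirror the ones posted above (the second is the same sip.conf with the general-section key spelled `context`), and the third audit reproduces the posted workaround of renaming `[default]`.

```python
"""Audit which dialplan context unauthenticated SIP calls reach.

Added example for this page; not from the original post or from Asterisk.
Assumptions: the sip.conf [general] option is named ``context`` and the
fallback when it is absent is the context named ``default``.
"""
import re
from typing import Dict, List, Tuple

FALLBACK_CONTEXT = "default"  # assumed chan_sip compiled-in default

# Illustrative subset of sip.conf [general] option names (assumption: not
# exhaustive).  Any key not listed is reported so a misspelling shows up.
KNOWN_GENERAL_OPTIONS = {
    "context", "port", "bindaddr", "localnet", "externip", "nat",
    "allowguest", "disallow", "allow", "dtmfmode", "register", "srvlookup",
}

# Constructed sample mirroring the posted sip.conf (note the key spelling).
SIP_CONF_AS_POSTED = """\
[general]
contex=sip-unauthorized
port=5060
bindaddr=0.0.0.0
localnet=172.16.0.0/255.255.255.0
"""

# Same file with the general-section key spelled as Asterisk expects it.
SIP_CONF_CORRECTED = SIP_CONF_AS_POSTED.replace("contex=", "context=")

# Constructed, trimmed copy of the posted extensions.conf.
EXTENSIONS_CONF = """\
[general]
static=yes

[default]
exten => 500,1,Playback(demo-abouttotry)   ; Let them know what's going on
exten => 500,2,Dial(IAX2/guest@misery.digium.com/s@default)
exten => 500,3,Playback(demo-nogo)

[sip-unauthorized]
exten => s,1,Answer
exten => s,2,Playtones(congestion)
exten => s,3,Congestion
exten => 900,1,VoicemailMain
exten => 900,2,Hangup
"""


def parse_asterisk_conf(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse the ini-like Asterisk format into {section: [(key, value), ...]}.

    Strips ';' comments and accepts both 'key=value' and 'key => value'.
    Entry order within a section is preserved (dialplan order matters).
    """
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[([^\]]+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = re.match(r"^([^=]+?)\s*=>?\s*(.*)$", line)
        if m and current is not None:
            sections[current].append((m.group(1).strip(), m.group(2).strip()))
    return sections


def unauthenticated_context(sip_conf: str) -> Tuple[str, List[str]]:
    """Return (context a device with no sip.conf entry lands in, unknown keys)."""
    general = dict(parse_asterisk_conf(sip_conf).get("general", []))
    unknown = sorted(k for k in general if k not in KNOWN_GENERAL_OPTIONS)
    return general.get("context", FALLBACK_CONTEXT), unknown


def outbound_extensions(extensions_conf: str, context: str) -> List[str]:
    """Extensions in `context` with a Dial() priority, i.e. paths an
    unauthenticated device could use to place a call.  Empty if missing."""
    found: List[str] = []
    for key, value in parse_asterisk_conf(extensions_conf).get(context, []):
        parts = value.split(",", 2)
        if key == "exten" and len(parts) == 3 and parts[2].startswith("Dial("):
            if parts[0] not in found:
                found.append(parts[0])
    return found


def audit(sip_conf: str, extensions_conf: str) -> dict:
    """Combine the checks into one report for a sip.conf/extensions.conf pair."""
    ctx, unknown = unauthenticated_context(sip_conf)
    return {
        "context": ctx,
        "context_exists": ctx in parse_asterisk_conf(extensions_conf),
        "unknown_general_options": unknown,
        "reachable_dial_extensions": outbound_extensions(extensions_conf, ctx),
    }


if __name__ == "__main__":
    print("as posted :", audit(SIP_CONF_AS_POSTED, EXTENSIONS_CONF))
    print("corrected :", audit(SIP_CONF_CORRECTED, EXTENSIONS_CONF))
    # The posted workaround: rename [default] so the fallback has nowhere to go.
    renamed = EXTENSIONS_CONF.replace("[default]", "[sip-default]")
    print("workaround:", audit(SIP_CONF_AS_POSTED, renamed))
```

On the posted pair the audit reports the fallback context `default` as reachable, flags the unrecognised general-section key, and lists extension 500 (the IAX demo Dial) as callable without any sip.conf entry; with the key spelled `context` it reports `sip-unauthorized` with no Dial paths. The renamed-context run shows why the workaround produced congestion rather than the sip-unauthorized dialplan: the fallback context simply no longer exists.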

 
