[asterisk-dev] security breach via call-limit/groupcount

Matthew Jordan mjordan at digium.com
Tue Jul 8 08:25:43 CDT 2014


On Tue, Jul 8, 2014 at 7:47 AM, Marek Cervenka <cervajs at fpf.slu.cz> wrote:
> I made another round of research.
> I want to file an issue in JIRA, but I want to create a SIP scenario for easier
> replication.
>
> Is there some visual tool/service which can generate a SIP scenario for sipp?
> (something like https://www.websequencediagrams.com/)
>
> Thanks
>
> On 24.2.2014 17:34, Marek Cervenka wrote:
>
>> Hi,
>>
>> I have access to one box with Asterisk 1.8 where an attacker can go through
>> call-limit/groupcount.
>>
>> The SIP scenario was:
>> INVITE from: X TO: Y
>> INVITE (authorization) from: X TO: Y
>> INVITE (in-dialog) from: X TO: Y
>> REFER (in-dialog) refer-by: X refer-TO: Y
>>
>> In the CDR I see (there is groupcount info):
>> src,dst,billsec,userfield, dialstatus
>> X,Y, T>5, groupcount=1:call-limit=2, ANSWERED
>> X,Y, T<5, groupcount=2:call-limit=2, ANSWERED
>> X,Y, T>5, groupcount=1:call-limit=2, ANSWERED
>> X,Y, T<5, groupcount=2:call-limit=2, ANSWERED
>> ...
>>
>> It seems like the SIP scenario is resetting the groupcount info and
>> call-limit is not working.
>>
>> I'm trying asterisk-dev to see if some experienced developer can confirm that this SIP
>> scenario cannot "harm" Asterisk.
>> Do you think an upgrade to Asterisk 11 can help?
>>

This is a public mailing list. Please do *NOT* discuss potential
security issues on this mailing list. Doing so puts the entire
Asterisk community at risk.

The Asterisk wiki has instructions on how to report a potential
Security Vulnerability - please report your question there:

https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Vulnerabilities

If you don't feel comfortable making a private issue in the issue
tracker to discuss this, one can be made for you.

-- 
Matthew Jordan
Digium, Inc. | Engineering Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org
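The CDR pattern quoted in the thread (groupcount alternating between 1 and 2 while calls from the same source overlap) can be cross-checked without trusting the value Asterisk wrote into the userfield. The following is an added example, not code from the original thread or from the Asterisk project: it reconstructs per-source concurrency from CDR rows and flags calls whose real overlap exceeds the recorded call-limit. The rows, the added "start" column and all timestamps are constructed for illustration.

```python
"""Cross-check groupcount/call-limit in Asterisk CDR userfields against real overlap."""
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample rows (not from the original post). A "start" column is added so
# overlap can be computed; userfield uses the "groupcount=N:call-limit=M" form quoted above.
SAMPLE_CDR = """\
src,dst,start,billsec,userfield,disposition
X,Y,2014-02-24 17:00:00,12,groupcount=1:call-limit=2,ANSWERED
X,Y,2014-02-24 17:00:02,3,groupcount=2:call-limit=2,ANSWERED
X,Y,2014-02-24 17:00:04,10,groupcount=1:call-limit=2,ANSWERED
X,Y,2014-02-24 17:00:06,2,groupcount=2:call-limit=2,ANSWERED
Z,Y,2014-02-24 17:05:00,30,groupcount=1:call-limit=2,ANSWERED
"""

USERFIELD_RE = re.compile(r"groupcount=(\d+):call-limit=(\d+)")

def parse_cdr(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        m = USERFIELD_RE.search(r["userfield"])
        if not m:
            continue  # no group accounting on this row; nothing to verify
        start = datetime.strptime(r["start"], "%Y-%m-%d %H:%M:%S")
        rows.append({"src": r["src"], "start": start,
                     "end": start + timedelta(seconds=int(r["billsec"])),
                     "groupcount": int(m.group(1)), "limit": int(m.group(2))})
    return rows

def find_limit_violations(rows):
    """Return (src, start, actual_concurrent, recorded_groupcount, limit) for each call
    whose real overlap with calls from the same src exceeds call-limit."""
    by_src = {}
    for r in rows:
        by_src.setdefault(r["src"], []).append(r)
    violations = []
    for src, calls in by_src.items():
        for c in calls:
            # calls from this src still in progress at c's start, c itself included
            concurrent = sum(1 for o in calls if o["start"] <= c["start"] < o["end"])
            if concurrent > c["limit"]:
                violations.append((src, c["start"].strftime("%H:%M:%S"),
                                   concurrent, c["groupcount"], c["limit"]))
    return violations

def run_check(text=SAMPLE_CDR):
    return find_limit_violations(parse_cdr(text))
```

On the constructed rows the third and fourth X calls each overlap two earlier calls, so the true concurrency is 3 against a call-limit of 2 while the recorded groupcount says 1 and 2.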
