[Asterisk-Users] SIP SECURITY WARNING: v1-0 (cvs today) sip context in general section ignored goes to default instead - allowing unauthorized sip devices to place calls in default context

Brian West brian at bkw.org
Fri Dec 3 18:02:59 MST 2004


It's known that YOU DO this:

sip.conf you do 
[general]
context=from-sip

extensions.conf:
[from-sip]
exten => s,1,Congestion

This is a config issue.  Not really a security issue.

bkw


> -----Original Message-----
> From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-
> bounces at lists.digium.com] On Behalf Of Andy Reinke
> Sent: Friday, December 03, 2004 6:48 PM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Cc: support at voiceeclipse.com; asterisk-dev at lists.digium.com
> Subject: [Asterisk-Users] SIP SECURITY WARNING: v1-0 (cvs today) sip
> context in general section ignored goes to default instead -
> allowing unauthorized sip devices to place calls in default context
> 
> SIP SECURITY WARNING
> 
> Version: v1-0 (cvs today)
> 
> Problem:  sip context in general section ignored - goes to default -
> allowing unauthorized sip devices to place calls in default context
> 
> Fix [workaround]:
> 
> Remove or rename "default" context in extensions.conf
> 
> Notes:
> 
> I am not sure what other asterisk functionality may be affected by this -
> review your other config files for references to the "default" context.
> Test your configurations to ensure calls are landing in the correct
> context.  I suggest removing "default" and creating others like
> sip-default which include demo and then testing from a sip channel to make
> sure you still hit the demo from a registered device but not from
> unregistered devices.  Repeat for other channels as necessary.
> 
> Detail:
> 
> I have been working with asterisk for a while now but had never
> tested/noticed this scenario - I had always created device entries in
> sip.conf for any devices I tested so I never ran into this.  Today on a
> new config the phone came up before I had put anything in sip.conf and I
> thought - let's see what happens if we try to call someone - and it WORKED,
> which was the least expected behavior.
> 
> I am using a cisco 7960 with SIP firmware v6.3 (doesn't really matter, any
> sip phone will do this) with a bare asterisk build and setup of v1-0
> (pulled from cvs today) on FC3 minimal + asterisk requirements + up2date
> and the configs (sip, extensions) below.
> 
> Without placing any peer, friend, user entries in sip.conf for the phone
> device/extension, I am able to make calls through the "default" context.
> In the below example dialing "500" from a sip phone will execute the
> inter-asterisk connection test (IAX) to digium even though the context
> defined in the general section of sip.conf is "sip-unauthorized" which
> should play congestion and hang up (as was suggested in "Getting started
> with asterisk").
> 
> Removing or renaming the "default" context in extensions.conf appears to
> resolve this issue - congestion is played.  However, adding a real
> extension such as 900 and mapping it to something like voicemail shows
> that the context sip-unauthorized is not being used - also the following
> error is logged on the console (verbose = 7) which hints to this as well -
> and explains why congestion was played.  Instead of looking for
> sip-unauthorized as expected it looked for the missing default and then
> played congestion when default was not found.
> 
> Dec  3 20:26:42 NOTICE[15447]: pbx.c:1318 pbx_extension_helper:  Cannot
> find extension context 'default'
> 
> Sip.conf
> 
> [general]
> contex=sip-unauthorized
> port=5060
> bindaddr=0.0.0.0
> localnet=172.16.0.0/255.255.255.0
> 
> <eof>
> 
> Extensions.conf
> 
> [general]
> static=yes
> writeprotect=no
> 
> [globals]
> ;CONSOLE=Console/dsp                     ; Console interface for demo
> IAXINFO=guest                            ; IAXtel username/password
> ;TRUNK=Zap/g2                            ; Trunk interface
> ;TRUNKMSD=1                              ; MSD digits to strip (usually 1 or 0)
> 
> [macro-stdexten];
> ;
> ; Standard extension macro:
> ;   ${ARG1} - Extension  (we could have used ${MACRO_EXTEN} here as well
> ;   ${ARG2} - Device(s) to ring
> ;
> exten => s,1,Dial(${ARG2},20)                  ; Ring the interface, 20 seconds maximum
> exten => s,2,Goto(s-${DIALSTATUS},1)           ; Jump based on status (NOANSWER,BUSY,CHANUNAVAIL,CONGESTION,ANSWER)
> 
> exten => s-NOANSWER,1,Voicemail(u${ARG1})      ; If unavailable, send to voicemail w/ unavail announce
> exten => s-NOANSWER,2,Goto(default,s,1)        ; If they press #, return to start
> 
> exten => s-BUSY,1,Voicemail(b${ARG1})          ; If busy, send to voicemail w/ busy announce
> exten => s-BUSY,2,Goto(default,s,1)            ; If they press #, return to start
> 
> exten => _s-.,1,Goto(s-NOANSWER,1)             ; Treat anything else as no answer
> 
> exten => a,1,VoicemailMain(${ARG1})            ; If they press *, send the user into VoicemailMain
> 
> [default]
> exten => 500,1,Playback(demo-abouttotry)                      ; Let them know what's going on
> exten => 500,2,Dial(IAX2/guest@misery.digium.com/s@default)   ; Call the Asterisk demo
> exten => 500,3,Playback(demo-nogo)                            ; Couldn't connect to the demo site
> exten => 500,4,Goto(s,6)                                      ; Return to the start over message.
> 
> [sip-unauthorized]
> ;An important point here, if you do not have a sip aware
> ;firewall and are just using port forwarding then ensure
> ;that your context points to somewhere like invalidcalls.
> ;If you do not do this then someone could call one of your
> ;extensions direct from the Internet. If you had an FXO card
> ;in the machine, this could lead to them being able to make PSTN calls!!
> ;[from http://www.automated.it/guidetoasterisk.htm#_Toc49248767]
> 
> exten => s,1,Answer
> exten => s,2,Playtones(congestion)
> exten => s,3,Congestion
> 
> exten => 900,1,VoicemailMain
> exten => 900,2,Hangup
> 
> <eof>
> 
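The check below is an added example, not code from Brian's or Andy's posts and not an Asterisk tool. It audits a sip.conf/extensions.conf pair for exactly the situation in this thread: it parses both files, reports when [general] sets no recognised `context` (flagging near-miss keys such as the `contex=` in the posted sip.conf, which Asterisk does not apply, so chan_sip falls back to its built-in context name `default`), lists any application other than a congestion-style one that the effective context would run for unauthenticated SIP callers, and warns while extensions.conf still defines a [default] context. The sample configs are constructed to mirror the ones in the thread; the "harmless application" list, the function names, and the `audit` policy are my own assumptions.

```python
"""Audit an Asterisk sip.conf / extensions.conf pair for the problem in this
thread: unauthenticated SIP callers landing in the [default] context.

Added example, not Asterisk's own tooling.  Sample configs are constructed
to mirror the ones posted in the thread (including the misspelled `contex=`).
"""
import difflib
import re

# chan_sip's built-in fallback when [general] sets no 'context' (Asterisk 1.0).
BUILTIN_SIP_CONTEXT = "default"

# Applications a context for unauthenticated callers may run without handing
# them anything useful.  Assumed policy for this checker, not an Asterisk list.
HARMLESS_APPS = {"answer", "playtones", "congestion", "busy", "hangup",
                 "playback", "wait"}


def parse_asterisk_conf(text):
    """Parse Asterisk's INI-like syntax into {section: [(key, value), ...]}.

    Strips ';' comments, accepts 'key=value' and 'key => value', and keeps
    entries in file order (a context repeats the 'exten' key many times, so
    values are deliberately not collapsed into a dict).
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()     # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, [])
            continue
        if current is None:
            continue                            # key before any [section]
        sep = "=>" if "=>" in line else "="
        key, _, value = line.partition(sep)
        sections[current].append((key.strip(), value.strip()))
    return sections


def app_name(exten_value):
    """'s,2,Playtones(congestion)' -> 'playtones'; '' if malformed."""
    parts = exten_value.split(",", 2)
    if len(parts) < 3:
        return ""
    return parts[2].split("(", 1)[0].strip().lower()


def audit(sip_conf_text, extensions_text):
    """Return a list of findings (an empty list means nothing to report)."""
    findings = []
    sip = parse_asterisk_conf(sip_conf_text)
    ext = parse_asterisk_conf(extensions_text)
    general = dict(sip.get("general", []))

    effective = general.get("context")
    if effective is None:
        findings.append("sip.conf [general] sets no 'context'; unauthenticated "
                        "SIP calls land in [%s]" % BUILTIN_SIP_CONTEXT)
        for key in general:                     # catch typos like 'contex'
            if difflib.get_close_matches(key, ["context"], cutoff=0.8):
                findings.append("sip.conf [general] key '%s' looks like a "
                                "misspelling of 'context' and is not applied" % key)
        effective = BUILTIN_SIP_CONTEXT

    if effective not in ext:
        findings.append("effective context [%s] does not exist in extensions.conf "
                        "(Asterisk logs 'Cannot find extension context')" % effective)
    else:
        for key, value in ext[effective]:
            if key != "exten":
                continue
            app = app_name(value)
            if app and app not in HARMLESS_APPS:
                findings.append("[%s] runs %s for unauthenticated callers: "
                                "exten => %s" % (effective, app, value))

    if "default" in ext:
        findings.append("extensions.conf defines [default], the fallback for any "
                        "channel whose context is unset; rename it or keep it harmless")
    return findings


# Constructed samples mirroring the thread's configs.
SIP_CONF_POSTED = """\
[general]
contex=sip-unauthorized   ; typo as posted: Asterisk does not recognise this key
port=5060
bindaddr=0.0.0.0
localnet=172.16.0.0/255.255.255.0
"""
SIP_CONF_FIXED = SIP_CONF_POSTED.replace("contex=", "context=")

EXTENSIONS_POSTED = """\
[default]
exten => 500,1,Playback(demo-abouttotry)
exten => 500,2,Dial(IAX2/guest@misery.digium.com/s@default)   ; Call the Asterisk demo
exten => 500,3,Playback(demo-nogo)

[sip-unauthorized]
exten => s,1,Answer
exten => s,2,Playtones(congestion)
exten => s,3,Congestion
exten => 900,1,VoicemailMain
exten => 900,2,Hangup
"""

# The shape Brian describes: a context that only plays congestion, with the
# demo moved out of [default] so nothing falls back into it.
EXTENSIONS_FIXED = """\
[demo]
exten => 500,1,Playback(demo-abouttotry)
exten => 500,2,Dial(IAX2/guest@misery.digium.com/s@default)

[sip-unauthorized]
exten => s,1,Answer
exten => s,2,Playtones(congestion)
exten => s,3,Congestion
"""

if __name__ == "__main__":
    for label, sip, ext in [("as posted", SIP_CONF_POSTED, EXTENSIONS_POSTED),
                            ("typo fixed only", SIP_CONF_FIXED, EXTENSIONS_POSTED),
                            ("hardened", SIP_CONF_FIXED, EXTENSIONS_FIXED)]:
        print("== %s ==" % label)
        for finding in audit(sip, ext) or ["no findings"]:
            print("  " + finding)
```

Run as posted, the checker reports four findings: no applied `context`, the `contex` near-miss, the Dial reachable through [default], and the presence of [default] itself. Fixing only the typo still leaves two: the 900 extension that reaches VoicemailMain without any peer authentication, and the lingering [default] context. Only the hardened pair comes back clean, which is the state Brian's three-line sip.conf/extensions.conf answer describes.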





More information about the asterisk-users mailing list