[Asterisk-Users] Asterisk security problem: authorized SIP users can fake any callerid!
Deti Fliegl
deti at fliegl.de
Fri Mar 11 16:19:23 MST 2005
C F wrote:
> Welcome to SIP, this is how SIP works, thats why ppl use IAX.
Welcome to SIP for dummies: You have to distinguish between SIP callerid
and authentication. First, a callerid is used to call another party or
to identify yourself to another party. Such a callerid is sent via a
'From:' line in the SIP header. Second, authentication is done by
username & password, which can differ from your callerid (which is not
supported by asterisk). Whenever you register with your SIP proxy or you
invite (call) a remote party, the so-called 'Proxy-Authorization' is used to
verify your user account. This means you are never anonymous to the SIP
proxy - even if you send an anonymous callerid to the remote party.
Now here we go on exploiting asterisk's inability to verify an incoming
SIP message from a UA: Once you are registered with asterisk, your
credentials have been authenticated and your IP address is kept in a
list of registered clients. Now you can invite other parties (this makes
you a user in sip.conf terminology) and you can get called (this in turn
makes you a peer in sip.conf terminology).
The problem is now: If you call with an invalid callerid and valid
authentication credentials, you cannot be verified as a user, so asterisk
continues to search for a matching peer (see function check_user_full in
chan_sip.c). A suitable peer can be found as soon as your IP address is
known to asterisk. What now happens is that asterisk allows you to
invite (call) another party as an authenticated user even if you are just
verified as a peer (which should only receive calls).
My conclusion: check_user_full should be fixed to make sure a valid user
can be found if SIP methods like INVITE are processed.
Clues, comments, ideas?
Deti
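As an added illustration (not Asterisk's code and not from the poster), the following Python models the user-then-peer fall-through described above beside a hardened variant that ties INVITE rights to the authenticated username rather than to the From: callerid or the source IP. The sip.conf-style tables, the INVITE sample and the host names are constructed for the example.

```python
# Constructed sip.conf-style tables: users may place calls, peers (matched
# by source IP) may only receive them. Not Asterisk's real data structures.
USERS = {"alice": {"callerid": "alice"}}
PEERS = {"203.0.113.5": {"name": "alice-phone"}}

def parse_invite(msg):
    """Return (From callerid, Proxy-Authorization username) from a raw INVITE."""
    import re
    headers = {}
    for line in msg.split("\r\n")[1:]:        # skip the request line
        if not line:                          # blank line ends the headers
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    cid = re.search(r"sip:([^@>]+)@", headers.get("From", ""))
    usr = re.search(r'username="([^"]+)"', headers.get("Proxy-Authorization", ""))
    return (cid.group(1) if cid else None, usr.group(1) if usr else None)

def authorize_invite_legacy(callerid, auth_user, src_ip):
    """Models the check_user_full fall-through: look up a user by callerid;
    if none matches, accept any peer whose IP is known, even for INVITE."""
    if callerid in USERS:
        return ("user", callerid)
    if src_ip in PEERS:
        return ("peer", PEERS[src_ip]["name"])   # peer is now allowed to call
    return None

def authorize_invite_hardened(callerid, auth_user, src_ip):
    """INVITE needs an authenticated user; a peer match by IP grants nothing here,
    and the From: callerid must belong to the authenticated account."""
    if auth_user not in USERS:
        return None
    if callerid != USERS[auth_user]["callerid"]:
        return None   # mismatch: reject, or rewrite From: to the account's callerid
    return ("user", auth_user)

# Constructed INVITE: digest credentials for 'alice', but From: claims 5551000.
INVITE = (
    "INVITE sip:bob@pbx.example.invalid SIP/2.0\r\n"
    'From: "Hotline" <sip:5551000@pbx.example.invalid>;tag=1\r\n'
    "To: <sip:bob@pbx.example.invalid>\r\n"
    'Proxy-Authorization: Digest username="alice", realm="asterisk", '
    'nonce="constructed", response="constructed"\r\n'
    "\r\n"
)

def check_sample():
    """Run both policies over the constructed INVITE from peer IP 203.0.113.5."""
    cid, usr = parse_invite(INVITE)
    return (authorize_invite_legacy(cid, usr, "203.0.113.5"),
            authorize_invite_hardened(cid, usr, "203.0.113.5"))
```

The legacy path admits the call on the peer match alone, while the hardened path rejects it because the claimed callerid is not the authenticated account's.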