[Asterisk-Users] Asterisk security problem: authorized SIP users can fake any callerid!

Peter Bowyer peeebeee at gmail.com
Sun Mar 13 22:48:43 MST 2005


On Mon, 14 Mar 2005 00:27:12 -0500, Andres <andres at telesip.net> wrote:
> 
> 
> Deti Fliegl wrote:
> 
> > Hi there,
> >
> > all that started by investigating what happens if SIP clients are
> > calling anonymously.
> > The problem: Every client who is registered as a regular user with
> > username and secret can fake any callerid in subsequent INVITEs.
> > Asterisk does not apply an accountcode or callerid from sip.conf.
> > Those calls end up unbilled and untraceable.
> 
> I just tested this.  You are totally right.
> 
> Simple way to reproduce this with a Sipura:
> 1.  Have the unit register with your Asterisk provider.
> 2.  Then under the advanced settings change Register to "No" and Make
> Calls Without Register to "Yes"
> 3.  Change your username.
> 4.  Make a call and see how it does not show up under your cdrs!
> 
> I would consider this a major problem.  Anyone depending on this might
> want to open up a bug report.
> 

They might also want to read higher up in this thread, where advice
was given as to how to configure round this behaviour. Land
unauthenticated SIP calls in a context with limited or no access.
Asterisk allows you to do exactly what you want.

Many people use this behavour to accept unsolicited SIP calls and
direct them to an IVR or a specified extension, for example. But you
probably wouldn't allow them to make toll calls.

Peter

-- 
Peter Bowyer
Email: peter at bowyer.org
Tel: +44 1296 768003
VoIP: sip:peter at bowyer.org



More information about the asterisk-users mailing list