[asterisk-users] Hacked

Tilghman Lesher tilghman at mail.jeffandtilghman.com
Tue Apr 7 11:28:52 CDT 2009


On Monday 06 April 2009 19:22:30 Martin wrote:
> Can you give more information about this vulnerability ?

It's unlikely that it's this vulnerability.  Every Asterisk box allows guest
access to the machine, by default.  The context it goes to is generally
the "default" context.  This is what allows you to publish an address
like sip:foo.example.com and have it get through to your company.  There's
no preexisting relationship between caller and callee; it's merely a method
of contacting the machine.

What is a vulnerability is the way that some people have configured this.
They put in that context patterns that can dial out.  There's nothing
specifically wrong with this configuration, from an Asterisk perspective;
however, in many cases, guest access is not what the administrator intended;
thus, the machine may be used to make illicit outbound telephone calls by
anybody who sends a SIP call to that machine.

The recent vulnerability had nothing to do with this, but with the ability of
an attacker to scan a SIP server for legitimate usernames and passwords.
This, by the way, merely took advantage of the SIP protocol, as written.
Normally, SIP allows you to differentiate between invalid usernames (404) and
invalid passwords (403).  What we closed in the recent vulnerability patch was
to allow administrators to send back 403, regardless of whether the username
existed or not.

-- 
Tilghman
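The two points in the post (outbound dial patterns reachable from the guest context, and the 403-versus-404 distinction that lets a scanner tell valid usernames from invalid ones) can be shown side by side as configuration. The following is an added example, not part of Tilghman's post or of the Asterisk project's documentation; the context names `from-guest` and `from-internal`, the peer `alice`, the trunk name `trunk` and the extension numbers are constructed for illustration. The sip.conf options `allowguest`, `context` and `alwaysauthreject` are real options; that `alwaysauthreject=yes` is the setting that makes Asterisk answer 403 whether or not the username exists is my understanding of the behaviour the post describes.

```ini
; ===== extensions.conf: the misconfiguration the post warns about (constructed) =====
; Unauthenticated guest INVITEs land in the [default] context.  If [default]
; carries an outbound dial pattern, anyone who sends a SIP call to the box
; can dial out through the trunk.
[default]
exten => 100,1,Dial(SIP/alice)                 ; reaching an internal phone: harmless
exten => _9X.,1,Dial(SIP/${EXTEN:1}@trunk)     ; DANGEROUS here: outbound dialling for guests

; ===== extensions.conf: guest and internal traffic kept apart (constructed) =====
[from-guest]                                   ; everything an anonymous caller may reach
exten => 100,1,Dial(SIP/alice)
exten => 100,n,Hangup()

[from-internal]                                ; only authenticated peers get here
include => from-guest
exten => _9X.,1,Dial(SIP/${EXTEN:1}@trunk)     ; outbound pattern lives only in this context

; ===== sip.conf =====
[general]
allowguest=no          ; if you never need inbound calls from strangers, refuse guests outright
context=from-guest     ; if guests are allowed (allowguest=yes), they land here, never in [default]
alwaysauthreject=yes   ; answer 403 for unknown user and wrong password alike, so a scan cannot
                       ; distinguish existing usernames (404 vs 403) as the post describes

[alice]
type=friend
secret=<STRONG-SECRET-PLACEHOLDER>   ; placeholder, not a real credential
host=dynamic
context=from-internal                ; authenticated peer: may use the outbound pattern
```

The check a practitioner would run after changing this: `sip show settings` in the Asterisk CLI shows the effective `allowguest`/`alwaysauthreject` values, and `dialplan show default` (or whichever context `sip.conf` names for guests) should list no pattern that ends in a `Dial()` to a trunk.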


