[asterisk-users] Hacked

Martin asterisklist at callthem.info
Tue Apr 7 19:27:28 CDT 2009


I thought so. Unless someone can write buffer overrun code to email
them the sip.conf or other config files,
then you should be fine if you don't provision unsecured contexts to
dial out to the PSTN ...

There was a buffer overrun in chan_sip, but it was a couple of years ago.

Martin

On Tue, Apr 7, 2009 at 11:28 AM, Tilghman Lesher
<tilghman at mail.jeffandtilghman.com> wrote:
> On Monday 06 April 2009 19:22:30 Martin wrote:
>> Can you give more information about this vulnerability ?
>
> It's unlikely that it's this vulnerability.  Every Asterisk box allows guest
> access to the machine, by default.  The context it goes to is generally
> the "default" context.  This is what allows you to publish an address
> like sip:foo.example.com and have it get through to your company.  There's
> no preexisting relationship between caller and callee; it's merely a method
> of contacting the machine.
>
> What is a vulnerability is the way that some people have configured this.
> They put in that context patterns that can dial out.  There's nothing
> specifically wrong with this configuration, from an Asterisk perspective;
> however, in many cases, guest access is not what the administrator intended;
> thus, the machine may be used to make illicit outbound telephone calls by
> anybody who sends a SIP call to that machine.
>
> The recent vulnerability had nothing to do with this, but with the ability of
> an attacker to scan a SIP server for legitimate usernames and passwords.
> This, by the way, merely took advantage of the SIP protocol, as written.
> Normally, SIP allows you to differentiate between invalid usernames (404) and
> invalid passwords (403).  What we closed in the recent vulnerability patch was
> to allow administrators to send back 403, regardless of whether the username
> existed or not.
>
> --
> Tilghman
>
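The two misconfigurations discussed in this thread (a guest-reachable context that can Dial out to a trunk, and a SIP stack that answers 404 for unknown users) can be checked mechanically. The following audit script is an added example, not code from the thread or from Asterisk itself; the sample sip.conf and extensions.conf are constructed, and the option defaults it assumes (allowguest=yes, alwaysauthreject=no) and the rule that any Dial() target containing "@" is trunk-bound are simplifying assumptions.

```python
import re

# Constructed sample configs (not from the thread). They reproduce the weak setup
# Tilghman describes: guest SIP calls land in [default], and [default] can dial out.
SIP_CONF = """
[general]
context=default          ; where unauthenticated (guest) calls are sent
allowguest=yes           ; accept INVITEs from unknown peers
alwaysauthreject=no      ; 404 for unknown user, 403 for bad password
"""

EXTENSIONS_CONF = """
[default]
exten => 100,1,Dial(SIP/reception)
exten => _9X.,1,Dial(SIP/${EXTEN:1}@pstn-trunk)

[internal]
exten => _9X.,1,Dial(SIP/${EXTEN:1}@pstn-trunk)
"""

def parse_sections(text):
    """Minimal parser for Asterisk's ini-style files: {section: [(key, value), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()      # ';' starts a comment
        if not line:
            continue
        m = re.match(r'\[([^\]]+)\]', line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        # Both "key=value" and "exten => ..." forms are used in Asterisk configs.
        key, _, value = line.partition('=>') if '=>' in line else line.partition('=')
        sections.setdefault(current, []).append((key.strip(), value.strip()))
    return sections

def audit(sip_conf, extensions_conf):
    """Return a list of findings about guest access and guest-reachable outbound dialling."""
    sip = dict(parse_sections(sip_conf).get('general', []))
    exts = parse_sections(extensions_conf)
    guest_ctx = sip.get('context', 'default')     # assumed default guest context
    findings = []
    if sip.get('allowguest', 'yes').lower() != 'no':
        findings.append('allowguest is not "no": unauthenticated SIP calls are accepted')
    if sip.get('alwaysauthreject', 'no').lower() != 'yes':
        findings.append('alwaysauthreject is not "yes": 404 vs 403 reveals valid usernames')
    # Assumption: a Dial() whose target contains "@" is bound for a trunk (PSTN).
    for key, value in exts.get(guest_ctx, []):
        if key.startswith('exten') and re.search(r'Dial\([^)]*@', value):
            findings.append(f'guest context [{guest_ctx}] can dial out: {key} => {value}')
    return findings
```

Running audit(SIP_CONF, EXTENSIONS_CONF) reports all three problems; a config with allowguest=no, alwaysauthreject=yes and a guest context that only plays a greeting reports none.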


