[asterisk-users] Hacked
Tilghman Lesher
tilghman at mail.jeffandtilghman.com
Wed Apr 8 08:31:44 CDT 2009
On Tuesday 07 April 2009 11:28:52 Tilghman Lesher wrote:
> The recent vulnerability had nothing to do with this, but with the ability
> of an attacker to scan a SIP server for legitimate usernames and passwords.
> This, by the way, merely took advantage of the SIP protocol, as written.
> Normally, SIP allows you to differentiate between invalid usernames (404)
> and invalid passwords (403). What we closed in the recent vulnerability
> patch was to allow administrators to send back 403, regardless of whether
> the username existed or not.
By the way, I am VASTLY oversimplifying the return codes here for the sake of
clarity. The actual return code is based upon a number of factors, but it is
modeled to return the same responses as would a bad password with a legitimate
user account (thus making it impossible, externally, to tell the difference
between a legitimate user account and a non-existent user account).
--
Tilghman
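The distinction the message draws, between a registrar that answers 404 for an unknown user and 403 for a bad password and one that answers identically in both cases, is easy to see in a small model. This is an added example, not code from the post or from Asterisk: it uses a constructed account table, a hypothetical realm and URI, and a hypothetical `uniform_reject` switch standing in for the administrator setting described above.

```python
import hashlib
import secrets

# Constructed sample account table: username -> password (not real credentials)
ACCOUNTS = {"1001": "correct horse battery staple"}
REALM = "pbx.example"          # hypothetical realm
URI = "sip:pbx.example"        # hypothetical Request-URI


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user: str, password: str, nonce: str, method: str = "REGISTER") -> str:
    """RFC 2617 MD5 digest exactly as a SIP client computes it for the Authorization header."""
    ha1 = md5hex(f"{user}:{REALM}:{password}")
    ha2 = md5hex(f"{method}:{URI}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def handle_register(user: str, nonce: str, response: str, uniform_reject: bool) -> int:
    """Status code a registrar returns for a REGISTER carrying a digest response.

    uniform_reject=False: classic behaviour, 404 for an unknown user and 403 for a
    bad password, so the two cases are distinguishable from outside.
    uniform_reject=True: the behaviour the post describes, an unknown user is handled
    exactly like a bad password on a real account, so the answer is always 403.
    """
    password = ACCOUNTS.get(user)
    if password is None:
        if not uniform_reject:
            return 404
        # Verify against a throwaway secret so the unknown-user path does the
        # same work and yields the same code as the bad-password path.
        password = secrets.token_hex(16)
    expected = digest_response(user, password, nonce)
    if secrets.compare_digest(expected, response):
        return 200
    return 403


def leaks_username_existence(uniform_reject: bool) -> bool:
    """Defender's check: do a wrong password on a real account and an attempt on a
    non-existent account produce different status codes?"""
    nonce = secrets.token_hex(8)
    real_bad = handle_register("1001", nonce, digest_response("1001", "wrong", nonce), uniform_reject)
    unknown = handle_register("9999", nonce, digest_response("9999", "wrong", nonce), uniform_reject)
    return real_bad != unknown
```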