[asterisk-users] AST-2011-013: Possible remote enumeration of SIP endpoints with differing NAT settings

Barry Miller asterisk-users at notanet.net
Fri Dec 9 10:36:51 CST 2011


On Thu, Dec 08, 2011 at 04:47:37PM -0600, Asterisk Security Team wrote:
> [...]
>     Description  It is possible to enumerate SIP usernames when the general   
>                  and user/peer NAT settings differ in whether to respond to   
>                  the port a request is sent from or the port listed for       
>                  responses in the Via header. In 1.4 and 1.6.2, this would    
>                  mean if one setting was nat=yes or nat=route and the other   
>                  was either nat=no or nat=never. In 1.8 and 10, this would    
>                  mean when one was nat=force_rport or nat=yes and the other   
>                  was nat=no or nat=comedia.                                   

I see that early this year, VOIPPACK (from the folks who brought us
SIPVicious) announced "Additionally we improved vp_sipenumerate to be
able to scan Asterisk servers regardless of the alwaysauthreject option".

I'm guessing this is how they do it.  VOIPPACK isn't free, so it's not as
widely used as SIPVicious, but it seems to show that there's at least one
exploit already out there.

-- 
Barry
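
A configuration check for the condition the quoted advisory describes, added here as an example that is not part of the original post or of Asterisk: it parses a sip.conf and lists the peers whose nat value falls in a different response-port class from [general]. The sample config, the function names and the default_nat fallback for a missing [general] nat line are assumptions; templates and #include files are not resolved.

```python
import re

# Grouping as given in the advisory: reply to the source port vs. the Via port.
SOURCE_PORT = {"yes", "route", "force_rport"}
VIA_PORT = {"no", "never", "comedia"}

# Constructed sample sip.conf, not taken from a real system.
SAMPLE_SIP_CONF = """\
[general]
alwaysauthreject=yes
nat=no            ; global setting
[alice]
type=friend
nat=yes           ; differs from [general]
[bob]
type=friend
nat => comedia    ; same class as nat=no
[carol]
type=friend       ; no nat line, inherits [general]
"""

def nat_class(value):
    """Map a nat value to its response-port class; unknown values stand alone."""
    if value in SOURCE_PORT:
        return "source-port"
    return "via-port" if value in VIA_PORT else "unknown:" + value

def parse_nat_settings(text):
    """Return {section: nat value or None} for each section in the file."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1)
            settings.setdefault(section, None)
        elif section and "=" in line:
            key, value = line.split("=", 1)          # also handles 'key => value'
            if key.strip().lower() == "nat":
                settings[section] = value.lstrip(">").strip().lower()
    return settings

def find_nat_mismatches(text, default_nat="no"):
    """List peers whose nat class differs from [general] (default_nat is assumed)."""
    settings = parse_nat_settings(text)
    general = settings.pop("general", None) or default_nat
    return sorted(n for n, v in settings.items() if v and nat_class(v) != nat_class(general))

if __name__ == "__main__":
    print(find_nat_mismatches(SAMPLE_SIP_CONF))
```

Peers with no nat line inherit the [general] value and are never reported; an unrecognised nat value is treated as its own class and therefore flagged.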