<p>Richard Mudgett has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.asterisk.org/9160">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses.<br><br>When endpoint specific ACL rules block a SIP request they respond with a<br>403 forbidden. However, if an endpoint is not identified then a 401<br>unauthorized response is sent. This vulnerability just discloses which<br>requests hit a defined endpoint. The ACL rules cannot be bypassed to gain<br>access to the disclosed endpoints.<br><br>* Made endpoint specific ACL rules now respond with a 401 unauthorized<br>which is the same as if an endpoint were not identified. The fix is<br>accomplished by replacing the found endpoint with the artificial endpoint<br>which always fails authentication.<br><br>ASTERISK-27818<br><br>Change-Id: Icb275a54ff8e2df6c671a6d9bda37b5d732b3b32<br>---<br>M res/res_pjsip/pjsip_distributor.c<br>1 file changed, 30 insertions(+), 8 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/60/9160/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">diff --git a/res/res_pjsip/pjsip_distributor.c b/res/res_pjsip/pjsip_distributor.c<br>index e056b60..19266df 100644<br>--- a/res/res_pjsip/pjsip_distributor.c<br>+++ b/res/res_pjsip/pjsip_distributor.c<br>@@ -666,6 +666,26 @@<br> ao2_unlock(unid);<br> }<br> <br>+static int apply_endpoint_acl(pjsip_rx_data *rdata, struct ast_sip_endpoint *endpoint);<br>+static int apply_endpoint_contact_acl(pjsip_rx_data *rdata, struct ast_sip_endpoint *endpoint);<br>+<br>+static void apply_acls(pjsip_rx_data *rdata)<br>+{<br>+ struct ast_sip_endpoint *endpoint;<br>+<br>+ /* Is the endpoint allowed with the source or contact address? */<br>+ endpoint = rdata->endpt_info.mod_data[endpoint_mod.id];<br>+ if (endpoint != artificial_endpoint<br>+ && (apply_endpoint_acl(rdata, endpoint)<br>+ || apply_endpoint_contact_acl(rdata, endpoint))) {<br>+ ast_debug(1, "Endpoint '%s' not allowed by ACL\n",<br>+ ast_sorcery_object_get_id(endpoint));<br>+<br>+ /* Replace the rdata endpoint with the artificial endpoint. */<br>+ ao2_replace(rdata->endpt_info.mod_data[endpoint_mod.id], artificial_endpoint);<br>+ }<br>+}<br>+<br> static pj_bool_t endpoint_lookup(pjsip_rx_data *rdata)<br> {<br> struct ast_sip_endpoint *endpoint;<br>@@ -684,6 +704,7 @@<br> ao2_unlink(unidentified_requests, unid);<br> ao2_ref(unid, -1);<br> }<br>+ apply_acls(rdata);<br> return PJ_FALSE;<br> }<br> <br>@@ -743,6 +764,8 @@<br> ast_sip_report_invalid_endpoint(name, rdata);<br> }<br> }<br>+<br>+ apply_acls(rdata);<br> return PJ_FALSE;<br> }<br> <br>@@ -826,16 +849,11 @@<br> <br> ast_assert(endpoint != NULL);<br> <br>- if (endpoint!=artificial_endpoint) {<br>- if (apply_endpoint_acl(rdata, endpoint) || apply_endpoint_contact_acl(rdata, endpoint)) {<br>- if (!is_ack) {<br>- pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 403, NULL, NULL, NULL);<br>- }<br>- return PJ_TRUE;<br>- }<br>+ if (is_ack) {<br>+ return PJ_FALSE;<br> }<br> <br>- if (!is_ack && ast_sip_requires_authentication(endpoint, rdata)) {<br>+ if (ast_sip_requires_authentication(endpoint, rdata)) {<br> pjsip_tx_data *tdata;<br> struct unidentified_request *unid;<br> <br>@@ -871,6 +889,10 @@<br> return PJ_TRUE;<br> }<br> pjsip_tx_data_dec_ref(tdata);<br>+ } else if (endpoint == artificial_endpoint) {<br>+ /* Uh. Oh. The artificial endpoint couldn't challenge so block the request. */<br>+ pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 500, NULL, NULL, NULL);<br>+ return PJ_TRUE;<br> }<br> <br> return PJ_FALSE;<br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/9160">change 9160</a>. To unsubscribe, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/9160"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: certified/13.18 </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>
<div style="display:none"> Gerrit-Change-Id: Icb275a54ff8e2df6c671a6d9bda37b5d732b3b32 </div>
<div style="display:none"> Gerrit-Change-Number: 9160 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Richard Mudgett <rmudgett@digium.com> </div>