[Asterisk-Users] Asterisk security problem: authorized SIP users can fake any callerid!

Andres andres at telesip.net
Sun Mar 13 23:06:08 MST 2005



Peter Bowyer wrote:

>On Mon, 14 Mar 2005 00:27:12 -0500, Andres <andres at telesip.net> wrote:
>  
>
>>Deti Fliegl wrote:
>>
>>    
>>
>>>Hi there,
>>>
>>>all that started by investigating what happens if SIP clients are
>>>calling anonymously.
>>>The problem: Every client who is registered as a regular user with
>>>username and secret can fake any callerid in subsequent INVITEs.
>>>Asterisk does not apply an accountcode or callerid from sip.conf.
>>>Those calls end up unbilled and untraceable.
>>>      
>>>
>>I just tested this.  You are totally right.
>>
>>Simple way to reproduce this with a Sipura:
>>1.  Have the unit register with your Asterisk provider.
>>2.  Then under the advanced settings change Register to "No" and Make
>>Calls Without Register to "Yes"
>>3.  Change your username.
>>4.  Make a call and see how it does not show up under your cdrs!
>>
>>I would consider this a major problem.  Anyone depending on this might
>>want to open up a bug report.
>>
>>    
>>
>
>They might also want to read higher up in this thread, where advice
>was given as to how to configure round this behaviour. Land
>unauthenticated SIP calls in a context with limited or no access.
>Asterisk allows you to do exactly what you want.
>  
>
You might want to try the steps provided above yourself, Peter.  Because 
even if we have a context that leads to never-never land at the top of 
sip.conf, I am still able to make free calls.  A "sip debug" clearly 
shows how Asterisk matches the call to the existing sip.conf entry, yet 
the modified username/password has nothing to do with any sip.conf entries.
---------------
[general]
port = 5060 ; Port to bind to
bindaddr = 0.0.0.0 ; Address to bind to
context = nocalls ; Default for incoming calls of not registered phones
---------------

The trick is to make the call while Asterisk **still** thinks your 
IP/port is from a valid register user.  (and make sure your phone does 
not try to register again after you make the username change)

>Many people use this behaviour to accept unsolicited SIP calls and
>direct them to an IVR or a specified extension, for example. But you
>probably wouldn't allow them to make toll calls.
>
>Peter
>
>  
>

-- 
Andres
Network Admin
http://www.telesip.net
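The matching behaviour described in this thread, as an added example that is not code from the original post or from Asterisk: a small Python model in which a successful REGISTER binds the client's source IP/port to a sip.conf peer, and a later INVITE from that same IP/port is matched to the peer by address alone, so whatever the client puts in the From header ends up as the caller ID. The peer table, secrets, addresses, nonce and the SIP messages are constructed for the example, and `route_pinned_to_peer` is a hypothetical hardened router (identity taken from the matched peer, From mismatch flagged), not an Asterisk option.

```python
"""Model of the REGISTER binding / INVITE matching described in the thread.
Added example, not Asterisk code; all names, secrets and addresses are invented."""
import hashlib
import re
from dataclasses import dataclass

REALM = "asterisk"  # assumption: digest realm of the constructed PBX

# Constructed sip.conf-style peer table (invented names, secret and callerid).
PEERS = {
    "1001": {"secret": "s3cret1001", "callerid": "Alice <1001>",
             "accountcode": "ACC-1001", "context": "internal"},
}


@dataclass
class SipMessage:
    method: str
    uri: str
    headers: dict
    src: tuple  # (ip, port) the datagram arrived from


def parse_sip(raw: str, src: tuple) -> SipMessage:
    """Minimal parser: request line plus headers, no body handling."""
    lines = raw.strip().splitlines()
    method, uri, _version = lines[0].split(None, 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return SipMessage(method, uri, headers, src)


def from_user(msg: SipMessage):
    m = re.search(r"sip:([^@>;]+)@", msg.headers.get("from", ""))
    return m.group(1) if m else None


def from_display(msg: SipMessage) -> str:
    m = re.match(r'\s*"?([^"<]*?)"?\s*<', msg.headers.get("from", ""))
    return m.group(1) if m else ""


def parse_auth(header: str) -> dict:
    return dict(re.findall(r'(\w+)="?([^",]*)"?', header))


def digest_response(user, secret, method, uri, nonce):
    """RFC 2617 digest without qop, as used for SIP REGISTER challenges."""
    ha1 = hashlib.md5(f"{user}:{REALM}:{secret}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


class Registrar:
    """Holds the IP/port -> peer binding; it stays until the registration expires,
    whether or not the client ever sends another REGISTER."""
    def __init__(self):
        self.bindings = {}

    def handle_register(self, msg: SipMessage, nonce: str) -> bool:
        auth = parse_auth(msg.headers.get("authorization", ""))
        peer = PEERS.get(auth.get("username"))
        if peer is None:
            return False
        expected = digest_response(auth["username"], peer["secret"], "REGISTER",
                                   auth.get("uri", ""), nonce)
        if auth.get("response") != expected:
            return False
        self.bindings[msg.src] = auth["username"]
        return True


def route_trusting_from(reg: Registrar, msg: SipMessage) -> dict:
    """The behaviour the thread describes: the peer is found by source address,
    but the identity written to the CDR is copied from the INVITE's From header."""
    peer_name = reg.bindings.get(msg.src)
    if peer_name is None:
        return {"context": "nocalls", "peer": None}
    return {"context": PEERS[peer_name]["context"], "peer": peer_name,
            "callerid": f"{from_display(msg)} <{from_user(msg)}>", "accountcode": ""}


def route_pinned_to_peer(reg: Registrar, msg: SipMessage) -> dict:
    """Hypothetical hardened router: CDR identity comes from the matched peer's
    sip.conf entry, and a From user that differs from the peer name is flagged."""
    peer_name = reg.bindings.get(msg.src)
    if peer_name is None:
        return {"context": "nocalls", "peer": None}
    peer = PEERS[peer_name]
    return {"context": peer["context"], "peer": peer_name, "callerid": peer["callerid"],
            "accountcode": peer["accountcode"], "spoofed_from": from_user(msg) != peer_name}


def demo():
    """Replays the Sipura steps from the thread against both routers."""
    phone, nonce, reg = ("192.0.2.10", 5060), "n0nce", Registrar()  # constructed
    # Step 1: the unit registers with its real credentials.
    resp = digest_response("1001", PEERS["1001"]["secret"], "REGISTER", "sip:pbx.example", nonce)
    register = parse_sip(f"""REGISTER sip:pbx.example SIP/2.0
From: <sip:1001@pbx.example>;tag=1
To: <sip:1001@pbx.example>
Authorization: Digest username="1001", realm="{REALM}", nonce="{nonce}", uri="sip:pbx.example", response="{resp}"
""", phone)
    if not reg.handle_register(register, nonce):
        raise RuntimeError("constructed REGISTER should authenticate")
    # Steps 2-4: registration switched off, username changed, call placed from the same IP/port.
    invite = parse_sip("""INVITE sip:18005551212@pbx.example SIP/2.0
From: "Anonymous" <sip:9999@pbx.example>;tag=2
To: <sip:18005551212@pbx.example>
""", phone)
    return route_trusting_from(reg, invite), route_pinned_to_peer(reg, invite)
```

`demo()` returns two CDR-style records for the same spoofed INVITE: the first carries "Anonymous <9999>" with an empty accountcode, which is the untraceable, unbilled call the thread complains about; the second carries the peer's own callerid and accountcode and a `spoofed_from` flag, which is the check a billing or fraud-detection layer would want before trusting anything in the From header.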
