Asterisk versions 1.4.x and 1.6.x suffer from a SIP response user enumeration vulnerability.
Asterisk: SIP responses permit username identification
Author: francesco.tornieri "At" verona-wireless.net
Summary: SIP responses permit user identification
Release Date: 16/04/2011
Criticality level: Low
Impact: Information leak
Software: Asterisk 1.4.x (tested 1.4.40)
Asterisk 1.6.x (tested 1.6.2.17.2)
Asterisk 1.8.x isn't affected (tested 1.8.3.2)
Description:
It is possible to enumerate valid SIP usernames by using the INVITE request method instead of the REGISTER method (a similar problem was fixed by Digium in 2009 and is described in http://downloads.asterisk.org/pub/security/AST-2009-003.html).
Example:
PBX Asterisk:
----------
sip.conf
----------
[general]
context=outgoing
port=5060
bindaddr=192.168.1.1
realm=asterisk
allowguest=no
alwaysauthreject=yes ; <----
[template](!)
type=friend
canreinvite=no
host=dynamic
qualify=1000
disallow=all
allow=g729
[100](template)
callerid=phone100<100>
username=100
secret=password
[500](template)
callerid=phone200<500>
username=500
secret=password
----------------
Method: REGISTER
----------------
Valid and Invalid user:
Response: Timed out
----------------
Method: INVITE
----------------
Invalid user:
Response: 'SIP/2.0 407 Proxy Authentication Required\r\nVia: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK-2943238028;received=192.168.1.250;rport=63772\r\nFrom: "101"<sip:101@192.168.1.1>; tag=3130310132353237333535383832\r\nTo: "101"<sip:101@192.168.1.1>;tag=as7e9ffcb3\r\nCall-ID: 777784064\r\nCSeq: 1 INVITE\r\nUser-Agent: Asterisk PBX\r\nAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO\r\nSupported: replaces\r\nProxy-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="256bdf28"\r\nContent-Length: 0\r\n\r\n'
WARNING:root:found nothing
Valid user:
Method: INVITE
Response: nothing
Francesco Tornieri
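
Added example (not part of the original advisory and not the author's tooling): a defender-side check over captured SIP traffic that flags a source sending INVITEs to many distinct users in a short window, and lists which of those INVITEs went unanswered, which is the response difference described above. The sample events, the `window` and `min_users` thresholds and all function names are constructed assumptions; Call-IDs are assumed unique per capture.

```python
import re
from collections import defaultdict

def parse_sip(raw):
    """Return (kind, to_user, call_id); kind is a request method or a status code."""
    first, *rest = raw.split("\r\n")
    hdr = {}
    for line in rest:
        name, sep, value = line.partition(":")
        if sep:
            hdr[name.strip().lower()] = value.strip()
    parts = first.split()
    if len(parts) < 2:                      # malformed start line
        return None, None, None
    kind = parts[1] if first.startswith("SIP/2.0") else parts[0]
    m = re.search(r"sip:([^@>;]+)@", hdr.get("to", ""))
    return kind, (m.group(1) if m else None), hdr.get("call-id")

def invite_sweeps(events, window=60, min_users=5):
    """events: (ts, sender_ip, raw). Report senders whose INVITEs hit at least
    min_users distinct users within window seconds, plus the unanswered targets."""
    invites, answered = defaultdict(list), set()
    for ts, src, raw in events:
        kind, user, call_id = parse_sip(raw)
        if kind == "INVITE":
            invites[src].append((ts, user, call_id))
        elif kind and kind.isdigit():       # any response marks the Call-ID answered
            answered.add(call_id)
    report = {}
    for src, items in invites.items():
        items.sort(key=lambda x: x[0])
        for i, (start, _, _) in enumerate(items):
            burst = [x for x in items[i:] if x[0] - start <= window]
            users = {u for _, u, _ in burst}
            if len(users) >= min_users:
                silent = sorted({u for _, u, c in burst if c not in answered})
                report[src] = {"targets": len(users), "unanswered": silent}
                break
    return report

def _msg(first, user, cid):                 # builds constructed sample messages
    return (f'{first}\r\nTo: "{user}"<sip:{user}@192.168.1.1>\r\n'
            f"Call-ID: {cid}\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n")

def sample_events():                        # constructed capture, not real traffic
    ev = [(2, "192.168.1.20", _msg("INVITE sip:500@192.168.1.1 SIP/2.0", "500", "c9"))]
    for i, u in enumerate(["98", "99", "100", "101", "102"]):
        ev.append((i, "192.168.1.250", _msg(f"INVITE sip:{u}@192.168.1.1 SIP/2.0", u, f"c{i}")))
        if u != "100":                      # 100 is a configured peer: no reply, as in the advisory
            ev.append((i + 0.1, "192.168.1.1", _msg("SIP/2.0 407 Proxy Authentication Required", u, f"c{i}")))
    return ev
```

The `unanswered` list tells the operator which account names the sweeping source could have learned, so those peers can be prioritized for credential review.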