Deti Fliegl
2005-Mar-11 11:06 UTC
[Asterisk-Users] Asterisk security problem: authorized SIP users can fake any callerid!
Hi there,

all that started by investigating what happens if SIP clients are calling anonymously.

The problem: Every client who is registered as a regular user with username and secret can fake any callerid in subsequent INVITEs. Asterisk does not apply an accountcode or callerid from sip.conf. Those calls end up unbilled and untraceable.

Is there any way to fix this problem - did I misunderstand something, what am I doing wrong?

Deti
Eric Wieling
2005-Mar-11 11:32 UTC
[Asterisk-Users] Asterisk security problem: authorized SIP users can fake any callerid!
Deti Fliegl wrote:
> Hi there,
>
> all that started by investigating what happens if SIP clients are
> calling anonymously.
> The problem: Every client who is registered as a regular user with
> username and secret can fake any callerid in subsequent INVITEs.
> Asterisk does not apply an accountcode or callerid from sip.conf. Those
> calls end up unbilled and untraceable.
>
> Is there any way to fix this problem - did I misunderstand something,
> what am I doing wrong?

callerid=Anonymous User <5556667777> in [general] in sip.conf.

A better way would be to set context=INVALID (or some other invalid context). Then make sure each client has context=something in their [happysipclient] section. Create a sip.conf entry:

[guest]
context=something
callerid=Anonymous User <5556667777>
disallow=all
allow=gsm

--
Always do right. This will gratify some people and astonish the rest.
Mark Twain
C F
2005-Mar-11 12:41 UTC
[Asterisk-Users] Asterisk security problem: authorized SIP users can fake any callerid!
Welcome to SIP, this is how SIP works, that's why people use IAX.

On Fri, 11 Mar 2005 19:06:20 +0100, Deti Fliegl <deti@fliegl.de> wrote:
> Hi there,
>
> all that started by investigating what happens if SIP clients are
> calling anonymously.
> The problem: Every client who is registered as a regular user with
> username and secret can fake any callerid in subsequent INVITEs.
> Asterisk does not apply an accountcode or callerid from sip.conf. Those
> calls end up unbilled and untraceable.
>
> Is there any way to fix this problem - did I misunderstand something,
> what am I doing wrong?
>
> Deti
Edwin Groothuis
2005-Mar-11 14:02 UTC
[Asterisk-Users] Asterisk security problem: authorized SIP users can fake any callerid!
On Fri, Mar 11, 2005 at 01:13:25PM -0600, asterisk-users-request@lists.digium.com wrote:
> all that started by investigating what happens if SIP clients are
> calling anonymously.
> The problem: Every client who is registered as a regular user with
> username and secret can fake any callerid in subsequent INVITEs.
> Asterisk does not apply an accountcode or callerid from sip.conf. Those
> calls end up unbilled and untraceable.

I have had this problem too, and was honestly expecting the regexten to show up there instead of the number provided by the user (at least with CALLERIDNUM).

> Is there any way to fix this problem - did I misunderstand something,
> what am I doing wrong?

Besides setting it in the sip.conf (callerid="Foo Bar" <911>), no.

Edwin

--
Edwin Groothuis | Personal website: http://www.mavetju.org
edwin@mavetju.org | Weblog: http://weblog.barnet.com.au/edwin/
Tom Samplonius
2005-Mar-12 01:00 UTC
[Asterisk-Users] Asterisk security problem: authorized SIP users can fake any callerid!
On Fri, 11 Mar 2005 14:41:37 -0500, C F <shmaltz@gmail.com> wrote:
> Welcome to SIP, this is how SIP works, that's why people use IAX.

It is a combination of chan_sip and the particular sip.conf actually. Sane SIP servers will challenge all INVITEs, and apply user identification from the user database, not what the UA chose to supply. But if you configure Asterisk to accept anything from anyone, well, you should expect this.

Tom
Andres
2005-Mar-13 22:27 UTC
[Asterisk-Users] Asterisk security problem: authorized SIP users can fake any callerid!
Deti Fliegl wrote:
> Hi there,
>
> all that started by investigating what happens if SIP clients are
> calling anonymously.
> The problem: Every client who is registered as a regular user with
> username and secret can fake any callerid in subsequent INVITEs.
> Asterisk does not apply an accountcode or callerid from sip.conf.
> Those calls end up unbilled and untraceable.

I just tested this. You are totally right. Simple way to reproduce this with a Sipura:

1. Have the unit register with your Asterisk provider.
2. Then under the advanced settings change Register to "No" and Make Calls Without Register to "Yes".
3. Change your username.
4. Make a call and see how it does not show up under your CDRs!

I would consider this a major problem. Anyone depending on this might want to open up a bug report.

> Is there any way to fix this problem - did I misunderstand something,
> what am I doing wrong?

--
Andres
Network Admin
http://www.telesip.net
Tom Samplonius
2005-Mar-15 00:26 UTC
[Asterisk-Users] Asterisk security problem: authorized SIP users can fake any callerid!
On Tue, 15 Mar 2005 02:03:54 +1100 (EST), Duane <duane@e164.org> wrote:
>
> On Mon, March 14, 2005 17:06, Andres said:
>
> > You might want to try the steps provided above yourself Peter. Because
> > even if we have a context that leads to never never land at the top of
> > sip.conf, I am still able to make free calls. A "sip debug" clearly
>
> Welcome to the wonderful world of stateless UDP connections...

No, the INVITE should be challenged, and forced to use MD5 digest. Nothing to do with UDP vs. TCP. Not that Asterisk supports SIP over TCP.

I think sip.conf has gotten far too convoluted to easily build a sane SIP implementation. Not that SER is easy (requires understanding of the SIP RFC), but at least you can configure MD5 digest auth on all INVITEs easily, and it is pretty clear in the config that you are doing things properly. And SER supports SIP over TCP.

> --
> Best regards,
> Duane

Tom
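Tom's two replies above describe what a sane SIP server does about this: challenge every INVITE, verify the MD5 digest, and then apply the caller's identification from the user database rather than from whatever the UA put in the From header. The Python sketch below is an added example written for this thread; it is not Asterisk or SER code. The user table (standing in for sip.conf peer entries), the realm, the host name pbx.example, the numbers and the Proxy-Authorization exchange are all constructed for illustration. It walks one full exchange: an INVITE whose From claims 5559999, the 407 challenge, the authenticated retry, and the resulting identity, where callerid and accountcode come from the database entry for the authenticated user 1001 and the From mismatch is merely recorded for logging.

```python
"""Added example (not Asterisk or SER code): challenge every INVITE with a
Digest 407, verify the MD5 response against the user database, and take
callerid/accountcode from that database entry instead of the From header."""
import hashlib
import hmac
import re
import secrets

REALM = "asterisk"  # hypothetical realm name
# Constructed stand-in for sip.conf peer entries; all values are hypothetical.
USERS = {
    "1001": {"secret": "s3cret-1001", "callerid": "Alice <5551001>", "accountcode": "acct-alice"},
}

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(username, secret, method, uri, nonce):
    """RFC 2617 Digest without qop: MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = md5_hex(f"{username}:{REALM}:{secret}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def parse_request(raw):
    """Split a SIP request into (request line, {lowercased header: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def parse_digest(value):
    """Turn 'Digest username="1001", nonce="..."' into a dict (quoted params only)."""
    scheme, _, rest = value.partition(" ")
    if scheme.lower() != "digest":
        return None
    return {k.lower(): v for k, v in re.findall(r'(\w+)="([^"]*)"', rest)}

def build_invite(from_num, to_num, auth=None):
    """Client side: the From header holds whatever number the UA chooses to claim."""
    msg = (f"INVITE sip:{to_num}@pbx.example SIP/2.0\r\n"
           f'From: "Caller" <sip:{from_num}@pbx.example>;tag=abc\r\n'
           f"To: <sip:{to_num}@pbx.example>\r\n"
           "Call-ID: constructed-call-1\r\nCSeq: 1 INVITE\r\n")
    if auth:
        msg += f"Proxy-Authorization: {auth}\r\n"
    return msg + "\r\n"

def authorization_header(username, secret, uri, challenge):
    """Client side: answer the 407 by computing the digest over the server's nonce."""
    nonce = re.search(r'nonce="([^"]+)"', challenge).group(1)
    response = digest_response(username, secret, "INVITE", uri, nonce)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}"')

def handle_invite(raw, issued_nonces):
    """Server side: returns ('challenge', text), ('reject', reason) or ('accept', identity)."""
    request_line, headers = parse_request(raw)
    method, uri = request_line.split(" ")[0:2]
    auth = headers.get("proxy-authorization")
    if auth is None:  # challenge every INVITE, registered UA or not
        nonce = secrets.token_hex(16)
        issued_nonces.add(nonce)
        return ("challenge", "SIP/2.0 407 Proxy Authentication Required\r\n"
                f'Proxy-Authenticate: Digest realm="{REALM}", nonce="{nonce}"\r\n\r\n')
    params = parse_digest(auth) or {}
    user = USERS.get(params.get("username"))
    nonce = params.get("nonce")
    if user is None or nonce not in issued_nonces:
        return ("reject", "unknown user or nonce we never issued")
    expected = digest_response(params["username"], user["secret"], method,
                               params.get("uri", ""), nonce)
    if not hmac.compare_digest(expected, params.get("response", "")):
        return ("reject", "digest mismatch (wrong secret)")
    issued_nonces.discard(nonce)  # single use, so a captured response cannot be replayed
    from_header = headers.get("from", "")
    claimed = re.search(r"sip:([^@;>]+)", from_header)
    db_num = re.search(r"<([^>]+)>", user["callerid"]).group(1)
    return ("accept", {
        "user": params["username"],
        "callerid": user["callerid"],        # identity comes from the database entry
        "accountcode": user["accountcode"],  # so the CDR is attributable and billable
        "from_header": from_header,          # kept for logging only
        "from_mismatch": claimed is None or claimed.group(1) != db_num,
    })

def demo(username="1001", secret="s3cret-1001", claimed_from="5559999"):
    """Full exchange: INVITE -> 407 -> authenticated INVITE. By default the UA
    claims 5559999 in From but holds the credentials of 1001."""
    issued, uri = set(), "sip:2000@pbx.example"
    kind, challenge = handle_invite(build_invite(claimed_from, "2000"), issued)
    assert kind == "challenge"
    auth = authorization_header(username, secret, uri, challenge)
    return handle_invite(build_invite(claimed_from, "2000", auth), issued)
```

Running demo() returns an accept whose callerid is "Alice <5551001>" and whose from_mismatch flag is True: the call is attributed and billed to 1001 no matter what the phone claimed, and the mismatch is available for a log line. A wrong secret or an unknown username is rejected before any identity is assigned, and a reused nonce is rejected as well.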