asterisk users - Apr 2004 - Security Issue in Asterisk with sip.conf configuration.

I had tried many ways with some advanced user help, but without
success(at one point I thought I had it worked).

Here Asterisk is working as a SIP PSTN Gateway, and in the sip.conf
file, there are a lot of entries with just "host=a.b.c.d", thinking
that * will only accept calls from host "a.b.c.d", but in my test, no
mater how you set up the sip.conf entries, either * will NOT accept
calls for that user account at all, or it will accept calls from any
where without VERIFYING the source IP(whether it is "a.b.c.d" or not),
so long the sip userid is the username in sip.conf. This post a very
serious security problem.

Of course we can put "secret=" for each entries, but giving Asterisk
GW
and SIP proxy are in 2 TRUSTED IPs, no Authentication is neccessary,
otherwise it increase the SIP traffic quite a bit.

Following are the 4 different entries that I had tried:
#Notice that in the "general" section, context is pointed to a none
existant context "INVALID".

;
; SIP Configuration for Asterisk
;
[general]
port = 5060                     ; Port to bind to
bindaddr = 212.213.66.68
context = INVALID               ;
;srvlookup = yes                ; Enable SRV lookups on outbound calls
;pedantic = yes                 ; Enable slow, pedantic checking for
Pingtel
;tos=lowdelay
;tos=184
;maxexpirey=3600                ; Max length of incoming registration
we allow
;defaultexpirey=120             ; Default length of incoming/outoing
registration
;notifymimetype=text/plain      ; Allow overriding of mime type in
NOTIFY
;videosupport=yes               ; Turn on support for SIP video
disallow=all                    ; Disallow all codecs
allow=ulaw                      ; Allow codecs in order of preference
allow=g729
allow=ilbc
;
;dtmfmode=info
;dtmfmode=inband
dtmfmode=rfc2833



[20034]
type=friend
callerid=TEST <61331045>
host=212.213.65.66
nat=yes                        ; This phone may be natted
canreinvite=no

[20035]
type=peers
callerid=TEST <61331045>
host=212.213.65.66
nat=yes                        ; This phone may be natted
canreinvite=no

[20036]
type=friend
context=default
callerid=TEST <61331045>
host=212.213.65.66
permit=212.213.65.66
nat=yes                        ; This phone may be natted
canreinvite=no

[20037]
type=peers
context=default
callerid=TEST <61331045>
permit=212.213.65.66
nat=yes                        ; This phone may be natted
canreinvite=no

Thank you in advance.

William Zhang wrote:
> I had tried many ways with some advanced user help, but without
> success(at one point I thought I had it worked).
> 
> Here Asterisk is working as a SIP PSTN Gateway, and in the sip.conf
> file, there are a lot of entries with just "host=a.b.c.d",
thinking
> that * will only accept calls from host "a.b.c.d", but in my
test, no
> mater how you set up the sip.conf entries, either * will NOT accept
> calls for that user account at all, or it will accept calls from any
> where without VERIFYING the source IP(whether it is "a.b.c.d" or
not),
> so long the sip userid is the username in sip.conf. This post a very
> serious security problem.
> 
> Of course we can put "secret=" for each entries, but giving
Asterisk GW
> and SIP proxy are in 2 TRUSTED IPs, no Authentication is neccessary,
> otherwise it increase the SIP traffic quite a bit.
Um, how is it that you consider this a security flaw?  By omitting 
secret=, you are telling Asterisk to not authenticate the call.

John

I think the problem is that using permit= alone does nothing.
You need to combine it with a deny=  as in:

deny=0.0.0.0/0.0.0.0          ; deny all
permit=123.123.123.123  ; allow only this address - netmask defaults to:
/255.255.255.255

order matters, the deny needs to come first.

for reference here is the code from acl.c that checks the rules:

int ast_apply_ha(struct ast_ha *ha, struct sockaddr_in *sin)
{
    /* Start optimistic */
    int res = AST_SENSE_ALLOW;
    while(ha) {
        /* For each rule, if this address and the netmask = the net address
           apply the current rule */
        if ((sin->sin_addr.s_addr & ha->netmask.s_addr) ==
(ha->netaddr.s_addr)
            res = ha->sense;
        ha = ha->next;
    }
    return res;
}


Jim

James H. Thompson
jht@lava.net

----- Original Message ----- 
From: "William Zhang" <w_w_zhang@yahoo.com>
To: <asterisk-users@lists.digium.com>
Sent: Tuesday, April 27, 2004 2:43 PM
Subject: [Asterisk-Users] Security Issue in Asterisk with sip.conf
configuration.

> I had tried many ways with some advanced user help, but without
> success(at one point I thought I had it worked).
> 
> Here Asterisk is working as a SIP PSTN Gateway, and in the sip.conf
> file, there are a lot of entries with just "host=a.b.c.d",
thinking
> that * will only accept calls from host "a.b.c.d", but in my
test, no
> mater how you set up the sip.conf entries, either * will NOT accept
> calls for that user account at all, or it will accept calls from any
> where without VERIFYING the source IP(whether it is "a.b.c.d" or
not),
> so long the sip userid is the username in sip.conf. This post a very
> serious security problem.
> 
> Of course we can put "secret=" for each entries, but giving
Asterisk GW
> and SIP proxy are in 2 TRUSTED IPs, no Authentication is neccessary,
> otherwise it increase the SIP traffic quite a bit.
> 
> Following are the 4 different entries that I had tried:
> #Notice that in the "general" section, context is pointed to a
none
> existant context "INVALID".
> 
> ;
> ; SIP Configuration for Asterisk
> ;
> [general]
> port = 5060                     ; Port to bind to
> bindaddr = 212.213.66.68
> context = INVALID               ;
> ;srvlookup = yes                ; Enable SRV lookups on outbound calls
> ;pedantic = yes                 ; Enable slow, pedantic checking for
> Pingtel
> ;tos=lowdelay
> ;tos=184
> ;maxexpirey=3600                ; Max length of incoming registration
> we allow
> ;defaultexpirey=120             ; Default length of incoming/outoing
> registration
> ;notifymimetype=text/plain      ; Allow overriding of mime type in
> NOTIFY
> ;videosupport=yes               ; Turn on support for SIP video
> disallow=all                    ; Disallow all codecs
> allow=ulaw                      ; Allow codecs in order of preference
> allow=g729
> allow=ilbc
> ;
> ;dtmfmode=info
> ;dtmfmode=inband
> dtmfmode=rfc2833
> 
> 
> 
> [20034]
> type=friend
> callerid=TEST <61331045>
> host=212.213.65.66
> nat=yes                        ; This phone may be natted
> canreinvite=no
> 
> [20035]
> type=peers
> callerid=TEST <61331045>
> host=212.213.65.66
> nat=yes                        ; This phone may be natted
> canreinvite=no
> 
> [20036]
> type=friend
> context=default
> callerid=TEST <61331045>
> host=212.213.65.66
> permit=212.213.65.66
> nat=yes                        ; This phone may be natted
> canreinvite=no
> 
> [20037]
> type=peers
> context=default
> callerid=TEST <61331045>
> permit=212.213.65.66
> nat=yes                        ; This phone may be natted
> canreinvite=no
> 
> Thank you in advance.
> 
> 
> _______________________________________________
> Asterisk-Users mailing list
> Asterisk-Users@lists.digium.com
> http://lists.digium.com/mailman/listinfo/asterisk-users
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
> 
>

uhm, strange but does this work on your setup? even with permit and
deny, if a user is not matched in the conf, it is allowed access to the
default context stated in the conf. 

On Wed, 2004-04-28 at 16:12, James H. Thompson wrote:
> I think the problem is that using permit= alone does nothing.
> You need to combine it with a deny=  as in:
> 
> deny=0.0.0.0/0.0.0.0          ; deny all
> permit=123.123.123.123  ; allow only this address - netmask defaults to:
/255.255.255.255
> 
> order matters, the deny needs to come first.
> 
> for reference here is the code from acl.c that checks the rules:
> 
> int ast_apply_ha(struct ast_ha *ha, struct sockaddr_in *sin)
> {
>     /* Start optimistic */
>     int res = AST_SENSE_ALLOW;
>     while(ha) {
>         /* For each rule, if this address and the netmask = the net address
>            apply the current rule */
>         if ((sin->sin_addr.s_addr & ha->netmask.s_addr) ==
(ha->netaddr.s_addr)
>             res = ha->sense;
>         ha = ha->next;
>     }
>     return res;
> }
> 
> 
> Jim
> 
> James H. Thompson
> jht@lava.net
> 
> ----- Original Message ----- 
> From: "William Zhang" <w_w_zhang@yahoo.com>
> To: <asterisk-users@lists.digium.com>
> Sent: Tuesday, April 27, 2004 2:43 PM
> Subject: [Asterisk-Users] Security Issue in Asterisk with sip.conf
configuration.
> 
> 
> > I had tried many ways with some advanced user help, but without
> > success(at one point I thought I had it worked).
> > 
> > Here Asterisk is working as a SIP PSTN Gateway, and in the sip.conf
> > file, there are a lot of entries with just "host=a.b.c.d",
thinking
> > that * will only accept calls from host "a.b.c.d", but in my
test, no
> > mater how you set up the sip.conf entries, either * will NOT accept
> > calls for that user account at all, or it will accept calls from any
> > where without VERIFYING the source IP(whether it is
"a.b.c.d" or not),
> > so long the sip userid is the username in sip.conf. This post a very
> > serious security problem.
> > 
> > Of course we can put "secret=" for each entries, but giving
Asterisk GW
> > and SIP proxy are in 2 TRUSTED IPs, no Authentication is neccessary,
> > otherwise it increase the SIP traffic quite a bit.
> > 
> > Following are the 4 different entries that I had tried:
> > #Notice that in the "general" section, context is pointed to
a none
> > existant context "INVALID".
> > 
> > ;
> > ; SIP Configuration for Asterisk
> > ;
> > [general]
> > port = 5060                     ; Port to bind to
> > bindaddr = 212.213.66.68
> > context = INVALID               ;
> > ;srvlookup = yes                ; Enable SRV lookups on outbound calls
> > ;pedantic = yes                 ; Enable slow, pedantic checking for
> > Pingtel
> > ;tos=lowdelay
> > ;tos=184
> > ;maxexpirey=3600                ; Max length of incoming registration
> > we allow
> > ;defaultexpirey=120             ; Default length of incoming/outoing
> > registration
> > ;notifymimetype=text/plain      ; Allow overriding of mime type in
> > NOTIFY
> > ;videosupport=yes               ; Turn on support for SIP video
> > disallow=all                    ; Disallow all codecs
> > allow=ulaw                      ; Allow codecs in order of preference
> > allow=g729
> > allow=ilbc
> > ;
> > ;dtmfmode=info
> > ;dtmfmode=inband
> > dtmfmode=rfc2833
> > 
> > 
> > 
> > [20034]
> > type=friend
> > callerid=TEST <61331045>
> > host=212.213.65.66
> > nat=yes                        ; This phone may be natted
> > canreinvite=no
> > 
> > [20035]
> > type=peers
> > callerid=TEST <61331045>
> > host=212.213.65.66
> > nat=yes                        ; This phone may be natted
> > canreinvite=no
> > 
> > [20036]
> > type=friend
> > context=default
> > callerid=TEST <61331045>
> > host=212.213.65.66
> > permit=212.213.65.66
> > nat=yes                        ; This phone may be natted
> > canreinvite=no
> > 
> > [20037]
> > type=peers
> > context=default
> > callerid=TEST <61331045>
> > permit=212.213.65.66
> > nat=yes                        ; This phone may be natted
> > canreinvite=no
> > 
> > Thank you in advance.
> > 
> > 
> > _______________________________________________
> > Asterisk-Users mailing list
> > Asterisk-Users@lists.digium.com
> > http://lists.digium.com/mailman/listinfo/asterisk-users
> > To UNSUBSCRIBE or update options visit:
> >    http://lists.digium.com/mailman/listinfo/asterisk-users
> > 
> > 
> _______________________________________________
> Asterisk-Users mailing list
> Asterisk-Users@lists.digium.com
> http://lists.digium.com/mailman/listinfo/asterisk-users
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users