Andy Reinke
2004-Dec-03 17:47 UTC
[Asterisk-Users] SIP SECURITY WARNING: v1-0 (cvs today) sip context in general section ignored goes to default instead - allowing unauthorized sip devices to place calls in default context
SIP SECURITY WARNING

Version: v1-0 (cvs today)

Problem: sip context in general section ignored - goes to default - allowing unauthorized sip devices to place calls in default context

Fix [workaround]: Remove or rename "default" context in extensions.conf

Notes: I am not sure what other asterisk functionality may be affected by this - review your other config files for references to the "default" context. Test your configurations to ensure calls are landing in the correct context. I suggest removing "default" and creating others like sip-default which include demo and then testing from a sip channel to make sure you still hit the demo from a registered device but not from unregistered devices. Repeat for other channels as necessary.

Detail: I have been working with asterisk for a while now but had never tested/noticed this scenario - I had always created device entries in sip.conf for any devices I tested so I never ran into this. Today on a new config the phone came up before I had put anything in sip.conf and I thought - let's see what happens if we try to call someone - and it WORKED, which was the least expected behavior.

I am using a cisco 7960 with SIP firmware v6.3 (doesn't really matter, any sip phone will do this) with a bare asterisk build and setup of v1-0 (pulled from cvs today) on FC3 minimal + asterisk requirements + up2date and the configs (sip, extensions) below.

Without placing any peer, friend, user entries in sip.conf for the phone device/extension, I am able to make calls through the "default" context. In the below example dialing "500" from a sip phone will execute the inter asterisk connection test (IAX) to digium even though the context defined in the general section of sip.conf is "sip-unauthorized" which should play congestion and hang up (as was suggested in "Getting started with asterisk").

Removing or renaming the "default" context in extensions.conf appears to resolve this issue - congestion is played. However, adding a real extension such as 900 and mapping it to something like voicemail shows that the context sip-unauthorized is not being used - also the following error is logged on the console (verbose = 7) which hints to this as well - and explains why congestion was played. Instead of looking for sip-unauthorized as expected it looked for the missing default and then played congestion when default was not found.

Dec 3 20:26:42 NOTICE[15447]: pbx.c:1318 pbx_extension_helper: Cannot find extension context 'default'

Sip.conf

[general]
contex=sip-unauthorized
port=5060
bindaddr=0.0.0.0
localnet=172.16.0.0/255.255.255.0

<eof>

Extensions.conf

[general]
static=yes
writeprotect=no

[globals]
;CONSOLE=Console/dsp ; Console interface for demo
IAXINFO=guest ; IAXtel username/password
;TRUNK=Zap/g2 ; Trunk interface
;TRUNKMSD=1 ; MSD digits to strip (usually 1 or 0)

[macro-stdexten];
;
; Standard extension macro:
; ${ARG1} - Extension (we could have used ${MACRO_EXTEN} here as well
; ${ARG2} - Device(s) to ring
;
exten => s,1,Dial(${ARG2},20) ; Ring the interface, 20 seconds maximum
exten => s,2,Goto(s-${DIALSTATUS},1) ; Jump based on status (NOANSWER,BUSY,CHANUNAVAIL,CONGESTION,ANSWER)

exten => s-NOANSWER,1,Voicemail(u${ARG1}) ; If unavailable, send to voicemail w/ unavail announce
exten => s-NOANSWER,2,Goto(default,s,1) ; If they press #, return to start

exten => s-BUSY,1,Voicemail(b${ARG1}) ; If busy, send to voicemail w/ busy announce
exten => s-BUSY,2,Goto(default,s,1) ; If they press #, return to start

exten => _s-.,1,Goto(s-NOANSWER,1) ; Treat anything else as no answer

exten => a,1,VoicemailMain(${ARG1}) ; If they press *, send the user into VoicemailMain

[default]
exten => 500,1,Playback(demo-abouttotry); Let them know what's going on
exten => 500,2,Dial(IAX2/guest@misery.digium.com/s@default) ; Call the Asterisk demo
exten => 500,3,Playback(demo-nogo) ; Couldn't connect to the demo site
exten => 500,4,Goto(s,6) ; Return to the start over message.

[sip-unauthorized]
;An important point here, if you do not have a sip aware
;firewall and are just using port forwarding then ensure
;that your context points to somewhere like invalidcalls.
;If you do not do this then someone could call one of your
;extensions direct from the Internet. If you had an FXO card
;in the machine, this could lead to them being able to make PSTN calls!!
;[from http://www.automated.it/guidetoasterisk.htm#_Toc49248767]

exten => s,1,Answer
exten => s,2,Playtones(congestion)
exten => s,3,Congestion

exten => 900,1,VoicemailMain
exten => 900,2,Hangup

<eof>
Brian West
2004-Dec-03 18:02 UTC
[Asterisk-Users] SIP SECURITY WARNING: v1-0 (cvs today) sip context in general section ignored goes to default instead - allowing unauthorized sip devices to place calls in default context
It's known that YOU DO this:

sip.conf you do

[general]
context=from-sip

extensions.conf:

[from-sip]
exten => s,1,Congestion

This is a config issue. Not really a security issue.

bkw

> -----Original Message-----
> From: asterisk-users-bounces@lists.digium.com [mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of Andy Reinke
> Sent: Friday, December 03, 2004 6:48 PM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Cc: support@voiceeclipse.com; asterisk-dev@lists.digium.com
> Subject: [Asterisk-Users] SIP SECURITY WARNING: v1-0 (cvs today) sip context in general section ignored goes to default instead - allowing unauthorized sip devices to place calls in default context
>
> SIP SECURITY WARNING
> [...]
Martin List-Petersen
2004-Dec-03 18:13 UTC
[Asterisk-Users] SIP SECURITY WARNING: v1-0 (cvs today) sip context in general section ignored goes to default instead - allowing unauthorized sip devices to place calls in default context
On Sat, 2004-12-04 at 00:47, Andy Reinke wrote:
> SIP SECURITY WARNING
>
> Version: v1-0 (cvs today)
>
> Problem: sip context in general section ignored - goes to default - allowing unauthorized sip devices to place calls in default context
>
> Fix [workaround]:
[CUT]

Why use the default context in the first place? default is never good to start off with, it's good for fallback, but not for having all your routing stuff in it. That would be common knowledge/good sense behaviour.

Slán leat,
Martin List-Petersen
Dublin, Eire (contact info on --> http://www.marlow.dk/)
Andrew Kohlsmith
2004-Dec-03 18:15 UTC
FALSE ALARM Re: [Asterisk-Users] SIP SECURITY WARNING: v1-0 (cvs today) sip context in general section ignored goes to default instead - allowing unauthorized sip devices to place calls in default context
On December 3, 2004 07:47 pm, Andy Reinke wrote:
> SIP SECURITY WARNING

Not only are you overdramatic but you're also posting in HTML. Please, please PLEASE remove your head from your ass, READ THE DOCUMENTATION and UNDERSTAND it before you decide you're the next best Asterisk security consultant. You say you've been using asterisk for a while now -- which means that you should know better than to 1) post HTML to this list, 2) post a security alert without ASKING if this is the intended behaviour and, at least in my mind, 3) have a basic understanding of how Asterisk routes incoming call requests to contexts. I mean come on -- Did the thrill of being the first with a 0day exploit for Asterisk overrule your common sense?

-A.
Martin List-Petersen
2004-Dec-03 18:58 UTC
[Asterisk-Users] SIP SECURITY WARNING: v1-0 (cvs today) sip context in general section ignored goes to default instead - allowing unauthorized sip devices to place calls in default context
On Sat, 2004-12-04 at 00:47, Andy Reinke wrote:
> SIP SECURITY WARNING
>
> Version: v1-0 (cvs today)
>
> Problem: sip context in general section ignored - goes to default - allowing unauthorized sip devices to place calls in default context
>
[CUT]
>
> Sip.conf
> [general]
> contex=sip-unauthorized
> port=5060
> bindaddr=0.0.0.0
> localnet=172.16.0.0/255.255.255.0
> <eof>

And by the way: if you spell "context" the way you do (check above) it of course will get ignored.

Slán leat,
Martin List-Petersen
Dublin, Eire (contact info on --> http://www.marlow.dk/)
Olle E. Johansson
2004-Dec-06 02:11 UTC
[Asterisk-Users] Re: [Asterisk-Dev] SIP SECURITY WARNING: v1-0 (cvs today) sip context in general section ignored goes to default instead - allowing unauthorized sip devices to place calls in default context
Andy Reinke wrote:
> SIP SECURITY WARNING
>
> [general]
> contex=sip-unauthorized
>

If you spell this right, all calls from unknown SIP devices will be sent to the context you set here. If you do not set a context in the general section of sip.conf, "default" will be used. This is the way you configure how to receive calls from unknown users, not really a security hole. Everything you define in the [general] context= context will be reachable by anyone.

/Olle
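The behaviour the thread converges on (unknown SIP callers land in the [general] context= of sip.conf, or in "default" when that key is absent, and a misspelled key is simply ignored) is easy to check for mechanically before a box goes live. The following Python lint is an added example, not Asterisk code and not from any poster: it parses sip.conf and extensions.conf with a minimal Asterisk-style reader, works out which context unauthenticated SIP callers will hit, follows include => lines from there, and reports every extension that reaches Dial(). The two sample configs are constructed, modelled on the ones in the thread; the near-miss spelling check using difflib is this example's own heuristic, not something Asterisk itself performs.

```python
"""Lint Asterisk sip.conf / extensions.conf for the unknown-caller context problem
discussed in the thread. Added example; the sample configs below are constructed."""
import difflib
import re
from typing import Dict, List, Set, Tuple

Sections = Dict[str, List[Tuple[str, str]]]
SECTION_RE = re.compile(r"^\[([^\]]+)\]")


def parse_asterisk_conf(text: str) -> Sections:
    """Parse an Asterisk-style config into {section: [(key, value), ...]}.
    ';' starts a comment; both 'key=value' and 'key => value' lines are accepted."""
    sections: Sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            continue  # key before any [section]; Asterisk would reject this too
        sep = "=>" if "=>" in line else "="
        key, _, value = line.partition(sep)
        sections[current].append((key.strip(), value.strip()))
    return sections


def unknown_caller_context(sip: Sections) -> Tuple[str, List[str]]:
    """Context used for SIP calls that match no peer/user, plus lint findings.
    Mirrors the thread: no 'context=' in [general] means 'default'; an unknown
    key such as 'contex=' is silently ignored by Asterisk."""
    findings: List[str] = []
    general = dict(sip.get("general", []))
    if "context" in general:
        return general["context"], findings
    for key in general:
        # Heuristic of this example (assumption): flag keys that look like typos.
        if difflib.get_close_matches(key, ["context"], cutoff=0.8):
            findings.append(f"sip.conf [general]: '{key}=' is not a valid key, did you mean 'context='? It is ignored.")
    findings.append("sip.conf [general]: no 'context=' set, so unknown SIP callers land in 'default'.")
    return "default", findings


def reachable_contexts(ext: Sections, start: str) -> Set[str]:
    """All contexts reachable from 'start' by following 'include =>' lines."""
    seen: Set[str] = set()
    stack = [start]
    while stack:
        ctx = stack.pop()
        if ctx in seen or ctx not in ext:
            continue
        seen.add(ctx)
        stack.extend(v for k, v in ext[ctx] if k == "include")
    return seen


def dial_steps_for_unknown_callers(ext: Sections, ctx: str) -> List[Tuple[str, str]]:
    """(context, extension) pairs where a caller in 'ctx' can reach a Dial() step."""
    hits: List[Tuple[str, str]] = []
    for c in sorted(reachable_contexts(ext, ctx)):
        for key, value in ext[c]:
            if key != "exten":
                continue
            parts = value.split(",", 2)  # exten, priority, application(args)
            if len(parts) == 3 and parts[2].split("(")[0].strip().lower() == "dial":
                hits.append((c, parts[0].strip()))
    return hits


def lint(sip_text: str, ext_text: str) -> Tuple[str, List[str]]:
    """Return (context for unknown SIP callers, list of findings)."""
    sip = parse_asterisk_conf(sip_text)
    ext = parse_asterisk_conf(ext_text)
    ctx, findings = unknown_caller_context(sip)
    if ctx not in ext:
        findings.append(f"extensions.conf: context '{ctx}' does not exist; unknown callers get congestion.")
    for c, exten in dial_steps_for_unknown_callers(ext, ctx):
        findings.append(f"extensions.conf [{c}]: extension {exten} lets unauthenticated SIP callers Dial().")
    return ctx, findings


# Constructed sample configs, modelled on the ones posted in the thread.
SIP_MISSPELLED = """[general]
contex=sip-unauthorized
port=5060
bindaddr=0.0.0.0
"""
SIP_FIXED = SIP_MISSPELLED.replace("contex=", "context=")
EXTENSIONS = """[default]
exten => 500,1,Playback(demo-abouttotry) ; Let them know what's going on
exten => 500,2,Dial(IAX2/guest@misery.digium.com/s@default) ; Call the demo
exten => 500,3,Playback(demo-nogo)

[sip-unauthorized]
exten => s,1,Answer
exten => s,2,Playtones(congestion)
exten => s,3,Congestion
"""

if __name__ == "__main__":
    for label, sip_text in (("misspelled", SIP_MISSPELLED), ("fixed", SIP_FIXED)):
        ctx, findings = lint(sip_text, EXTENSIONS)
        print(f"{label}: unknown SIP callers -> [{ctx}]")
        for f in findings:
            print("  -", f)
```

Run against the misspelled config the lint reports the ignored key, the fall-through to "default", and that extension 500 in [default] reaches Dial(); with context= spelled correctly it reports nothing, because [sip-unauthorized] only answers, plays tones and hangs up.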