asterisk users - Dec 2004 - SIP SECURITY WARNING: v1-0 (cvs today) sip context in general section ignored goes to default instead - allowing unauthorized sip devices to place calls in default context

SIP SECURITY WARNING

 

Version: v1-0 (cvs today)

 

Problem:  sip context in general section ignored - goes to default -
allowing unauthorized sip devices to place calls in default context

 

Fix [workaround]:

 

Remove or rename "default" context in extensions.conf 

 

Notes:

 

I am not sure what other asterisk functionality may be affected by this
- review your other config files for references to the "default"
context.  Test your configurations to ensure calls are landing in the
correct context.  I suggest removing "default" and creating others
like
sip-default which include demo and then testing from a sip channel to
make sure you still hit the demo from a registered device but, not from
unregistered devices.  Repeat for other channels as necessary.

 

Detail:

 

I have been working with asterisk for a while now but, had never
tested/noticed this scenario - I had always created device entries in
sip.conf for any devices I tested so I never ran into this.  Today on a
new config the phone came up before I had put anything in sip.conf and I
thought - let's see what happens if we try to call someone - and it
WORKED which was the least expected behavior.

 

I am using a cisco 7960 with SIP firmware v6.3 (dosen't really matter
any sip phone will do this) With a bare asterisk build and setup of v1-0
(pulled from cvs today) on FC3 minimal + asterisk requirements + up2date
and the configs (sip, extensions) below.

 

Without placing any peer,friend,user entries in sip.conf for the phone
device/extension, I am able to make calls through the "default"
context.
In the below example dialing "500" from a sip phone will execute the
inter asterisk connection test (IAX) to digium even though the context
defined in the general section of sip.conf is "sip-unauthorized" which
should play congestion and hang up (as was suggested in "Getting started
with asterisk").

 

Removing or renaming the "default" context in extensions.conf appears
to
resolve this issue - congestion is played.  However, adding a real
extension such as 900 and mapping it to something like voicemail shows
that the context sip-unauthorized is not being used - also the following
error is logged on the console (verbose = 7) which hints to this as well
- and explains why congestion was played.  Instead of looking for
sip-unauthorized as expected it looked for the missing default and then
played congestion when default was not found.

 

Dec  3 20:26:42 NOTICE[15447]: pbx.c:1318 pbx_extension_helper:  Cannot
find extension context 'default'

 

 

 

Sip.conf

[general]

contex=sip-unauthorized

port=5060

bindaddr=0.0.0.0

localnet=172.16.0.0/255.255.255.0

 

<eof>

 

Extensions.conf

[general]

static=yes

writeprotect=no

 

[globals]

;CONSOLE=Console/dsp                     ; Console interface for demo

IAXINFO=guest                            ; IAXtel username/password

;TRUNK=Zap/g2                            ; Trunk interface

;TRUNKMSD=1                              ; MSD digits to strip (usually
1 or 0)

 

[macro-stdexten];

;

; Standard extension macro:

;   ${ARG1} - Extension  (we could have used ${MACRO_EXTEN} here as well

;   ${ARG2} - Device(s) to ring

;

exten => s,1,Dial(${ARG2},20)                                 ; Ring the
interface, 20 seconds maximum

exten => s,2,Goto(s-${DIALSTATUS},1)                          ; Jump
based on status (NOANSWER,BUSY,CHANUNAVAIL,CONGESTION,ANSWER)

 

exten => s-NOANSWER,1,Voicemail(u${ARG1})              ; If unavailable,
send to voicemail w/ unavail announce

exten => s-NOANSWER,2,Goto(default,s,1)                ; If they press
#, return to start

 

exten => s-BUSY,1,Voicemail(b${ARG1})                  ; If busy, send
to voicemail w/ busy announce

exten => s-BUSY,2,Goto(default,s,1)                           ; If they
press #, return to start

 

exten => _s-.,1,Goto(s-NOANSWER,1)                     ; Treat anything
else as no answer

 

exten => a,1,VoicemailMain(${ARG1})                           ; If they
press *, send the user into VoicemailMain

 

[default]

exten => 500,1,Playback(demo-abouttotry); Let them know what's going on

exten => 500,2,Dial(IAX2/guest@misery.digium.com/s@default)   ; Call the
Asterisk demo

exten => 500,3,Playback(demo-nogo) ; Couldn't connect to the demo site

exten => 500,4,Goto(s,6)          ; Return to the start over message.

 

[sip-unauthorized]

;An important point here, if you do not have a sip aware 

;firewall and are just using port forwarding then ensure 

;that your context points to somewhere like invalidcalls. 

;If you do not do this then someone could call one of your 

;extensions direct from the Internet. If you had an FXO card 

;in the machine, this could lead to them being able to make PSTN calls!!

;[from http://www.automated.it/guidetoasterisk.htm#_Toc49248767]

 

exten => s,1,Answer

exten => s,2,Playtones(congestion)

exten => s,3,Congestion

 

exten => 900,1,VoicemailMain

exten => 900,2,Hangup

 

<eof>

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://lists.digium.com/pipermail/asterisk-users/attachments/20041203/831f7afd/attachment.htm

It's known that YOU DO this:

sip.conf you do 
[general]
context=from-sip

extensions.conf:
[from-sip]
exten => s,1,Congestion

This is a config issue.  Not really a security issue.

bkw

> -----Original Message-----
> From: asterisk-users-bounces@lists.digium.com [mailto:asterisk-users-
> bounces@lists.digium.com] On Behalf Of Andy Reinke
> Sent: Friday, December 03, 2004 6:48 PM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Cc: support@voiceeclipse.com; asterisk-dev@lists.digium.com
> Subject: [Asterisk-Users] SIP SECURITY WARNING: v1-0 (cvs today) sip
> contextin general section ignored goes to default instead -
> allowingunauthorized sip devices to place calls in default context
> 
> SIP SECURITY WARNING
> 
> 
> 
> Version: v1-0 (cvs today)
> 
> 
> 
> Problem:  sip context in general section ignored - goes to default -
> allowing unauthorized sip devices to place calls in default context
> 
> 
> 
> Fix [workaround]:
> 
> 
> 
> Remove or rename "default" context in extensions.conf
> 
> 
> 
> Notes:
> 
> 
> 
> I am not sure what other asterisk functionality may be affected by this -
> review your other config files for references to the "default"
context.
> Test your configurations to ensure calls are landing in the correct
> context.  I suggest removing "default" and creating others like
sip-
> default which include demo and then testing from a sip channel to make
> sure you still hit the demo from a registered device but, not from
> unregistered devices.  Repeat for other channels as necessary.
> 
> 
> 
> Detail:
> 
> 
> 
> I have been working with asterisk for a while now but, had never
> tested/noticed this scenario - I had always created device entries in
> sip.conf for any devices I tested so I never ran into this.  Today on a
> new config the phone came up before I had put anything in sip.conf and I
> thought - let's see what happens if we try to call someone - and it
WORKED
> which was the least expected behavior.
> 
> 
> 
> I am using a cisco 7960 with SIP firmware v6.3 (dosen't really matter
any
> sip phone will do this) With a bare asterisk build and setup of v1-0
> (pulled from cvs today) on FC3 minimal + asterisk requirements + up2date
> and the configs (sip, extensions) below.
> 
> 
> 
> Without placing any peer,friend,user entries in sip.conf for the phone
> device/extension, I am able to make calls through the "default"
context.
> In the below example dialing "500" from a sip phone will execute
the inter
> asterisk connection test (IAX) to digium even though the context defined
> in the general section of sip.conf is "sip-unauthorized" which
should play
> congestion and hang up (as was suggested in "Getting started with
> asterisk").
> 
> 
> 
> Removing or renaming the "default" context in extensions.conf
appears to
> resolve this issue - congestion is played.  However, adding a real
> extension such as 900 and mapping it to something like voicemail shows
> that the context sip-unauthorized is not being used - also the following
> error is logged on the console (verbose = 7) which hints to this as well -
> and explains why congestion was played.  Instead of looking for sip-
> unauthorized as expected it looked for the missing default and then played
> congestion when default was not found.
> 
> 
> 
> Dec  3 20:26:42 NOTICE[15447]: pbx.c:1318 pbx_extension_helper:  Cannot
> find extension context 'default'
> 
> 
> 
> 
> 
> 
> 
> Sip.conf
> 
> [general]
> 
> contex=sip-unauthorized
> 
> port=5060
> 
> bindaddr=0.0.0.0
> 
> localnet=172.16.0.0/255.255.255.0
> 
> 
> 
> <eof>
> 
> 
> 
> Extensions.conf
> 
> [general]
> 
> static=yes
> 
> writeprotect=no
> 
> 
> 
> [globals]
> 
> ;CONSOLE=Console/dsp                     ; Console interface for demo
> 
> IAXINFO=guest                            ; IAXtel username/password
> 
> ;TRUNK=Zap/g2                            ; Trunk interface
> 
> ;TRUNKMSD=1                              ; MSD digits to strip (usually 1
> or 0)
> 
> 
> 
> [macro-stdexten];
> 
> ;
> 
> ; Standard extension macro:
> 
> ;   ${ARG1} - Extension  (we could have used ${MACRO_EXTEN} here as well
> 
> ;   ${ARG2} - Device(s) to ring
> 
> ;
> 
> exten => s,1,Dial(${ARG2},20)                                 ; Ring the
> interface, 20 seconds maximum
> 
> exten => s,2,Goto(s-${DIALSTATUS},1)                          ; Jump
based
> on status (NOANSWER,BUSY,CHANUNAVAIL,CONGESTION,ANSWER)
> 
> 
> 
> exten => s-NOANSWER,1,Voicemail(u${ARG1})              ; If unavailable,
> send to voicemail w/ unavail announce
> 
> exten => s-NOANSWER,2,Goto(default,s,1)                ; If they press
#,
> return to start
> 
> 
> 
> exten => s-BUSY,1,Voicemail(b${ARG1})                  ; If busy, send
to
> voicemail w/ busy announce
> 
> exten => s-BUSY,2,Goto(default,s,1)                           ; If they
> press #, return to start
> 
> 
> 
> exten => _s-.,1,Goto(s-NOANSWER,1)                     ; Treat anything
> else as no answer
> 
> 
> 
> exten => a,1,VoicemailMain(${ARG1})                           ; If they
> press *, send the user into VoicemailMain
> 
> 
> 
> [default]
> 
> exten => 500,1,Playback(demo-abouttotry); Let them know what's going
on
> 
> exten => 500,2,Dial(IAX2/guest@misery.digium.com/s@default)   ; Call the
> Asterisk demo
> 
> exten => 500,3,Playback(demo-nogo) ; Couldn't connect to the demo
site
> 
> exten => 500,4,Goto(s,6)          ; Return to the start over message.
> 
> 
> 
> [sip-unauthorized]
> 
> ;An important point here, if you do not have a sip aware
> 
> ;firewall and are just using port forwarding then ensure
> 
> ;that your context points to somewhere like invalidcalls.
> 
> ;If you do not do this then someone could call one of your
> 
> ;extensions direct from the Internet. If you had an FXO card
> 
> ;in the machine, this could lead to them being able to make PSTN calls!!
> 
> ;[from http://www.automated.it/guidetoasterisk.htm#_Toc49248767]
> 
> 
> 
> exten => s,1,Answer
> 
> exten => s,2,Playtones(congestion)
> 
> exten => s,3,Congestion
> 
> 
> 
> exten => 900,1,VoicemailMain
> 
> exten => 900,2,Hangup
> 
> 
> 
> <eof>
> 
>

On Sat, 2004-12-04 at 00:47, Andy Reinke wrote:
> SIP SECURITY WARNING
> 
>  
> 
> Version: v1-0 (cvs today)
> 
>  
> 
> Problem:  sip context in general section ignored - goes to default -
> allowing unauthorized sip devices to place calls in default context
> 
>  
> 
> Fix [workaround]:
[CUT]

Why use the default context in the first place ?

default is never good to start of, it's good for fallback, but not for
having all you routing stuff in it.

That would be common knowledge/good sense behaviour.

Sl?n leat,
Martin List-Petersen
Dublin, Eire 
(contact info on --> http://www.marlow.dk/)

On December 3, 2004 07:47 pm, Andy Reinke wrote:
> SIP SECURITY WARNING
Not only are you overdramatic but you're also posting in HTML.

Please, please PLEASE remove your head from your ass, READ THE DOCUMENTATION 
and UNDERSTAND it before you decide you're the next best Asterisk security 
consultant.

You say you've been using asterisk for a while now -- which means that you 
should know better than to 

1) post HTML to this list
2) post a security alert without ASKING if this is the intended behaviour

and, at least in my mind,

3) had a basic understanding of how Asterisk routes incoming call requests to 
contexts.

I mean come on -- Did the thrill of being the first with a 0day exploit for 
Asterisk overrule your common sense?

-A.

On Sat, 2004-12-04 at 00:47, Andy Reinke wrote:
> SIP SECURITY WARNING
> 
> Version: v1-0 (cvs today)
> 
> Problem:  sip context in general section ignored - goes to default -
> allowing unauthorized sip devices to place calls in default context
>
[CUT]
>
> Sip.conf
> [general]
> contex=sip-unauthorized
> port=5060
> bindaddr=0.0.0.0
> localnet=172.16.0.0/255.255.255.0
> <eof>
And by the way: if you spell "context" the way you do (check above) it
of course will get ignored.

Sl?n leat,
Martin List-Petersen
Dublin, Eire 
(contact info on --> http://www.marlow.dk/)

Andy Reinke wrote:
> SIP SECURITY WARNING
> 
> 
> [general]
> 
> contex=sip-unauthorized
> 
If you spell this right, all calls from unknown SIP devices will be sent to the
context you set here. If you do not set a context in the general section of
sip.conf, "default" will be used.

This is the way you configure how to receive calls from unknown users, not
really a security hole. Everything you define in the [general] context= context
will be rechable by anyone.

/Olle