Home / vulnerabilities Asterisk 1.4.x / 1.6.x Username Enumeration
Posted on 17 April 2011
Source : packetstormsecurity.org Link
Asterisk, sip response permit username identification
Author: francesco.tornieri "At" verona-wireless.net
Summary: Sip responses permit user identification
Release Date: 16/04/2011
Criticality level: Low
Impact: Information leak
Software: Asterisk 1.4.x (tested 1.4.40)
Asterisk 1.6.x (tested 1.6.2.17.2)
Asterisk 1.8.x isn't affected (tested 1.8.3.2)
Description:
It's possible to enumerate valide sip username through use INVITE request method instead of REGISTER method (a similar problem has been fixed by Digium in 2009 and has been described in this document http://downloads.asterisk.org/pub/security/AST-2009-003.html)
Example:
PBX Asterisk:
----------
sip.conf
----------
[general]
context=outgoing
port=5060
bindaddr=192.168.1.1
realm=asterisk
allowguest=no
alwaysauthreject=yes <----
[template](!)
type=friend
canreinvite=no
host=dynamic
qualify=1000
disallow=all
allow=g729
[100](template)
callerid=phone100<100>
username=100
secret=password
[500](template)
callerid=phone200<500>
username=500
secret=password
----------------
Method: REGISTER
----------------
Valid and Invalid user:
Response: Timed out
----------------
Method: INVITE
----------------
Invalid user:
Response: 'SIP/2.0 407 Proxy Authentication Required
Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK-2943238028;received=192.168.1.250;rport=63772
From: "101"<sip:101@192.168.1.1>; tag=3130310132353237333535383832
To: "101"<sip:101@192.168.1.1>;tag=as7e9ffcb3
Call-ID: 777784064
CSeq: 1 INVITE
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
Supported: replaces
Proxy-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="256bdf28"
Content-Length: 0
'
WARNING:root:found nothing
Valid user:
Mehod; INVITE
Response: nothing
Francesco Tornieri
