Re: [Asterisk-Users] Asterisk security problem: authorized SIP users can fake any callerid!

Sun, 13 Mar 2005 22:07:18 -0800 



Peter Bowyer wrote:

On Mon, 14 Mar 2005 00:27:12 -0500, Andres <[EMAIL PROTECTED]> wrote:


Deti Fliegl wrote:



Hi there,

all that started by investigating what happens if SIP clients are
calling anonymously.
The problem: Every client who is registered as a regular user with
username and secret can fake any callerid in subsequent INVITEs.
Asterisk does not apply an accountcode or callerid from sip.conf.
Those calls end up unbilled and untraceable.


I just tested this.  You are totally right.

Simple way to reproduce this with a Sipura:
1.  Have the unit register with your Asterisk provider.
2.  Then under the advanced settings change Register to "No" and Make
Calls Without Register to "Yes"
3.  Change your username.
4.  Make a call and see how it does not show up under your cdrs!

I would consider this a major problem.  Anyone depending on this might
want to open up a bug report.




They might also want to read higher up in this thread, where advice
was given as to how to configure round this behaviour. Land
unauthenticated SIP calls in a context with limited or no access.
Asterisk allows you to do exactly what you want.


You might want to try the steps provided above yourself Peter. Because even if we have a context that leads to never never land at the top of sip.conf, I am still able to make free calls. A "sip debug" clearly shows how Asterisk matches the call to the existing sip.conf entry yet the modified username/password has nothing to do with any sip.conf entries.
---------------
[general]
port = 5060 ; Port to bind to
bindaddr = 0.0.0.0 ; Address to bind to
context = nocalls ; Default for incoming calls of not registered phones
---------------

The trick is to make the call while Asterisk **still** thinks your IP/port is from a valid register user. (and make sure your phone does not try to register again after you make the username change)

Many people use this behavour to accept unsolicited SIP calls and
direct them to an IVR or a specified extension, for example. But you
probably wouldn't allow them to make toll calls.

Peter




--
Andres
Network Admin
http://www.telesip.net


_______________________________________________
Asterisk-Users mailing list
[email protected]
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users

Reply via email to