Asterisk, SIP responses permit username identification

Author: francesco.tornieri "At" verona-wireless.net
Summary: SIP responses permit user identification
Release Date: 16/04/2011
Criticality level: Low
Impact: Information leak

Software:
Asterisk 1.4.x (tested 1.4.40)
Asterisk 1.6.x (tested 1.6.2.17.2)
Asterisk 1.8.x isn't affected (tested 1.8.3.2)

Description:
It's possible to enumerate valid SIP usernames by using the INVITE request method instead of the REGISTER method (a similar problem was fixed by Digium in 2009 and is described in this document: http://downloads.asterisk.org/pub/security/AST-2009-003.html).

Example:

PBX Asterisk:

----------
sip.conf
----------
[general]
context=outgoing
port=5060
bindaddr=192.168.1.1
realm=asterisk
allowguest=no
alwaysauthreject=yes    <----

[template](!)
type=friend
canreinvite=no
host=dynamic
qualify=1000
disallow=all
allow=g729

[100](template)
callerid=phone100<100>
username=100
secret=password

[500](template)
callerid=phone200<500>
username=500
secret=password

----------------
Method: REGISTER
----------------
Valid and Invalid user:
Response: Timed out

----------------
Method: INVITE
----------------
Invalid user:
Response: 'SIP/2.0 407 Proxy Authentication Required\r\nVia: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK-2943238028;received=192.168.1.250;rport=63772\r\nFrom: "101"; tag=3130310132353237333535383832\r\nTo: "101";tag=as7e9ffcb3\r\nCall-ID: 777784064\r\nCSeq: 1 INVITE\r\nUser-Agent: Asterisk PBX\r\nAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO\r\nSupported: replaces\r\nProxy-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="256bdf28"\r\nContent-Length: 0\r\n\r\n'
WARNING:root:found nothing

Valid user:
Method: INVITE
Response: nothing

Francesco Tornieri
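
A defender-side check for the pattern this advisory describes, as an added example that is not part of the original advisory: it scans captured SIP traffic for a peer that sends INVITEs to many distinct users in a short window and counts how many were answered with 407 and how many got no reply. The `scan` function, its thresholds and the capture tuple format are assumptions, and the sample messages are constructed.

```python
import re
from collections import defaultdict

REQ = re.compile(r"^INVITE sip:([^@;\s]+)@")
STATUS = re.compile(r"^SIP/2\.0 (\d{3}) ")
CALL_ID = re.compile(r"^Call-ID:\s*(\S+)", re.M | re.I)

def scan(capture, min_users=5, window=60):
    """Flag peers that INVITE >= min_users distinct users within `window` seconds.
    capture: (epoch_seconds, peer_ip, raw_sip_message) tuples, requests and PBX replies mixed."""
    invites = defaultdict(list)   # peer -> [(ts, user, call_id)]
    replies = {}                  # call_id -> status code sent by the PBX (100 Trying ignored)
    for ts, peer, raw in capture:
        cid = CALL_ID.search(raw)
        if not cid:
            continue
        req, status = REQ.match(raw), STATUS.match(raw)
        if req:
            invites[peer].append((ts, req.group(1), cid.group(1)))
        elif status and status.group(1) != "100":
            replies[cid.group(1)] = int(status.group(1))
    flagged = {}
    for peer, rows in invites.items():
        rows.sort()
        for start_ts, _, _ in rows:
            burst = [r for r in rows if start_ts <= r[0] < start_ts + window]
            users = {user for _, user, _ in burst}
            if len(users) >= min_users:
                codes = [replies.get(cid) for _, _, cid in burst]
                # Unanswered INVITEs next to 407s are the response difference
                # the advisory describes.
                flagged[peer] = {"users": len(users),
                                 "rejected_407": codes.count(407),
                                 "unanswered": codes.count(None)}
                break
    return flagged

# Constructed sample capture: addresses, users and Call-IDs are made up.
def _msg(start_line, cid):
    return f"{start_line}\r\nCall-ID: {cid}\r\nCSeq: 1 INVITE\r\n\r\n"

SAMPLE = [(1003, "192.168.1.77", _msg("INVITE sip:100@192.168.1.1 SIP/2.0", "x1"))]
for i, user in enumerate(["100", "101", "102", "103", "500", "501"]):
    SAMPLE.append((1000 + i, "192.168.1.250",
                   _msg(f"INVITE sip:{user}@192.168.1.1 SIP/2.0", f"c{i}")))
    if user not in ("100", "500"):   # the PBX sends nothing back for these two
        SAMPLE.append((1000 + i, "192.168.1.250",
                       _msg("SIP/2.0 407 Proxy Authentication Required", f"c{i}")))
```

`scan(SAMPLE)` flags only 192.168.1.250; a flagged peer with both `rejected_407` and `unanswered` above zero means the PBX is answering INVITEs differently per user.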