
Summary: ASTERISK-28589: chan_sip: Depending on configuration an INVITE can alter Addr of a peer
Reporter: Andrey V. T. (avt1203)
Labels: security
Date Opened: 2019-10-17 09:00:26
Date Closed: 2019-11-21 11:41:51.000-0600
Priority: Blocker
Regression?: No
Status: Closed/Complete
Components: Channels/chan_sip/General
Versions: 13.29.1 16.6.1
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
( 0) AST-2019-006.pdf
( 1) sip_invite
( 2) sip.conf
Description:
Hi.

Issue summary:
A remote attacker can overwrite a legitimate SIP peer's IP address/port (Addr->IP) by sending an unauthorized INVITE request.
This can be used to make the peer unreachable or possibly take control of incoming calls to the affected peer.
Only knowledge of the peer name is required.

Issue checked against the git master version of Asterisk (GIT-master-5ca9efd).
All other versions of Asterisk accessible to me (13.x) are also affected.
No configuration option known to me has any effect on the issue.

Steps taken to reproduce:
In my test case Asterisk listens for UDP on 172.16.2.77:5062.
Test peers registered from the same host (172.16.2.77).
Crafted INVITE sent from 192.168.2.1.

*) Compile Asterisk with:
./configure --with-jansson-bundled --prefix=/opt/asterisk/
make
make install

*) Install example configs: make samples

*) Allow load of chan_sip in modules.conf
noload => chan_sip.so  => ;noload => chan_sip.so

*) Replace the example configuration files with the attached configuration files.
2 SIP peers defined in sip.conf (101 & 102)
1 context defined in extensions.conf

*) Send the crafted UDP packet to Asterisk. The file with the crafted request is attached (sip_invite).
netcat -u 172.16.2.77 5062 < sip

*) Make a call to the affected test peer from the second test peer.

Resulting communication dump attached (pcap).

As a result:
The INVITE to affected peer 101 is placed by Asterisk to the attacker-controlled endpoint (192.168.2.1:x)

Sorry for my English. Not my native language.
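
One way to detect the outcome described above from a capture taken on the Asterisk host, as an added example that is not part of the original report or of Asterisk's code: it flags any INVITE that Asterisk sends for a peer to an address other than the source of that peer's last REGISTER answered with 200 OK. It assumes peers register dynamically and that Asterisk contacts a peer at the source address of its REGISTER; the function names, ports and Call-IDs are constructed for illustration.

```python
import re

SERVER = "172.16.2.77:5062"  # Asterisk listen address taken from the report

def parse(raw):
    """Split one raw SIP message into (start line, lower-cased header dict)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    hdrs = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    return lines[0], hdrs

def sip_user(text):
    """User part of the first sip:/sips: URI in text, or None."""
    m = re.search(r"sips?:([^@;>\s]+)@", text)
    return m.group(1) if m else None

def misrouted_invites(packets, server=SERVER):
    """packets: (src, dst, raw) in capture order. Returns (peer, registered_addr,
    invite_dst) for each server INVITE not sent to the peer's registered address."""
    pending, bindings, alerts = {}, {}, []
    for src, dst, raw in packets:
        start, h = parse(raw)
        cid, cseq = h.get("call-id"), h.get("cseq", "")
        if start.startswith("REGISTER ") and dst == server:
            pending[cid] = (sip_user(h.get("to", "")), src)
        elif (start.startswith("SIP/2.0 200") and src == server
              and cseq.endswith("REGISTER") and cid in pending):
            peer, addr = pending.pop(cid)
            bindings[peer] = addr  # only a REGISTER answered 200 OK creates a binding
        elif start.startswith("INVITE ") and src == server:
            peer = sip_user(start)
            if bindings.get(peer, dst) != dst:  # unknown peers are not judged
                alerts.append((peer, bindings[peer], dst))
    return alerts

def msg(*lines):
    """Join start line and headers into a SIP message (constructed sample data only)."""
    return "\r\n".join(lines) + "\r\n\r\n"

# Constructed trace: IPs follow the report's lab; ports and Call-IDs are made up.
A, X = "172.16.2.77:5070", "192.168.2.1:5060"
TRACE = [
    (A, SERVER, msg("REGISTER sip:172.16.2.77 SIP/2.0", "To: <sip:101@172.16.2.77>", "Call-ID: a1", "CSeq: 1 REGISTER")),
    (SERVER, A, msg("SIP/2.0 200 OK", "Call-ID: a1", "CSeq: 1 REGISTER")),
    (SERVER, A, msg("INVITE sip:101@172.16.2.77:5070 SIP/2.0", "Call-ID: c1", "CSeq: 1 INVITE")),
    (SERVER, X, msg("INVITE sip:101@192.168.2.1:5060 SIP/2.0", "Call-ID: c2", "CSeq: 1 INVITE")),
]
```

Calling `misrouted_invites(TRACE)` reports the second INVITE for peer 101, because no accepted REGISTER preceded the change of destination.
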
Comments:
By: Asterisk Team (asteriskteam) 2019-10-17 09:00:28.612-0500

This issue has been automatically restricted and set to a blocker due to being a security type issue. If this is not a security vulnerability issue it will be moved to the appropriate issue type when triaged.

By: Joshua C. Colp (jcolp) 2019-10-17 09:03:45.764-0500

When "nat" is set to "yes" I wasn't able to reproduce this. When it was set to "no" I also was not able to reproduce it. It has to be the default, or the specific value that matches the default I think.

By: Benjamin Keith Ford (bford) 2019-10-22 13:33:53.330-0500

Attaching the advisory here for you to review. If there's anything you would like changed, please let me know.

By: Friendly Automation (friendly-automation) 2019-11-21 11:42:06.138-0600

Change 13236 merged by Friendly Automation:
chan_sip.c: Prevent address change on unauthenticated SIP request.

https://gerrit.asterisk.org/c/asterisk/+/13236

By: Friendly Automation (friendly-automation) 2019-11-21 13:33:33.715-0600

Change 13281 merged by Benjamin Keith Ford:
chan_sip.c: Prevent address change on unauthenticated SIP request.

https://gerrit.asterisk.org/c/asterisk/+/13281

By: Friendly Automation (friendly-automation) 2019-11-21 13:34:46.276-0600

Change 13280 merged by Benjamin Keith Ford:
chan_sip.c: Prevent address change on unauthenticated SIP request.

https://gerrit.asterisk.org/c/asterisk/+/13280

By: Friendly Automation (friendly-automation) 2019-11-21 13:39:44.149-0600

Change 13237 merged by Friendly Automation:
chan_sip.c: Prevent address change on unauthenticated SIP request.

https://gerrit.asterisk.org/c/asterisk/+/13237

By: Friendly Automation (friendly-automation) 2019-11-21 13:40:57.001-0600

Change 13238 merged by Benjamin Keith Ford:
chan_sip.c: Prevent address change on unauthenticated SIP request.

https://gerrit.asterisk.org/c/asterisk/+/13238

By: Friendly Automation (friendly-automation) 2019-11-21 13:58:25.084-0600

Change 13239 merged by Benjamin Keith Ford:
chan_sip.c: Prevent address change on unauthenticated SIP request.

https://gerrit.asterisk.org/c/asterisk/+/13239

By: Friendly Automation (friendly-automation) 2019-11-21 14:45:20.989-0600

Change 13283 merged by Benjamin Keith Ford:
chan_sip.c: Prevent address change on unauthenticated SIP request.

https://gerrit.asterisk.org/c/asterisk/+/13283

By: Friendly Automation (friendly-automation) 2019-11-21 14:46:02.948-0600

Change 13284 merged by Benjamin Keith Ford:
chan_sip.c: Prevent address change on unauthenticated SIP request.

https://gerrit.asterisk.org/c/asterisk/+/13284

By: Friendly Automation (friendly-automation) 2019-11-21 14:46:42.462-0600

Change 13285 merged by Benjamin Keith Ford:
chan_sip.c: Prevent address change on unauthenticated SIP request.

https://gerrit.asterisk.org/c/asterisk/+/13285