[Home]

Summary:ASTERISK-20186: Security Vulnerability: IAX2 peer's NEW message bypasses ACL defined in realtime
Reporter:Matt Jordan (mjordan)Labels:
Date Opened:2012-08-01 13:05:41Date Closed:2012-08-30 11:23:07
Priority:MajorRegression?
Status:Closed/CompleteComponents:Channels/chan_iax2
Versions:1.8.15.0 10.7.0 10.7.0-digiumphones Frequency of
Occurrence
Related
Issues:
must be completed before resolvingASTERISK-20308 Asterisk 1.8.16.0 Blockers
must be completed before resolvingASTERISK-20309 Asterisk 10.8.0 Blockers
Environment:Attachments:( 0) AST-2012-013-1.8.diff
( 1) AST-2012-013-10.diff
( 2) AST-2012-013-11.diff
Description:From the issue reporter:

I believe I have found a potential IAX2 security issue.  I have tested this on both on asterisk-1.6.2.24  asterisk-1.8.14.1.  In both cases, I am using Realtime IAX and testing with a ZoIPer softphone and am seemingly able to bypass the deny/permit directives.  This does not occur with regular .conf files, only via Realtime.

Let's say User "test1a" is at 9.8.7.6 and User "test1234567" is at 1.2.3.4.

Here is the entries from the Realtime IAX table:

{noformat}
+-----------+--------+--------+----------+-------------+----------------+----------+-------------+------------+----------+---------+-------------+---------+-----------+-----------------+-----------------+---------+------+-------------+------------+
| client_id | name   | type   | transfer | canreinvite | cancallforward | username | accountcode | secret     | amaflags | context | callerid    | host    | defaultip | deny            | permit          | ipaddr  | port | fullcontact | regseconds |
+-----------+--------+--------+----------+-------------+----------------+----------+-------------+------------+----------+---------+-------------+---------+-----------+-----------------+-----------------+---------+------+-------------+------------+
|        30 | test1a | friend | no       | no          | no             | test1a   | test1a      | xxxxxxxxxx | billing  | internl | 12125551212 | dynamic | NULL      | 0.0.0.0/0.0.0.0 | 0.0.0.0/0.0.0.0 | 0.0.0.0 |    0 | NULL        |          0 |
+-----------+--------+--------+----------+-------------+----------------+----------+-------------+------------+----------+---------+-------------+---------+-----------+-----------------+-----------------+---------+------+-------------+------------+

+-----------+-------------+--------+----------+-------------+----------------+-------------+-------------+----------+----------+---------+----------+---------+-----------+-----------------+-------------------------+---------+------+-------------+------------+
| client_id | name        | type   | transfer | canreinvite | cancallforward | username    | accountcode | secret   | amaflags | context | callerid | host    | defaultip | deny            | permit                  | ipaddr  | port | fullcontact | regseconds |
+-----------+-------------+--------+----------+-------------+----------------+-------------+-------------+----------+----------+---------+----------+---------+-----------+-----------------+-------------------------+---------+------+-------------+------------+
|        41 | test1234567 | friend | no       | no          | no             | test1234567 | test1234567 | xxxxxxxx | billing  | internl |          | dynamic | NULL      | 0.0.0.0/0.0.0.0 | 1.2.3.4/255.255.255.255 | 0.0.0.0 |    0 | NULL        |          0 |
+-----------+-------------+--------+----------+-------------+----------------+-------------+-------------+----------+----------+---------+----------+---------+-----------+-----------------+-------------------------+---------+------+-------------+------------+
{noformat}

If from a cold start of the server or if the first user has not registered for awhile (long after their registration expired), the first user (9.8.7.6) attempts to register or make a call to test1234567 (which only permits 1.2.3.4), the registration or call without registration will be denied (desired behavior).  

[Jul 27 00:15:04] NOTICE[28571]: chan_iax2.c:7711 register_verify: Host 9.8.7.6 denied access to register peer 'test1234567'
^^^ OK

However, if "test1a" registers using their own credentials and then changes their credentials (username and password) to that of test1234567... they are able to bypass the deny/permit and make calls using the second users credentials.  Registration will be still be blocked as is desired, but calls without registration can be made regardless of deny/permit.

{noformat}
--Call attempt after changing credentials.
[Jul 27 00:15:05] DEBUG[28564]: chan_iax2.c:2577 sched_delay_remove: schedule decrement of callno used for 9.8.7.6 in 60 seconds
[Jul 27 00:15:05] DEBUG[28565]: res_config_mysql.c:1618 mysql_reconnect: MySQL RealTime: Connection okay.
[Jul 27 00:15:05] DEBUG[28565]: res_config_mysql.c:372 realtime_mysql: MySQL RealTime: Retrieve SQL: SELECT * FROM iaxpeers WHERE ipaddr = '9.8.7.6' AND port = '4569'
[Jul 27 00:15:05] DEBUG[28565]: chan_iax2.c:2240 peercnt_add: ip callno count incremented to 29 for 9.8.7.6
[Jul 27 00:15:05] DEBUG[28565]: res_config_mysql.c:1618 mysql_reconnect: MySQL RealTime: Connection okay.
[Jul 27 00:15:05] DEBUG[28565]: res_config_mysql.c:372 realtime_mysql: MySQL RealTime: Retrieve SQL: SELECT * FROM iaxpeers WHERE name = 'test1234567' AND host = 'dynamic'
[Jul 27 00:15:05] WARNING[28565]: utils.c:1538 __ast_string_field_init: trying to reset empty pool
[Jul 27 00:15:05] DEBUG[28565]: acl.c:347 ast_append_ha: 0.0.0.0/0.0.0.0 sense 0 appended to acl for peer
[Jul 27 00:15:05] DEBUG[28565]: acl.c:347 ast_append_ha: 1.2.3.4/255.255.255.255 sense 1 appended to acl for peer
[Jul 27 00:15:07] DEBUG[28562]: chan_iax2.c:2270 peercnt_remove: ip callno count decremented to 28 for 9.8.7.6
[Jul 27 00:15:07] DEBUG[28563]: res_config_mysql.c:1618 mysql_reconnect: MySQL RealTime: Connection okay.
[Jul 27 00:15:07] DEBUG[28563]: res_config_mysql.c:372 realtime_mysql: MySQL RealTime: Retrieve SQL: SELECT * FROM iaxpeers WHERE ipaddr = '9.8.7.6' AND port = '4569'
[Jul 27 00:15:07] DEBUG[28563]: chan_iax2.c:2240 peercnt_add: ip callno count incremented to 29 for 9.8.7.6
[Jul 27 00:15:07] NOTICE[28563]: chan_iax2.c:7711 register_verify: Host 9.8.7.6 denied access to register peer 'test1234567'
   -- Accepting AUTHENTICATED call from 9.8.7.6:
      > requested format = gsm,
      > requested prefs = (),
      > actual format = ulaw,
      > host prefs = (ulaw|alaw|gsm|ilbc|g729),
      > priority = mine
^^^ NOT OK User at 9.8.7.6 able to make a call using test1234567 credentials and thus bypass the permit of only the 1.2.3.4 IP.  CDRs indicate call is form test1234567 from an IP that should have been denied.
{noformat}

I have changed just about everything in iax.conf regarding RT cahcing, expiring, etc and I still see the same behavior.

Note from mjordan:

I was able to confirm this as well using Zoiper as the test1a peer and a second Asterisk instance as the ACL restricted peer.  Even when the test1a peer was not registered, it was able to use the credentials of the second IAX peer and make a call.  The REGREQ was still properly denied, but the NEW bypassed the ACL.
Comments: