kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-11-16 06:48:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses.

Browse Source 
When endpoint specific ACL rules block a SIP request they respond with a
403 forbidden.  However, if an endpoint is not identified then a 401
unauthorized response is sent.  This vulnerability just discloses which
requests hit a defined endpoint.  The ACL rules cannot be bypassed to gain
access to the disclosed endpoints.

* Made endpoint specific ACL rules now respond with a 401 unauthorized
which is the same as if an endpoint were not identified.  The fix is
accomplished by replacing the found endpoint with the artificial endpoint
which always fails authentication.

ASTERISK-27818

Change-Id: I716c998d5fad7a12bf6cf1747102189080a4b6de
This commit is contained in:
Richard Mudgett
2018-04-30 17:38:58 -05:00
committed by Kevin Harwell
parent f71a367016
commit 0ebeb3bed5
1 changed files with 30 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
res/res_pjsip/pjsip_distributor.c
View File

@@ -666,6 +666,26 @@ static void check_endpoint(pjsip_rx_data *rdata, struct unidentified_request *un
ao2_unlock(unid);
}
static int apply_endpoint_acl(pjsip_rx_data *rdata, struct ast_sip_endpoint *endpoint);
static int apply_endpoint_contact_acl(pjsip_rx_data *rdata, struct ast_sip_endpoint *endpoint);
static void apply_acls(pjsip_rx_data *rdata)
{
struct ast_sip_endpoint *endpoint;
/* Is the endpoint allowed with the source or contact address? */
endpoint = rdata->endpt_info.mod_data[endpoint_mod.id];
if (endpoint != artificial_endpoint
&& (apply_endpoint_acl(rdata, endpoint)
|| apply_endpoint_contact_acl(rdata, endpoint))) {
ast_debug(1, "Endpoint '%s' not allowed by ACL\n",
ast_sorcery_object_get_id(endpoint));
/* Replace the rdata endpoint with the artificial endpoint. */
ao2_replace(rdata->endpt_info.mod_data[endpoint_mod.id], artificial_endpoint);
}
}
static pj_bool_t endpoint_lookup(pjsip_rx_data *rdata)
{
struct ast_sip_endpoint *endpoint;
@@ -684,6 +704,7 @@ static pj_bool_t endpoint_lookup(pjsip_rx_data *rdata)
ao2_unlink(unidentified_requests, unid);
ao2_ref(unid, -1);
}
apply_acls(rdata);
return PJ_FALSE;
}
@@ -743,6 +764,8 @@ static pj_bool_t endpoint_lookup(pjsip_rx_data *rdata)
ast_sip_report_invalid_endpoint(name, rdata);
}
}
apply_acls(rdata);
return PJ_FALSE;
}
@@ -826,16 +849,11 @@ static pj_bool_t authenticate(pjsip_rx_data *rdata)
ast_assert(endpoint != NULL);
if (endpoint!=artificial_endpoint) {
if (apply_endpoint_acl(rdata, endpoint) || apply_endpoint_contact_acl(rdata, endpoint)) {
if (!is_ack) {
pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 403, NULL, NULL, NULL);
}
return PJ_TRUE;
}
if (is_ack) {
return PJ_FALSE;
}
if (!is_ack && ast_sip_requires_authentication(endpoint, rdata)) {
if (ast_sip_requires_authentication(endpoint, rdata)) {
pjsip_tx_data *tdata;
struct unidentified_request *unid;
@@ -871,6 +889,10 @@ static pj_bool_t authenticate(pjsip_rx_data *rdata)
return PJ_TRUE;
}
pjsip_tx_data_dec_ref(tdata);
} else if (endpoint == artificial_endpoint) {
/* Uh. Oh. The artificial endpoint couldn't challenge so block the request. */
pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 500, NULL, NULL, NULL);
return PJ_TRUE;
}
return PJ_FALSE;