[Pkg-voip-commits] r6969 - in /asterisk/branches/etch/debian: changelog patches/00list patches/AST-2009-003.dpatch

[tzafrir-guest at alioth.debian.org]

Author: tzafrir-guest
Date: Sat Apr  4 15:38:00 2009
New Revision: 6969

URL: http://svn.debian.org/wsvn/pkg-voip/?sc=1&rev=6969
Log:
Fix for AST-2009-003 (CVE-2008-3903) - SIP responses expose valid 
usernames (Closes: #522528).

Added:
    asterisk/branches/etch/debian/patches/AST-2009-003.dpatch   (with props)
Modified:
    asterisk/branches/etch/debian/changelog
    asterisk/branches/etch/debian/patches/00list

Modified: asterisk/branches/etch/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/etch/debian/changelog?rev=6969&op=diff
==============================================================================
--- asterisk/branches/etch/debian/changelog (original)
+++ asterisk/branches/etch/debian/changelog Sat Apr  4 15:38:00 2009
@@ -9,8 +9,10 @@
   * To re-enable it set "allowfwdownload = yes" in iaxprov.conf
   * Fix for AST-2009-001 (CVE-2009-0041) - Information leak in IAX2 
     authentication (Closes: #513413).
-
- -- Tzafrir Cohen <tzafrir.cohen at xorcom.com>  Sat, 21 Feb 2009 15:56:30 +0200
+  * Fix for AST-2009-003 (CVE-2008-3903) - SIP responses expose valid 
+    usernames (Closes: #522528).
+
+ -- Tzafrir Cohen <tzafrir.cohen at xorcom.com>  Sat, 04 Apr 2009 18:35:37 +0300
 
 asterisk (1:1.2.13~dfsg-2etch5) stable-security; urgency=high
 

Modified: asterisk/branches/etch/debian/patches/00list
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/etch/debian/patches/00list?rev=6969&op=diff
==============================================================================
--- asterisk/branches/etch/debian/patches/00list (original)
+++ asterisk/branches/etch/debian/patches/00list Sat Apr  4 15:38:00 2009
@@ -18,6 +18,7 @@
 AST-2008-011.dpatch
 AST-2008-012.dpatch
 AST-2009-001.dpatch
+AST-2009-003.dpatch
 # ukcid probably conflicts with bristuff
 ukcid
 option_detach

Added: asterisk/branches/etch/debian/patches/AST-2009-003.dpatch
URL: http://svn.debian.org/wsvn/pkg-voip/asterisk/branches/etch/debian/patches/AST-2009-003.dpatch?rev=6969&op=file
==============================================================================
--- asterisk/branches/etch/debian/patches/AST-2009-003.dpatch (added)
+++ asterisk/branches/etch/debian/patches/AST-2009-003.dpatch Sat Apr  4 15:38:00 2009
@@ -1,0 +1,162 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## AST-2009-003.dpatch by Tzafrir Cohen <tzafrir.cohen at xorcom.com>
+##
+## DP: SIP responses expose valid usernames
+## DP: 
+## DP: See http://downloads.digium.com/pub/security/AST-2009-003.html
+## DP: Source: http://downloads.digium.com/pub/asa/AST-2009-003-1.2.diff.txt
+## DP: CVE: CVE-2008-3903
+
+ at DPATCH@
+Index: channels/chan_sip.c
+===================================================================
+--- a/channels/chan_sip.c	(revision 183480)
++++ b/channels/chan_sip.c	(working copy)
+@@ -6611,10 +6611,81 @@
+ /*! \brief Send a fake 401 Unauthorized response when the administrator
+   wants to hide the names of local users/peers from fishers
+ */
+-static void transmit_fake_auth_response(struct sip_pvt *p, struct sip_request *req, char *randdata, int randlen, int reliable)
++static void transmit_fake_auth_response(struct sip_pvt *p, int sipmethod, struct sip_request *req, char *randdata, int randlen, int reliable, int ignore)
+ {
+-	snprintf(randdata, randlen, "%08x", thread_safe_rand());
+-	transmit_response_with_auth(p, "401 Unauthorized", req, randdata, reliable, "WWW-Authenticate", 0);
++	/* We have to emulate EXACTLY what we'd get with a good peer
++	 * and a bad password, or else we leak information. */
++	char *response = "407 Proxy Authentication Required";
++	char *reqheader = "Proxy-Authorization";
++	char *respheader = "Proxy-Authenticate";
++	const char *authtoken;
++
++	if (sipmethod == SIP_REGISTER || sipmethod == SIP_SUBSCRIBE) {
++		response = "401 Unauthorized";
++		reqheader = "Authorization";
++		respheader = "WWW-Authenticate";
++	}
++
++	authtoken = get_header(req, reqheader);
++	if (ignore && !ast_strlen_zero(p->randdata) && ast_strlen_zero(authtoken)) {
++		/* This is a retransmitted invite/register/etc, don't reconstruct authentication
++		 * information */
++		if (!reliable) {
++			/* Resend message if this was NOT a reliable delivery.   Otherwise the
++			   retransmission should get it */
++			transmit_response_with_auth(p, response, req, randdata, reliable, respheader, 0);
++			/* Schedule auto destroy in 15 seconds */
++			sip_scheddestroy(p, 15000);
++		}
++	} else if (ast_strlen_zero(p->randdata) || ast_strlen_zero(authtoken)) {
++		/* We have no auth, so issue challenge and request authentication */
++		snprintf(p->randdata, sizeof(p->randdata), "%08x", thread_safe_rand());
++		transmit_response_with_auth(p, response, req, p->randdata, 0, respheader, 0);
++		sip_scheddestroy(p, 15000);
++	} else {
++		char tmp[256], *c = tmp, *z, *nonce = "";
++
++		/* Find their response among the mess that we'r sent for comparison */
++		ast_copy_string(tmp, authtoken, sizeof(tmp));
++
++		while (c) {
++			c = ast_skip_blanks(c);
++			if (!*c) {
++				break;
++			}
++			if (!strncasecmp(c, "nonce=", strlen("nonce="))) {
++				c += strlen("nonce=");
++				if ((*c == '\"')) {
++					nonce = ++c;
++					if ((c = strchr(c,'\"'))) {
++						*c = '\0';
++					}
++				} else {
++					nonce = c;
++					if ((c = strchr(c,','))) {
++						*c = '\0';
++					}
++				}
++				/* Don't need anything beyond the nonce sent. */
++				break;
++			} else if ((z = strchr(c, ' ')) || (z = strchr(c, ','))) {
++				c = z;
++			}
++			if (c) {
++				c++;
++			}
++		}
++		/* Verify nonce from request matches our nonce.  If not, send 401 with new nonce */
++		if (strncasecmp(randdata, nonce, randlen)) {
++			snprintf(randdata, randlen, "%08x", thread_safe_rand());
++			transmit_response_with_auth(p, response, req, randdata, reliable, respheader, 0);
++
++			/* Schedule auto destroy in 15 seconds */
++			sip_scheddestroy(p, 15000);
++		} else {
++			transmit_response(p, "403 Forbidden (Bad auth)", &p->initreq);
++		}
++	}
+ }
+ 
+ /*! \brief  register_verify: Verify registration of user */
+@@ -6736,6 +6807,14 @@
+ 			}
+ 		}
+ 	}
++	if (!peer && global_alwaysauthreject) {
++		/* If we found a peer, we transmit a 100 Trying.  Therefore, if we're
++		 * trying to avoid leaking information, we MUST also transmit the same
++		 * response when we DON'T find a peer. */
++		transmit_response(p, "100 Trying", req);
++		/* Insert a fake delay between the 100 and the subsequent failure. */
++		sched_yield();
++	}
+ 	if (!res) {
+ 		ast_device_state_changed("SIP/%s", peer->name);
+ 	}
+@@ -6756,7 +6835,7 @@
+ 		case -4:	/* ACL error */
+ 		case -5:	/* Peer is not supposed to register with us at all */
+ 			if (global_alwaysauthreject) {
+-				transmit_fake_auth_response(p, &p->initreq, p->randdata, sizeof(p->randdata), 1);
++				transmit_fake_auth_response(p, SIP_REGISTER, &p->initreq, p->randdata, sizeof(p->randdata), 1, ignore);
+ 			} else {
+ 				/* URI not found */
+ 				if (res == -5)
+@@ -10699,7 +10778,7 @@
+ 		if (res < 0) {
+ 			if (res == -4) {
+ 				ast_log(LOG_NOTICE, "Sending fake auth rejection for user %s\n", get_header(req, "From"));
+-				transmit_fake_auth_response(p, req, p->randdata, sizeof(p->randdata), 1);
++				transmit_fake_auth_response(p, SIP_INVITE, req, p->randdata, sizeof(p->randdata), 1, ignore);
+ 			} else {
+ 				ast_log(LOG_NOTICE, "Failed to authenticate user %s\n", get_header(req, "From"));
+ 				transmit_response_reliable(p, "403 Forbidden", req, 1);
+@@ -11105,7 +11184,7 @@
+ 		if (res < 0) {
+ 			if (res == -4) {
+ 				ast_log(LOG_NOTICE, "Sending fake auth rejection for user %s\n", get_header(req, "From"));
+-				transmit_fake_auth_response(p, req, p->randdata, sizeof(p->randdata), 1);
++				transmit_fake_auth_response(p, SIP_SUBSCRIBE, req, p->randdata, sizeof(p->randdata), 1, ignore);
+ 			} else {
+ 				ast_log(LOG_NOTICE, "Failed to authenticate user %s for SUBSCRIBE\n", get_header(req, "From"));
+ 				if (ignore)
+Index: configs/sip.conf.sample
+===================================================================
+--- a/configs/sip.conf.sample	(revision 183480)
++++ b/configs/sip.conf.sample	(working copy)
+@@ -108,10 +108,12 @@
+ 				; Useful to limit subscriptions to local extensions
+ 				; Settable per peer/user also
+ ;notifyringing = yes		; Notify subscriptions on RINGING state
+-;alwaysauthreject = yes		; When an incoming INVITE or REGISTER is to be rejected,
+-		    		; for any reason, always reject with '401 Unauthorized'
+-				; instead of letting the requester know whether there was
+-				; a matching user or peer for their request
++;alwaysauthreject = yes          ; When an incoming INVITE or REGISTER is to be rejected,
++                                 ; for any reason, always reject with an identical response
++                                 ; equivalent to valid username and invalid password/hash
++                                 ; instead of letting the requester know whether there was
++                                 ; a matching user or peer for their request.  This reduces
++                                 ; the ability of an attacker to scan for valid SIP usernames.
+ ;
+ ; If regcontext is specified, Asterisk will dynamically create and destroy a
+ ; NoOp priority 1 extension for a given peer who registers or unregisters with

Propchange: asterisk/branches/etch/debian/patches/AST-2009-003.dpatch
------------------------------------------------------------------------------
    svn:executable = *