From: Richard Mudgett Date: Mon, 30 Apr 2018 22:38:58 +0000 (-0500) Subject: AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e01e83d4fc520d7b676663d89cf1016b16e0b803;p=thirdparty%2Fasterisk.git AST-2018-008: Fix enumeration of endpoints from ACL rejected addresses. When endpoint specific ACL rules block a SIP request they respond with a 403 forbidden. However, if an endpoint is not identified then a 401 unauthorized response is sent. This vulnerability just discloses which requests hit a defined endpoint. The ACL rules cannot be bypassed to gain access to the disclosed endpoints. * Made endpoint specific ACL rules now respond with a 401 unauthorized which is the same as if an endpoint were not identified. The fix is accomplished by replacing the found endpoint with the artificial endpoint which always fails authentication. ASTERISK-27818 Change-Id: Icb275a54ff8e2df6c671a6d9bda37b5d732b3b32 --- diff --git a/res/res_pjsip/pjsip_distributor.c b/res/res_pjsip/pjsip_distributor.c index 7f512d1bb7..51738170ca 100644 --- a/res/res_pjsip/pjsip_distributor.c +++ b/res/res_pjsip/pjsip_distributor.c @@ -676,6 +676,26 @@ static void check_endpoint(pjsip_rx_data *rdata, struct unidentified_request *un ao2_unlock(unid); } +static int apply_endpoint_acl(pjsip_rx_data *rdata, struct ast_sip_endpoint *endpoint); +static int apply_endpoint_contact_acl(pjsip_rx_data *rdata, struct ast_sip_endpoint *endpoint); + +static void apply_acls(pjsip_rx_data *rdata) +{ + struct ast_sip_endpoint *endpoint; + + /* Is the endpoint allowed with the source or contact address? */ + endpoint = rdata->endpt_info.mod_data[endpoint_mod.id]; + if (endpoint != artificial_endpoint + && (apply_endpoint_acl(rdata, endpoint) + || apply_endpoint_contact_acl(rdata, endpoint))) { + ast_debug(1, "Endpoint '%s' not allowed by ACL\n", + ast_sorcery_object_get_id(endpoint)); + + /* Replace the rdata endpoint with the artificial endpoint. */ + ao2_replace(rdata->endpt_info.mod_data[endpoint_mod.id], artificial_endpoint); + } +} + static pj_bool_t endpoint_lookup(pjsip_rx_data *rdata) { struct ast_sip_endpoint *endpoint; @@ -694,6 +714,7 @@ static pj_bool_t endpoint_lookup(pjsip_rx_data *rdata) ao2_unlink(unidentified_requests, unid); ao2_ref(unid, -1); } + apply_acls(rdata); return PJ_FALSE; } @@ -753,6 +774,8 @@ static pj_bool_t endpoint_lookup(pjsip_rx_data *rdata) ast_sip_report_invalid_endpoint(name, rdata); } } + + apply_acls(rdata); return PJ_FALSE; } @@ -836,16 +859,11 @@ static pj_bool_t authenticate(pjsip_rx_data *rdata) ast_assert(endpoint != NULL); - if (endpoint!=artificial_endpoint) { - if (apply_endpoint_acl(rdata, endpoint) || apply_endpoint_contact_acl(rdata, endpoint)) { - if (!is_ack) { - pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 403, NULL, NULL, NULL); - } - return PJ_TRUE; - } + if (is_ack) { + return PJ_FALSE; } - if (!is_ack && ast_sip_requires_authentication(endpoint, rdata)) { + if (ast_sip_requires_authentication(endpoint, rdata)) { pjsip_tx_data *tdata; struct unidentified_request *unid; @@ -881,6 +899,10 @@ static pj_bool_t authenticate(pjsip_rx_data *rdata) return PJ_TRUE; } pjsip_tx_data_dec_ref(tdata); + } else if (endpoint == artificial_endpoint) { + /* Uh. Oh. The artificial endpoint couldn't challenge so block the request. */ + pjsip_endpt_respond_stateless(ast_sip_get_pjsip_endpoint(), rdata, 500, NULL, NULL, NULL); + return PJ_TRUE; } return PJ_FALSE;