Posted: Tue May 05, 2009 6:19 pm Post subject: [asterisk-dev] [Code Review] IAX REGAUTH loop
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
http://reviewboard.digium.com/r/245/
-----------------------------------------------------------
Review request for Asterisk Developers and Tilghman Lesher.
Summary
-------
If an IAX2 device attempts to register with an invalid username (one that does not exist in iax.conf), then Asterisk sends a REGAUTH containing a random MD5 or RSA challenge in response. If the device answers the fake challenge request then Asterisk sends another REGAUTH rather than terminating the registration. This starts a loop.
A side effect of this is that it spams the CLI with notices that no registration was found for the peer:
[Apr 9 01:22:20] NOTICE[24066]: chan_iax2.c:5686 register_verify: No registration for peer 'friend' (from x.x.x.x)
Solution: If the username does not exist in iax.conf go ahead and send the random challenge. If the device using the nonexistent username responds to the challenge, send an AUTHREJ to terminate the registration.
Posted: Tue May 05, 2009 10:21 pm Post subject: [asterisk-dev] [Code Review] IAX REGAUTH loop
On 6/05/2009 6:52 a.m., David Vossel wrote:
Quote:
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
http://reviewboard.digium.com/r/245/
-----------------------------------------------------------
Review request for Asterisk Developers and Tilghman Lesher.
Summary
-------
If an IAX2 device attempts to register with an invalid username (one that does not exist in iax.conf), then Asterisk sends a REGAUTH containing a random MD5 or RSA challenge in response. If the device answers the fake challenge request then Asterisk sends another REGAUTH rather than terminating the registration. This starts a loop.
A side effect of this is that it spams the CLI with notices that no registration was found for the peer:
[Apr 9 01:22:20] NOTICE[24066]: chan_iax2.c:5686 register_verify: No registration for peer 'friend' (from x.x.x.x)
Solution: If the username does not exist in iax.conf go ahead and send the random challenge. If the device using the nonexistent username responds to the challenge, send an AUTHREJ to terminate the registration.
Am I right in assuming that this is the same response that would be provided if the password was wrong but username correct? Just thinking about account harvesting.
--
Kind Regards,
Matt Riddell
Director
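The exchange described in the review request, and the point raised in the reply above, as an added example that is not Asterisk's code: a small model of the server side of IAX2 registration (RFC 5456 MD5 challenge/response) with the pre-fix behaviour (re-challenge forever) beside the proposed fix (AUTHREJ after a failed answer). The peer table, usernames and secrets are constructed; the Registrar/run_exchange names are this example's own.

```python
# Added example, not chan_iax2.c: a model of the IAX2 REGREQ -> REGAUTH -> REGREQ exchange.
import hashlib
import secrets

PEERS = {"alice": "s3cret"}  # constructed peer table standing in for iax.conf


def md5_response(challenge: str, secret: str) -> str:
    """IAX2 MD5 auth: hex MD5 of the challenge concatenated with the secret (RFC 5456)."""
    return hashlib.md5((challenge + secret).encode()).hexdigest()


class Registrar:
    def __init__(self, fixed: bool):
        self.fixed = fixed        # True: send AUTHREJ after a failed answer (the review's fix)
        self.challenges = {}      # username -> outstanding challenge
        self.notices = 0          # count of "No registration for peer" NOTICE lines

    def register_verify(self, username: str, md5_result=None) -> str:
        secret = PEERS.get(username)
        if secret is None:
            self.notices += 1     # the CLI notice the review request complains about
        if md5_result is None or username not in self.challenges:
            # First REGREQ: always challenge, even for an unknown username, so the
            # wire behaviour does not by itself reveal whether the peer exists.
            self.challenges[username] = secrets.token_hex(8)
            return "REGAUTH"
        chal = self.challenges.pop(username)
        if secret is not None and md5_result == md5_response(chal, secret):
            return "REGACK"
        if self.fixed:
            return "AUTHREJ"      # terminate: unknown user and wrong secret look the same
        # Pre-fix behaviour: re-challenge instead of rejecting, so a client that
        # keeps answering produces an endless REGAUTH loop and one NOTICE per round.
        self.challenges[username] = secrets.token_hex(8)
        return "REGAUTH"


def run_exchange(reg: Registrar, username: str, secret: str, rounds: int = 3):
    """Drive a client that answers every challenge; return the server's replies in order."""
    replies = [reg.register_verify(username)]
    for _ in range(rounds):
        if replies[-1] != "REGAUTH":
            break
        answer = md5_response(reg.challenges[username], secret)
        replies.append(reg.register_verify(username, answer))
    return replies
```

With the fix, an unknown username and a known username with the wrong secret both yield REGAUTH followed by AUTHREJ, which is the property the reply above asks about.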