On 7 March 2013 22:20, Paul Belanger <paul.belanger(a)polybeacon.com> wrote:
Greetings,
Hopefully I'm understanding the following default kamailio.cfg[1]
file. Over the weekend, I was attacked by SipVicious. Following
along with the example Daniel[2] created with Kamailio and Asterisk, I
have almost the same setup. Rather than storing my SIP profiles in the
Asterisk database, I have them in Kamailio.
I also have a test installation originally based on Daniel's example and
have come across the same issue. I also placed a stanza such as the one
below into my [AUTH] route so that INVITEs must be authenticated. Given
that in this setup Asterisk is trusting any INVITEs from Kamailio, it seems
like it should be there for sure.
However, I also found another issue on the Asterisk side related to this. I
raised it on the Asterisk-users list but did not get any replies. Might be
worth a read, and if anyone else here has any idea I would be grateful.
Post is at
http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
Regards,
-Barry
To my point, the attacker was actually able to bypass any sort of
authentication by simply sending an INVITE message:
./svmap.py -e 18885551234 kamailio.example.org -m INVITE
Which Kamailio forwarded to Asterisk, and because there is no
additional auth within Asterisk, it was able to hit the Asterisk context
and get processed (they did not get out to the real world).
However, my question is: why do we not authenticate INVITE
messages? If my understanding is correct, it would require something
like the following:
    if (is_method("INVITE")) {
        # challenge the caller for proxy credentials against the subscriber table
        if (!proxy_authorize("$fd", "subscriber")) {
            proxy_challenge("$fd", "0");
            exit;
        }
    }
If so, why not also do it in the default configuration file?
[1]
http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=blob_plain;f=et…
[2]
http://kb.asipto.com/asterisk:realtime:kamailio-3.3.x-asterisk-10.7.0-astdb
--
Paul Belanger | PolyBeacon, Inc.
Jabber: paul.belanger(a)polybeacon.com | IRC: pabelanger (Freenode)
Github: https://github.com/pabelanger | Twitter: https://twitter.com/pabelanger
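As an added example (not code from this thread, from Kamailio's default kamailio.cfg, or from Daniel's Asterisk example), here is the shape a route[AUTH] could take that challenges REGISTER with www_challenge and every other initial request, INVITE included, with proxy_challenge, so that nothing is relayed to Asterisk without credentials. It assumes the auth, auth_db, sl and xlog modules are loaded, that accounts live in the "subscriber" table as in the thread, and that route(AUTH) is called from the main request route for initial requests only, as the default file does. The $au != $fU comparison and consume_credentials() are the two checks usually wanted beside the bare authorize call.

```cfg
# Added example, not the project's own route[AUTH].
route[AUTH] {
	if (is_method("REGISTER")) {
		# registrations are challenged with WWW-Authenticate
		if (!www_authorize("$fd", "subscriber")) {
			www_challenge("$fd", "0");
			exit;
		}
		return;
	}

	# every other initial request (INVITE, MESSAGE, ...) must carry valid
	# Proxy-Authorization credentials before it goes anywhere near Asterisk;
	# an unauthenticated INVITE such as the svmap probe stops here with a 407
	if (!proxy_authorize("$fd", "subscriber")) {
		xlog("L_NOTICE", "challenging $rm from $si ($fu -> $ru)\n");
		proxy_challenge("$fd", "0");
		exit;
	}

	# the digest username must match the From user, otherwise one valid
	# account could place calls using another subscriber's identity
	if ($au != $fU) {
		sl_send_reply("403", "Forbidden auth ID");
		exit;
	}

	# credentials were for this proxy only; strip them before forwarding
	consume_credentials();
	return;
}
```

The xlog line is there so that a burst of 407 challenges from one source address shows up in syslog, which is what a scanner like the one in the thread looks like from the proxy side. If the deployment also receives calls from trusted trunks that cannot authenticate, the usual approach is to test allow_source_address() from the permissions module before the proxy_authorize call and return early for those addresses; that is a deployment choice and is not shown above.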
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users