On Mon, May 15, 2017 at 03:06:38PM +0200, Daniel-Constantin Mierla wrote:
This opens the door to hijacking incoming calls to other users on the same kamailio registrar if one knows/guesses other usernames and uses those in the To header.
SIP allows third party registrations. From header indicates who performs the registration. To header indicates for whom the registration is done. Auth username is the account/private identity associated with From. All these three can be different in SIP. In kamailio, we check that all of them are the same via the parameter options of auth_check().
If you give different public and private identities, then you need to keep the relation between them and check there is a match, otherwise, yes, if I have an account on the same service as you, then I can register my phone on your behalf. uri_db module is supposed to offer a database-based solution, but you can use other modules (e.g., sqlops, htable, ...).
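As an added illustration (not code from this thread or from Kamailio), a small Python model of the binding check described above: a REGISTER carries three identities (From, To, authentication username) and the registrar either requires all three to be identical or consults an explicit private-to-public identity mapping, as uri_db would. The header layout, the `allowed_public` mapping and the sample messages are constructed assumptions.

```python
import re

# Constructed model of the identity-binding policy for REGISTER:
# From = who registers, To = who the binding is created for,
# Authorization username = the private identity that was authenticated.

ADDR_RE = re.compile(r"<?sip:(?P<user>[^@>;]+)@(?P<domain>[^;>]+)>?")

def parse_identity(header_value):
    """Return (user, domain) from a From/To header value such as
    '"Alice" <sip:alice@example.com>;tag=1'."""
    m = ADDR_RE.search(header_value)
    if not m:
        raise ValueError("unparseable identity: %r" % header_value)
    return m.group("user"), m.group("domain").lower()

def auth_username(authorization_value):
    """Extract the username= parameter of a Digest Authorization header."""
    m = re.search(r'username="([^"]*)"', authorization_value)
    if not m:
        raise ValueError("no username in Authorization header")
    return m.group(1)

def register_allowed(headers, allowed_public=None):
    """Decide whether a REGISTER may create a binding for the To identity.

    headers: dict with 'From', 'To' and 'Authorization' values.
    allowed_public: assumed mapping auth-username -> set of public
    usernames that account may register on behalf of (the relation the
    registrar must keep when private and public identities differ).
    With no mapping, all three identities must be the same.
    """
    from_id = parse_identity(headers["From"])
    to_id = parse_identity(headers["To"])
    user = auth_username(headers["Authorization"])
    # The authenticated private identity must always be the From user.
    if from_id[0] != user:
        return False
    if allowed_public is None:
        return from_id == to_id
    # Third-party registration: To must be a public identity bound to
    # this account, in the same domain.
    return to_id[1] == from_id[1] and to_id[0] in allowed_public.get(user, ())
```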
Okay, didn't see it as a feature, only as a way to hijack. Never looked at auth_check, but I'm glad someone thought about this.
This realisation is kind of shocking to me.
Contact IETF guys, Alex pointed out the reason in the other email ;-)
I'm over it now :)
Thanks for your and Alex's feedback.