Greeting,
Hopefully, I'm understanding the following default kamailio.cfg[1] file. Over the weekend, I was attached by SipVicious. Following along with the example Daniel[2] create with kamailio and asterisk, I have almost the same setup. Rather then storing my SIP profiles in Asterisk database, I have then in Kamailio.
To my point, the attacker was actually able to by pass any sort of authentication, but simply sending an INIVTE message:
./svmap.py -e 18885551234 kamailio.example.org -m INVITE
Which kamailio, forwarded to Asterisk and because there is no additional auth within asterisk, was able to hit the asterisk context for getting processed (they did not get out to the real world). However, my question is.... why do we not authenticate INVITE messages? If my understanding is correct, if would require something like the following:
if (is_method("INVITE")) { if (!proxy_authorize("$fd", "subscriber")) { proxy_challenge("$fd", "0"); exit; } }
If so, why not also do it in the default configuration file?
[1] http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=blob_plain;f=etc... [2] http://kb.asipto.com/asterisk:realtime:kamailio-3.3.x-asterisk-10.7.0-astdb
Because digest authentication is a far from self-evident or universal use-case for Kamailio.
Paul Belanger paul.belanger@polybeacon.com wrote:
Greeting,
Hopefully, I'm understanding the following default kamailio.cfg[1] file. Over the weekend, I was attached by SipVicious. Following along with the example Daniel[2] create with kamailio and asterisk, I have almost the same setup. Rather then storing my SIP profiles in Asterisk database, I have then in Kamailio.
To my point, the attacker was actually able to by pass any sort of authentication, but simply sending an INIVTE message:
./svmap.py -e 18885551234 kamailio.example.org -m INVITE
Which kamailio, forwarded to Asterisk and because there is no additional auth within asterisk, was able to hit the asterisk context for getting processed (they did not get out to the real world). However, my question is.... why do we not authenticate INVITE messages? If my understanding is correct, if would require something like the following:
if (is_method("INVITE")) { if (!proxy_authorize("$fd", "subscriber")) { proxy_challenge("$fd", "0"); exit; } }
If so, why not also do it in the default configuration file?
[1] http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=blob_plain;f=etc... [2] http://kb.asipto.com/asterisk:realtime:kamailio-3.3.x-asterisk-10.7.0-astdb -- Paul Belanger | PolyBeacon, Inc. Jabber: paul.belanger@polybeacon.com | IRC: pabelanger (Freenode) Github: https://github.com/pabelanger | Twitter: https://twitter.com/pabelanger
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
-- Sent from my Nexus 10, with all the figments of autocorrect that might imply.
Alex Balashov - Principal Evariste Systems LLC 235 E Ponce de Leon Ave Suite 106 Decatur, GA 30030 United States Tel: +1-678-954-0670 Web: http://www.evaristesys.com/, http://www.alexbalashov.com/
On Thu, Mar 7, 2013 at 5:24 PM, Alex Balashov abalashov@evaristesys.com wrote:
Because digest authentication is a far from self-evident or universal use-case for Kamailio.
Paul Belanger paul.belanger@polybeacon.com wrote:
Greeting,
Hopefully, I'm understanding the following default kamailio.cfg[1] file. Over the weekend, I was attached by SipVicious. Following along with the example Daniel[2] create with kamailio and asterisk, I have almost the same setup. Rather then storing my SIP profiles in Asterisk database, I have then in Kamailio.
To my point, the attacker was actually able to by pass any sort of authentication, but simply sending an INIVTE message:
./svmap.py -e 18885551234 kamailio.example.org -m INVITE
Which kamailio, forwarded to Asterisk and because there is no additional auth within asterisk, was able to hit the asterisk context for getting processed (they did not get out to the real world). However, my question is.... why do we not authenticate INVITE messages? If my understanding is correct, if would require something like the following:
if (is_method("INVITE")) { if (!proxy_authorize("$fd", "subscriber")) { proxy_challenge("$fd", "0"); exit; } }
If so, why not also do it in the default configuration file?
[1] http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=blob_plain;f=etc... [2] http://kb.asipto.com/asterisk:realtime:kamailio-3.3.x-asterisk-10.7.0-astdb
So that is what confuses me. Why do we authenticate only when the user requests it?
What gives you that idea? Most likely, they spoofed an IP.
Paul Belanger paul.belanger@polybeacon.com wrote:
On Thu, Mar 7, 2013 at 5:24 PM, Alex Balashov abalashov@evaristesys.com wrote:
Because digest authentication is a far from self-evident or universal use-case for Kamailio.
Paul Belanger paul.belanger@polybeacon.com wrote:
Greeting,
Hopefully, I'm understanding the following default kamailio.cfg[1] file. Over the weekend, I was attached by SipVicious. Following along with the example Daniel[2] create with kamailio and asterisk,
I
have almost the same setup. Rather then storing my SIP profiles in Asterisk database, I have then in Kamailio.
To my point, the attacker was actually able to by pass any sort of authentication, but simply sending an INIVTE message:
./svmap.py -e 18885551234 kamailio.example.org -m INVITE
Which kamailio, forwarded to Asterisk and because there is no additional auth within asterisk, was able to hit the asterisk
context
for getting processed (they did not get out to the real world). However, my question is.... why do we not authenticate INVITE messages? If my understanding is correct, if would require
something
like the following:
if (is_method("INVITE")) { if (!proxy_authorize("$fd", "subscriber")) { proxy_challenge("$fd", "0"); exit; } }
If so, why not also do it in the default configuration file?
[1]
http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=blob_plain;f=etc...
[2]
http://kb.asipto.com/asterisk:realtime:kamailio-3.3.x-asterisk-10.7.0-astdb
So that is what confuses me. Why do we authenticate only when the user requests it?
-- Paul Belanger | PolyBeacon, Inc. Jabber: paul.belanger@polybeacon.com | IRC: pabelanger (Freenode) Github: https://github.com/pabelanger | Twitter: https://twitter.com/pabelanger
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
-- Sent from my Nexus 10, with all the figments of autocorrect that might imply.
Alex Balashov - Principal Evariste Systems LLC 235 E Ponce de Leon Ave Suite 106 Decatur, GA 30030 United States Tel: +1-678-954-0670 Web: http://www.evaristesys.com/, http://www.alexbalashov.com/
On 13-03-07 05:30 PM, Alex Balashov wrote:
What gives you that idea? Most likely, they spoofed an IP.
Here is a example INVITE message.
well, it is really a matter of policy (and not software) what to authenticate and opinions on it can differ. I like the pre-configured options in oob, but that may be very well just because I wrote them :) https://github.com/flowroute/kamailio/blob/master/etc/sip-router-oob.cfg (note it is for sip-router flavor and I'm not sure how far the kamailio merging process has digged into config files -- the logic should be apparent though)
I think a simple and reasonable policy is to authenticate *ALL* INVITEs without To-tag (i.e. those that really initiate a call) and ALL REGISTERs that have a served domain in From.
It is also worthwhile checking if the digest username corresponds (equals in the simplest caste) the From URI. Otherwise the proxy server could accept an INVITE authenticated by foo@bar.com in digest header field and still permit john@bar.com in From.
Going more relaxed is certainly unsafe. Challenging more can break interoperability. (some phones are silly not to support authentication for BYE, call-forwarding schemes may lead to unexpected domains in URIs, CANCEL/ACK just don't have it, etc.)
jiri
On 3/7/13 11:20 PM, Paul Belanger wrote:
Greeting,
Hopefully, I'm understanding the following default kamailio.cfg[1] file. Over the weekend, I was attached by SipVicious. Following along with the example Daniel[2] create with kamailio and asterisk, I have almost the same setup. Rather then storing my SIP profiles in Asterisk database, I have then in Kamailio.
To my point, the attacker was actually able to by pass any sort of authentication, but simply sending an INIVTE message:
./svmap.py -e 18885551234 kamailio.example.org -m INVITE
Which kamailio, forwarded to Asterisk and because there is no additional auth within asterisk, was able to hit the asterisk context for getting processed (they did not get out to the real world). However, my question is.... why do we not authenticate INVITE messages? If my understanding is correct, if would require something like the following:
if (is_method("INVITE")) { if (!proxy_authorize("$fd", "subscriber")) { proxy_challenge("$fd", "0"); exit; } }
If so, why not also do it in the default configuration file?
[1] http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=blob_plain;f=etc... [2] http://kb.asipto.com/asterisk:realtime:kamailio-3.3.x-asterisk-10.7.0-astdb
7 mar 2013 kl. 23:20 skrev Paul Belanger paul.belanger@polybeacon.com:
Greeting,
Hopefully, I'm understanding the following default kamailio.cfg[1] file. Over the weekend, I was attached by SipVicious. Following along with the example Daniel[2] create with kamailio and asterisk, I have almost the same setup. Rather then storing my SIP profiles in Asterisk database, I have then in Kamailio.
To my point, the attacker was actually able to by pass any sort of authentication, but simply sending an INIVTE message:
./svmap.py -e 18885551234 kamailio.example.org -m INVITE
Which kamailio, forwarded to Asterisk and because there is no additional auth within asterisk, was able to hit the asterisk context for getting processed (they did not get out to the real world). However, my question is.... why do we not authenticate INVITE messages? If my understanding is correct, if would require something like the following:
if (is_method("INVITE")) { if (!proxy_authorize("$fd", "subscriber")) { proxy_challenge("$fd", "0"); exit; } }
If so, why not also do it in the default configuration file?
The default configuration file is set up to be userfriendly and easy to start with and learn from, it's not something that should be deployed in production.
To add authentication in Kamailio, you would need some sort of external datastore with accounts, which is not easy to ship with the default config. If you enable auth in the config file, which is documented in there and a database with subscribers, I'm pretty sure it will authenticate properly.
We could also add a PV-based authentication with a static password in the configuration file, like "KAMAILIOADMIN" and password "ABBA4EVER" but it would take five minutes from commit until that password and username would be on top of the list for SIPvicious. Especially since I would tell Sandro about it... ;-)
Now, you did enable authentication and something went wrong. Did Daniel's example rely on Asterisk authentication maybe and you disabled that?
Maybe we should add text to the default config, like in Asterisks README.SERIOUSLY, that not using proper authentication is a bad thing (TM).
/O
[1] http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=blob_plain;f=etc... [2] http://kb.asipto.com/asterisk:realtime:kamailio-3.3.x-asterisk-10.7.0-astdb -- Paul Belanger | PolyBeacon, Inc. Jabber: paul.belanger@polybeacon.com | IRC: pabelanger (Freenode) Github: https://github.com/pabelanger | Twitter: https://twitter.com/pabelanger
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
On 7 March 2013 22:20, Paul Belanger paul.belanger@polybeacon.com wrote:
Greeting,
Hopefully, I'm understanding the following default kamailio.cfg[1] file. Over the weekend, I was attached by SipVicious. Following along with the example Daniel[2] create with kamailio and asterisk, I have almost the same setup. Rather then storing my SIP profiles in Asterisk database, I have then in Kamailio.
I also have a test installation originally based on Daniel's example and have come across the same issue. I also placed a stanza such as the one below into my [AUTH] route so that INVITES must be authenticated. Given that in this setup Asterisk is trusting any INVITES from Kamailio it seems like it should be there for sure.
However, I also found another issue on the Asterisk side related to this. I raised it on the Asterisk-users list but did not get any replies. Might be worth a read, and if anyone else here has any idea I would be grateful. Post is at http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
Regards,
-Barry
To my point, the attacker was actually able to by pass any sort of authentication, but simply sending an INIVTE message:
./svmap.py -e 18885551234 kamailio.example.org -m INVITE
Which kamailio, forwarded to Asterisk and because there is no additional auth within asterisk, was able to hit the asterisk context for getting processed (they did not get out to the real world). However, my question is.... why do we not authenticate INVITE messages? If my understanding is correct, if would require something like the following:
if (is_method("INVITE")) { if (!proxy_authorize("$fd", "subscriber")) { proxy_challenge("$fd", "0"); exit; } }
If so, why not also do it in the default configuration file?
[1] http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=blob_plain;f=etc... [2] http://kb.asipto.com/asterisk:realtime:kamailio-3.3.x-asterisk-10.7.0-astdb -- Paul Belanger | PolyBeacon, Inc. Jabber: paul.belanger@polybeacon.com | IRC: pabelanger (Freenode) Github: https://github.com/pabelanger | Twitter: https://twitter.com/pabelanger
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
I think there's two ways of looking at this...
1) That Kamailio is sending all the calls to Asterisk.
2) That the Asterisk is sending the calls through
I think the post Barry placed on Asterisk list identifies a serious issue; that being said the easy way one #1 to help avoid this, IMO,...
A) Set a flag after consume credentials
B) Update logic so that any call not intended for a local destination on that Asterisk box (DID, extension) is then checked for the flag set in A. If flag isn't there, reject call with 403 or something you wish.
If you have a lot of DIDs, you can do a look up in the routing.
-
Alex Balashov -
Barry Flanagan -
Fred Posner -
Jiri Kuthan -
Olle E. Johansson -
Paul Belanger