2 Dec
2004
2 Dec
'04
4:11 p.m.
Hi All,
I found an interesting problem. Set up is using xlite, SER 0.8.12 with
digest authentication enabled. I just realized that after I get
registered with account A. Then change the "username" (keep authorization
user to A) in Xlite to someone's SIP account (B). I can make calls using
B's credits while registration I'm using is still A's. Is there a way to
fix this?
In xlite you have parameters:
Username: (use for actual call, pass on to GW (e.g. pstn)
Authorization User: (use for registration)
Password: (use for registration)
2 Dec
2 Dec
4:34 p.m.
I think you can use something like this to make sure digest credentials are valid.
if (method=="REGISTER") {
if (!www_authorize("", "subscriber")) {
www_challenge("",
"0");
break;
};
if (!check_to()) {
sl_send_reply("401",
"Unauthorized");
break;
};
save();
}
--- kcassidy(a)kakelma.mine.nu wrote:
Hi All,
I found an interesting problem. Set up is using xlite, SER 0.8.12 with
digest authentication enabled. I just realized that after I get
registered with account A. Then change the "username" (keep authorization
user to A) in Xlite to someone's SIP account (B). I can make calls using
B's credits while registration I'm using is still A's. Is there a way to
fix this?
In xlite you have parameters:
Username: (use for actual call, pass on to GW (e.g. pstn)
Authorization User: (use for registration)
Password: (use for registration)
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
__________________________________
Do you Yahoo!?
All your favorites on one personal page � Try My Yahoo!
http://my.yahoo.com
4:39 p.m.
Hi Java,
This only checks the REGISTER method. I think we need something to
check the URI in the INVITE method whether it's fake or not. Just my 2
cents.
P.S. I'm not a SIP expert :)
On Thu, 2 Dec 2004, Java Rockx wrote:
I think you can use something like this to make sure
digest credentials are valid.
if (method=="REGISTER") {
if (!www_authorize("", "subscriber")) {
www_challenge("",
"0");
break;
};
if (!check_to()) {
sl_send_reply("401",
"Unauthorized");
break;
};
save();
}
--- kcassidy(a)kakelma.mine.nu wrote:
Hi All,
I found an interesting problem. Set up is using xlite, SER 0.8.12 with
digest authentication enabled. I just realized that after I get
registered with account A. Then change the "username" (keep authorization
user to A) in Xlite to someone's SIP account (B). I can make calls using
B's credits while registration I'm using is still A's. Is there a way to
fix this?
In xlite you have parameters:
Username: (use for actual call, pass on to GW (e.g. pstn)
Authorization User: (use for registration)
Password: (use for registration)
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
__________________________________
Do you Yahoo!?
All your favorites on one personal page Try My Yahoo!
http://my.yahoo.com
4:58 p.m.
you can use proxy_authorize() for that -- i think.
--- kcassidy(a)kakelma.mine.nu wrote:
Hi Java,
This only checks the REGISTER method. I think we need something to
check the URI in the INVITE method whether it's fake or not. Just my 2
cents.
P.S. I'm not a SIP expert :)
On Thu, 2 Dec 2004, Java Rockx wrote:
__________________________________
Do you Yahoo!?
Yahoo! Mail - Helps protect you from nasty viruses.
http://promotions.yahoo.com/new_mail
I think you can use something like this to make
sure digest credentials are valid.
if (method=="REGISTER") {
if (!www_authorize("", "subscriber")) {
www_challenge("", "0");
break;
};
if (!check_to()) {
sl_send_reply("401", "Unauthorized");
break;
};
save();
}
--- kcassidy(a)kakelma.mine.nu wrote:
Hi All,
I found an interesting problem. Set up is using xlite, SER 0.8.12 with
digest authentication enabled. I just realized that after I get
registered with account A. Then change the "username" (keep authorization
user to A) in Xlite to someone's SIP account (B). I can make calls using
B's credits while registration I'm using is still A's. Is there a way to
fix this?
In xlite you have parameters:
Username: (use for actual call, pass on to GW (e.g. pstn)
Authorization User: (use for registration)
Password: (use for registration)
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
__________________________________
Do you Yahoo!?
All your favorites on one personal page � Try My Yahoo!
http://my.yahoo.com
4:58 p.m.
kcassidy(a)kakelma.mine.nu wrote:
This only checks the REGISTER method. I think we
need something to
check the URI in the INVITE method whether it's fake or not. Just my 2
cents.
if(method == "INVITE" && proxy_authorize(...))
{
if(!check_from())
{
# from-user != authorized user
}
# proceed as usual here...
}
should do it.
Andy
4:03 p.m.
Hi there
how one would check if from!=authorized using RADIUS auth module?
Cheers
!3runo
Andreas Granig wrote:
This only
checks the REGISTER method. I think we need something to
check the URI in the INVITE method whether it's fake or not. Just my
2 cents.
if(method == "INVITE" && proxy_authorize(...))
{
if(!check_from())
{
# from-user != authorized user
}
# proceed as usual here...
}
should do it.
Andy
5:27 p.m.
Hi Andy,
But we can still hijack someone who is registered right?
On Thu, 2 Dec 2004, Andreas Granig wrote:
kcassidy(a)kakelma.mine.nu wrote:
This only checks the REGISTER method. I think
we need something to
check the URI in the INVITE method whether it's fake or not. Just my 2
cents.
if(method == "INVITE" && proxy_authorize(...))
{
if(!check_from())
{
# from-user != authorized user
}
# proceed as usual here...
}
should do it.
Andy
6:37 p.m.
kcassidy(a)kakelma.mine.nu wrote:
But we can still hijack someone who is registered
right?
Don't think so. If you use A's authorization credentials and B's
username (which is inserted into From, isn't it?), then the INVITE would
pass the proxy_authorization(), but will fail to satisfy check_from()
which checks AFAIR the From-user against the username in credentials.
The same applies to REGISTERs, if you check_to() after successfully
passing www_authorize().
Don't know about check_xxx() and Radius, we don't use Radius here.
Andy
4 Dec
4 Dec
12:10 a.m.
In REGISTER messages you have to check To because this is the header
field that contain the SIP URI being registered. The correct way is to
first call www_authorize and then check_to, which would verify if the
usernames in To and digest credentials are the same.
For INVITE messages, call proxy_authorize and then check_from to verify
if the usernames in From header field and digest credentials are the
same. That would prevent people from hijacking identity of someone else.
Jan.
On 02-12 16:37, Andreas Granig wrote:
kcassidy(a)kakelma.mine.nu wrote:
But we can still hijack someone who is
registered right?
Don't think so. If you use A's authorization credentials and B's
username (which is inserted into From, isn't it?), then the INVITE would
pass the proxy_authorization(), but will fail to satisfy check_from()
which checks AFAIR the From-user against the username in credentials.
The same applies to REGISTERs, if you check_to() after successfully
passing www_authorize().
Don't know about check_xxx() and Radius, we don't use Radius here.
Andy
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
7280
days inactive
7281
days old
8 comments
5 participants
participants (5)
-
Andreas Granig -
Bruno Lopes F. Cabral -
Jan Janak -
Java Rockx -
kcassidy@kakelma.mine.nu