Hi List, I am using Kamailio 1.4 and authenticating INVITEs if the source IP address is not in the trusted table, but one IP which is not in the trusted table was able to bypass INVITE authentication. I don't have SIP traces saved from the calls, but when that was happening I could see that the INVITE didn't have auth credentials, yet the caller was able to bypass authentication and was sending calls to my upstream gateway.
The caller's IP is definitely not in the trusted table. I am just wondering whether something is wrong in my script, or whether a similar issue has been reported before.
Thanks in Advance
Asim
route[2] {
    xlog("L_INFO", "[ROUTE-2] Received initial INVITE from $si\n");
    setflag(2);
    setflag(3);
    if(is_from_local()) {
        if(!allow_trusted()) {
            xlog("L_INFO", "[ROUTE-2 !] Issuing proxy challenge\n");
            if(!proxy_authorize("", "subscriber")) {
                proxy_challenge("", "1");
                exit;
            }
            else if(!check_from()) {
                xlog("L_INFO", "[ROUTE-2 !] From URI denied\n");
                sl_send_reply("403", "Forbidden");
                exit;
            }
        }
        else {
            xlog("L_INFO", "[ROUTE-2 !] From URI domain not local - denied\n");
            sl_send_reply("403", "Forbidden");
            exit;
        }
    }
    consume_credentials();
    xlog("L_INFO", "[ROUTE-2 ->] Authentication credentials valid\n");
    if(nat_uac_test("1")) {
        xlog("L_INFO", "[ROUTE-2 ->] RFC1918 contact found - fixing up\n");
        fix_nated_contact();
        force_rport();
        setbflag(7);
    }
    if(nat_uac_test("8") && search("Content-Type: application/sdp")) {
        xlog("L_INFO", "[ROUTE-2 ->] RFC1918 SDP endpoint found - fixing up\n");
        fix_nated_sdp("10");
    }
    # Apply outbound translations and figure out where to route the call.
    route(4);    # this routes the calls to the upstream gateway
}
These are the messages I was getting in syslog:
[ROUTE-2] Received initial INVITE from xxx.xxx.xxx.xxx(Caller_IP)
ERROR:auth:consume_credentials: no authorized credentials found (error in scripts)
[ROUTE-2 ->] Authentication credentials valid
[ROUTE-4] Applying outbound translations to: 0022334455
[ROUTE-4 ->] Translated RURI user part to: 22334455
[ROUTE-4 ->] Gateway election: my_upstream_gateway
[ROUTE-5] Accounting translation: sip:0022334455@my_upstream_gateway
[ROUTE-2 ->] Relaying
Weird; the code you pasted is unmistakably *my* route script, written in my exact (older) style, and even with error messages of my rhetorical character. I think I must've posted it at some point as example code.
Anyway, the reason you are having this problem is that the logic causes consume_credentials() to be run even if the INVITE is trusted (i.e. allow_trusted() is true), in which case there is no authentication challenge (proxy_authorize()) and therefore, no authentication digest headers.
The solution is to bifurcate the logic into a disjunction:
if(is_from_local()) {
    if(!allow_trusted()) {
        xlog("L_INFO", "[ROUTE-2 !] Issuing proxy challenge\n");
        if(!proxy_authorize("", "subscriber")) {
            proxy_challenge("", "1");
            exit;
        }
        else if(!check_from()) {
            xlog("L_INFO", "[ROUTE-2 !] From URI denied\n");
            sl_send_reply("403", "Forbidden");
            exit;
        }
        ### PUT consume_credentials() HERE INSTEAD ***
    }
    else {
        xlog("L_INFO", "[ROUTE-2 !] From URI domain not local - denied\n");
        sl_send_reply("403", "Forbidden");
        exit;
    }
}
Kamailio (OpenSER) - Users mailing list Users@lists.kamailio.org http://lists.kamailio.org/cgi-bin/mailman/listinfo/users http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
Hi Alex, I am not worried about this message, "ERROR:auth:consume_credentials: no authorized credentials found (error in scripts)", which I am receiving because of consume_credentials; my problem is that the caller wasn't in the trusted table, so he should have received a challenge from the proxy, but he was able to bypass authentication as his IP was in the trusted table.
    if(is_from_local()) {
        if(!allow_trusted()) {
            xlog("L_INFO", "[ROUTE-2 !] Issuing proxy challenge\n");
            if(!proxy_authorize("", "subscriber")) {
                proxy_challenge("", "1");
                exit;
            }
Any idea? Thanks,
Asim
I'm confused:
Asim Riaz wrote:
> my problem is the caller wasn't in the trusted table
... A?
> he was able to bypass authentication as his IP was in the trusted table.
... B?
Propositions A and B seem to be in a contradictory relation to each other.
Hi Alex,
What I was trying to say is that the caller's IP wasn't in the trusted table, but he didn't receive a challenge from the proxy and was able to bypass authentication like my other trusted users which are in the trusted table.
Thanks,
Asim
The appropriate conclusion is that the permissions module determined that the caller was, in fact, in the trusted table, possibly due to incorrect, ambiguous or wildcard data (subnet matching?).
Hi Alex,
I am not matching subnets, just single IP addresses, and I don't have the caller's IP in the trusted table.
Thanks, Asim
Asim Riaz wrote:
> I am not matching subnets, just single IP addresses, and I don't have the caller's IP in the trusted table.
Well, clearly, some part of the process is failing and the IP address is being matched regardless. Whether this is a bug, a misunderstanding or a mistake on your part is something we have no way of determining without knowing the details - that is, the IP address, all applicable module parameters for the permissions module, and the contents of the trusted table.
It is understandable that you may not wish to share such details on a public list, but, unfortunately this limits the amount of aid that someone can provide. Perhaps if you change the numbers in the IP address(es) but otherwise provide consistent information, we can help.
Hi Alex, here are the details; please let me know if you need more information:
modparam("permissions", "db_mode", 1)
modparam("permissions", "trusted_table", "trusted")
modparam("permissions", "db_url", "mysql://openser:openserrw@localhost/openser")
kamctl trusted show
+----+-------------+-------+--------------+------+---------+
| id | src_ip      | proto | from_pattern | tag  | version |
+----+-------------+-------+--------------+------+---------+
|  3 | 192.168.1.1 | any   | ^sip:.*$     | NULL | NULL    |
|  4 | 192.168.2.2 | any   | ^sip:.*$     | NULL | NULL    |
|  6 | 192.168.3.3 | any   | ^sip:.*$     | NULL | NULL    |
|  7 | 192.168.4.4 | any   | ^sip:.*$     |      | NULL    |
|  8 | 192.168.5.5 | any   | ^sip:.*$     |      | NULL    |
|  9 | 192.168.6.6 | any   | ^sip:.*$     |      | NULL    |
+----+-------------+-------+--------------+------+---------+
The IP address of the caller which was able to bypass INVITE auth is e.g. 10.10.1.1, completely different in all octets from the IP addresses in my trusted table.
Thanks,
Asim
Maybe the user tried some tricks? e.g.
- spoofing in-dialog requests (Route headers, To-tags ...)
- external domain (!is_from_local()) and direct addressing of the gateway
klaus
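As an added example (not the script from the thread, and not Alex's or the project's own code), here is the initial-INVITE route reworked along the lines Alex describes, with a guard for the in-dialog and non-local cases Klaus lists. Two things about the script as pasted motivate the layout. First, the "Authentication credentials valid" line is logged for every call, trusted or challenged, so the syslog excerpt cannot tell the two apart; the example logs which branch admitted the call. Second, with the braces exactly as they appear in the paste, the `else` that sends "From URI domain not local - denied" closes against `if(!allow_trusted())`, not `if(is_from_local())`, so a request whose From domain is not local reaches `consume_credentials()` and `route(4)` with no check at all, which is the case Klaus's second bullet points at; the example rejects that case up front so every path out of the route other than `route(4)` is an explicit reply or a challenge. It is written in Kamailio 1.4-style config and assumes the same modules and route numbers as Asim's script (permissions, auth, auth_db, uri_db, nathelper, rr, tm, `route(4)` for gateway selection); the main-route dispatch shown is an assumption, not something posted in the thread.

```kamailio
# Added example, not the thread's own script: Kamailio 1.4-style config.
# Assumes the same modules Asim's script uses (permissions, auth, auth_db,
# uri_db, nathelper, rr, tm) and that route(4) does the gateway selection.

route {
    # Assumed main-route dispatch (not from the thread): requests carrying a
    # To-tag are in-dialog and must follow the Record-Route set; they never
    # enter the initial-INVITE route, so a forged To-tag or Route header
    # cannot be used to skip the checks in route(2).
    if (has_totag()) {
        if (loose_route()) {
            t_relay();
            exit;
        }
        if (method == "ACK") {
            exit;   # stray ACK: nothing to answer
        }
        sl_send_reply("403", "Forbidden");
        exit;
    }
    if (method == "INVITE") {
        route(2);
        exit;
    }
    # ... other methods handled here ...
}

route[2] {
    xlog("L_INFO", "[ROUTE-2] Received initial INVITE from $si\n");
    setflag(2);
    setflag(3);

    # Fail closed: a request whose From domain is not local is rejected here,
    # so nothing can fall through to the relay without a check.
    if (!is_from_local()) {
        xlog("L_INFO", "[ROUTE-2 !] From URI domain not local - denied ($si)\n");
        sl_send_reply("403", "Forbidden");
        exit;
    }

    if (allow_trusted()) {
        # Source IP matched the trusted table: no challenge was issued, so
        # there are no credentials to consume. Log it so syslog shows which
        # branch let the call in (the original logged "credentials valid"
        # for both).
        xlog("L_INFO", "[ROUTE-2 ->] $si matched trusted table - no challenge\n");
    } else {
        xlog("L_INFO", "[ROUTE-2 !] Issuing proxy challenge to $si\n");
        if (!proxy_authorize("", "subscriber")) {
            proxy_challenge("", "1");
            exit;
        }
        if (!check_from()) {
            xlog("L_INFO", "[ROUTE-2 !] From URI denied\n");
            sl_send_reply("403", "Forbidden");
            exit;
        }
        # Credentials have been verified, so strip them before relaying.
        consume_credentials();
        xlog("L_INFO", "[ROUTE-2 ->] Authentication credentials valid for $si\n");
    }

    if (nat_uac_test("1")) {
        xlog("L_INFO", "[ROUTE-2 ->] RFC1918 contact found - fixing up\n");
        fix_nated_contact();
        force_rport();
        setbflag(7);
    }
    if (nat_uac_test("8") && search("Content-Type: application/sdp")) {
        xlog("L_INFO", "[ROUTE-2 ->] RFC1918 SDP endpoint found - fixing up\n");
        fix_nated_sdp("10");
    }

    # Apply outbound translations and route to the upstream gateway.
    route(4);
}
```

With this layout, the sequence in Asim's syslog (INVITE received, then the consume_credentials error, then relaying) cannot occur: a relayed call is always preceded by either a "matched trusted table" line naming the source IP or a "credentials valid" line, so the next time an unexpected call goes out the log itself says which of the two admitted it.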