[OpenSER-Devel] [ openser-Bugs-1850882 ] [permissions] bug in default "register.deny"

SourceForge.net noreply at sourceforge.net
Tue Jul 8 15:10:28 CEST 2008


Bugs item #1850882, was opened at 2007-12-14 17:26
Message generated for change (Comment added) made by ibc_sf
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=743020&aid=1850882&group_id=139143

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
Status: Closed
Resolution: Fixed
Priority: 5
Private: No
Submitted By: Iñaki Baz (ibc_sf)
Assigned to: Henning Westerholt (henningw)
Summary: [permissions] bug in default "register.deny"

Initial Comment:
Hi, the file "register.deny" included in:
  http://openser.svn.sourceforge.net/viewvc/openser/trunk/modules/permissions/config/register.deny?view=markup

puts as example a gw with IP 1.2.3.4 and a regular expresion:

  ALL : "^sip:.*1\.2\.3\.4$"

This is obviosly vulnerable because a malicious user could send a REGISTER with:

  Contact: <sip:PSTN_number at 1.2.0003.4>

And IP 1.2.0003.4 is the same as 1.2.3.4 but wouldn't be matched by regular expression.

Because that I propose to set:

  ALL : "^sip:.*0*1\.0*2\.0*3\.0*4$"

to avoid any number of 0's.


And other thing, the phrase:
# (Don't forget to list also all hostnames that can
# be used to reach the PSTN gateway)

This is a false security recommendation since anyone can register a public domain pointing to any IP, so a malicious user could register a domain "blablabla.com" pointing to 1.2.3.4 and this would bypass "register.deny" security.

----------------------------------------------------------------------

>Comment By: Iñaki Baz (ibc_sf)
Date: 2008-07-08 15:10

Message:
Logged In: YES 
user_id=1844020
Originator: YES

It's OK for me. :)
Thanks.

----------------------------------------------------------------------

Comment By: Henning Westerholt (henningw)
Date: 2008-07-08 15:00

Message:
Logged In: YES 
user_id=337916
Originator: NO

Hi Inaki,

correct, ping is more relaxed in this regards. I've added some notes about
the security implications to the file. Please review and re-open when you
still see issues.

Henning

----------------------------------------------------------------------

Comment By: Iñaki Baz (ibc_sf)
Date: 2008-07-08 09:41

Message:
Logged In: YES 
user_id=1844020
Originator: YES

Hi, take a look to this example:

---------
~$ host 217.12.6.29
29.6.12.217.in-addr.arpa domain name pointer rc1.vip.ukl.yahoo.com.

~$ host 217.12.06.29
217.12.06.29 has address 217.12.6.29
Host 217.12.06.29 not found: 3(NXDOMAIN)
Host 217.12.06.29 not found: 3(NXDOMAIN)

~$ ping 217.12.06.29
PING 217.12.06.29 (217.12.6.29) 56(84) bytes of data.
64 bytes from 217.12.6.29: icmp_seq=1 ttl=245 time=69.5 ms
64 bytes from 217.12.6.29: icmp_seq=2 ttl=245 time=67.2 ms
-----------

About my suggestion I just can point you the discussion it was in
OpenSer-users maillist about it some time ago:
  http://openser.org/pipermail/users/2007-December/014853.html

The conclusion was simple: The only and reliable solution to avoid
fraudulent registrations (faked "Contact") is the use of blacklists, as
Klaus suggested:
  http://openser.org/pipermail/users/2007-December/014867.html

There is another way by using "register.deny" but avoiding registration
with a hostname/domain in the "Contact" as Juha suggested:
  http://openser.org/pipermail/users/2007-December/014855.html

But IMHO using "register.deny" (including there IP's but allowing
hostnames/domains) is compeltely a securuty lack.

Balcklists work perfectly for me.

----------------------------------------------------------------------

Comment By: Henning Westerholt (henningw)
Date: 2008-07-07 13:43

Message:
Logged In: YES 
user_id=337916
Originator: NO

Hi Iñaki,

AFAIK resolve 1.2.0003.4 and 1.2.3.4 not to the same name, at least on my
machine.
With regards to the recommendation, do you've a better suggestion?

Cheers,

Henning

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=743020&aid=1850882&group_id=139143



More information about the Devel mailing list