[OpenSER-Users] Security hole in REGISTER's Contact using domain

Iñaki Baz Castillo ibc at in.ilimit.es
Fri Dec 14 11:29:32 CET 2007


On Friday 14 December 2007 11:04:40 Juha Heinanen wrote:
> Iñaki Baz Castillo writes:
>  > > 1) buy pstn gws that accept no hostnames (just its own ip address) in
>  > >   the hostpart of r-uri.  example, cisco ios with later software
>  > >   releases.
>  >
>  > So really, isn't there a solution just on the OpenSer-Registrar side??
>
> this is registrar solution.  you use permissions module and don't accept
> registrations where ip address in hostpart of contact belongs to your
> gws.

Yes, but without gateway collaboration you get nothing. The proxy must avoid a
REGISTER with the gateway IP in Contact, but in the case of a "Contact: domain_to_gw"
the only solution is the gw avoiding a non-IP ruri domain. The proxy can do nothing in
that case.


>  > > 2) forget the hostpart check all together and instead check the
>  > >    userpart, where you have put something special that the gw then
>  > >    removes.
>  >
>  > So you mean for example:
>  >
>  > register.deny:
>  > --------------------
>  >   ALL : "^sip:.*secret_word_.*@"
>  > ----------------------
>  >
>  > And later, in any call to PSTN OpenSer should add:
>  >
>  >   $ru = "secret_word_" + $ru;
>
> you can use lcr module to add the prefix.

>  > so the uri arriving to the gw becomes:
>  >
>  >   sip:secret_word_01666555444@gw_ip_or_hostname
>  >
>  > And the gw should just allow calls from OpenSer with uri username
>  > beginning with  "secret_word_" and it should strip it.
>
> that is correct, but the prefix does not need to be secret, just
> something that doesn't normally appear in userparts.
>
>  > Is this what you mean? anyway, a little complex, isn't it?  XDD
>
> why do you think it is complex?  one row in register.deny and one strip
> at the gateway.


I'm trying it with some SIP providers and I see:

  INVITE sip:0034666555444@sip_provider_domain

and I get in the "183" and "200" a Contact like:

  Contact: <sip:aa+ibc@IP:5090>

So I assume that "aa" is the privileged prefix.






-- 
Iñaki Baz Castillo
ibc at in.ilimit.es
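
A small Python model of the userpart-prefix scheme discussed in this thread, added here as an illustration; it is not code from either poster or from OpenSER. The deny pattern and the secret_word_ prefix come from the thread; the function names, the hostname gw.example.net and the sample Contacts are constructed assumptions.

```python
import re

PREFIX = "secret_word_"  # prefix from the thread; it need not be secret
# The register.deny row from the thread, modelled as a regex search.
DENY_CONTACT = re.compile(r"^sip:.*secret_word_.*@")


def registrar_accepts(contact_uri):
    """Registrar side: refuse any Contact whose userpart carries the prefix."""
    return DENY_CONTACT.search(contact_uri) is None


def split_uri(uri):
    """Split 'sip:user@host' into (user, host); URI parameters are not handled."""
    m = re.match(r"^sip:([^@]*)@(.+)$", uri)
    if m is None:
        raise ValueError("not a sip:user@host URI: %r" % uri)
    return m.group(1), m.group(2)


def proxy_to_pstn(number, gw_host):
    """Proxy side: only calls routed to the PSTN get the prefix added."""
    return "sip:%s%s@%s" % (PREFIX, number, gw_host)


def gateway_handle(ruri):
    """Gateway side: accept only prefixed userparts, strip the prefix.

    Returns the number to dial, or None when the request is refused."""
    user, _host = split_uri(ruri)
    if not user.startswith(PREFIX):
        return None
    return user[len(PREFIX):]


def outcome(contact_uri):
    """What happens to a Contact: (registered?, result if a call is forwarded to it)."""
    if not registrar_accepts(contact_uri):
        return (False, None)
    # A call to a registered user is forwarded with the Contact as R-URI.
    return (True, gateway_handle(contact_uri))


if __name__ == "__main__":
    # Constructed sample Contacts: one using a hostname that points at the
    # gateway, and one that tries to carry the prefix itself.
    for c in ("sip:01666555444@gw.example.net",
              "sip:secret_word_01666555444@gw.example.net"):
        print(c, outcome(c))
    print(gateway_handle(proxy_to_pstn("01666555444", "gw.example.net")))
```

The check never looks at the hostpart, so it gives the same result whether the Contact names the gateway by IP address or by a domain.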



