[OpenSER-Users] Security hole in REGISTER's Contact using domain

Iñaki Baz Castillo ibc at in.ilimit.es
Fri Dec 14 11:59:42 CET 2007


On Friday 14 December 2007 11:28:10 klaus.mailinglists at pernau.at wrote:
> Hi!

Thanks for such a complete and didactic reply ;)


> This is what I do:
>
> 1. use permissions module to:
>  - deny REGISTER with contact which points to IP of gateways by using a
> regexp which also detects leading 0
>  - deny domain names in contact URI. yes, this is not RFC conform and will
> break SMTP style forwarding

Opssss, bob and alice will be very angry with you.


>
> 2. newer openser with blacklist feature:
>  - put all the sensitive IP addresses on the blacklist
>  - if the proxy routes a call by purpose to the gateway (detects PSTN
> call) then the blacklist is not activated
>  - for all other calls the blacklist is activated thus the proxy can not
> send a request to the gateway by mistake.

Nice solution, but:
I want to allow some SIP domains of OpenSer to use their own gateway (maybe 
an Asterisk), and this Asterisk could be behind dynamic ADSL and NAT.
Later, when users of that domain make a PSTN call, my OpenSer looks for the "pbx" 
registered user (Asterisk) and sends the INVITE to that location (keeping the 
called extension):

  # pseudo-condition: the request is a call to a PSTN number
  if (call to PSTN number) {
      # remember the dialled number, then look up where "pbx" registered
      $var(rU_original) = $rU;
      $rU = "pbx";
      if (lookup("location")) {
          # restore the dialled extension and relay to the PBX's Contact
          $rU = $var(rU_original);
          t_relay();
          exit;
      }
  }

So in this case I should play with a prefix in the username or headers.



> 3. older openser without blacklist feature
>  - either check domain part of RURI in gateway (like Juha told), (make
> sure to reject out-of-dialog requests with pre-loaded route set in
> strict-router syntax which will cause some gateways to use the Route set
> instead of the target URI)
>  - use some secret which is known only to the proxy and the gateway, e.g:
>    - add a certain header which is checked for existence in the gateway
> (works of course only with gateways which allow this feature like
> Asterisk)

>    - do not use a prefix to the RURI as secret as Cisco and Asterisk will
> use the userpart of RURI in the userpart of Contact URI - thus the
> secret prefix is visible to the attacker

But this is not a problem if you set:
  ALL : "^sip:\s*secret.*"
in "register.deny".

>  - use certain port for communication with gateway. e.g. configure openser
> to listen on port 6060 too. This port will be blocked by firewall from
> outside - thus SIP client can not send requests to port 6060. In openser,
> when sending a request to the gateway do a
> "force_send_socket("ip:6060")". This causes openser to not use default
> 5060 but 6060 as source port (works only with UDP). Then in the gateway
> accept only SIP requests coming from port 6060 (e.g. ip access rules in
> Cisco gateways, iptables with Asterisk). If the proxy sends a request to
> the gateway by mistake (attack) it will send the request from port 5060
> and it can't be sent to the gateway as the firewall blocks.


Really, thanks for everything!



-- 
Iñaki Baz Castillo
ibc at in.ilimit.es
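As an added illustration of the REGISTER-side checks discussed in this thread (deny Contacts that point at a gateway IP even when written with leading zeros, deny domain names in the Contact host, and the "register.deny" rule against the secret prefix), here is a small Python validator. It is example code written for this page, not OpenSER's permissions module; the gateway addresses and the secret prefix are constructed placeholders.

```python
"""Added example: Contact-header policy checks for REGISTER, modelled on the
register.deny ideas in the thread. Not OpenSER code; values are placeholders."""
import re

# Constructed placeholders: the PSTN gateway addresses and the proxy/gateway secret.
GATEWAY_IPS = {"192.0.2.10", "192.0.2.11"}
SECRET_PREFIX = "secret"

# Minimal SIP URI parser for a Contact value such as "<sip:user@host:port;params>".
CONTACT_RE = re.compile(
    r"<?sip:(?:(?P<user>[^@;>]*)@)?(?P<host>[^:;>?]+)(?::(?P<port>\d+))?")
DOTTED_QUAD = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")


def normalize_host(host):
    """Canonicalise an IPv4 literal so that '010.1.1.1' and '10.1.1.1' compare
    equal (the leading-zero trick a naive regexp misses). Returns None for
    anything that is not a valid dotted quad, i.e. for domain names."""
    if not DOTTED_QUAD.match(host):
        return None
    octets = [int(o) for o in host.split(".")]  # int() drops leading zeros
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets)


def check_contact(contact):
    """Return (accepted, reason) for one Contact header value, applying the
    thread's policy: no gateway IPs, no domain names, no secret prefix."""
    m = CONTACT_RE.search(contact)
    if not m:
        return False, "unparseable contact"
    # register.deny used "^sip:\s*secret", so tolerate whitespace before the user part
    user = (m.group("user") or "").lstrip()
    ip = normalize_host(m.group("host"))
    if ip is None:
        return False, "domain name in contact"
    if ip in GATEWAY_IPS:
        return False, "contact points at gateway"
    if user.startswith(SECRET_PREFIX):
        return False, "secret prefix in user part"
    return True, "ok"
```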



