[OpenSER-Users] my small security breach REGISTER

Carsten Bock lists at bock.info
Thu Sep 6 13:05:51 CEST 2007


Hi Marc,

In OpenSER 1.2, you could add something like 

if ($au != $fU) {
	sl_send_reply("403", "Screening failed");
}

$au = Authorization Username
$fU = Username in the From-SIP-URI

I believe in former versions of OpenSER there was a function for this,
but I don't remember.

Carsten

On Thursday, 06.09.2007, 12:39 +0200, Marc LEURENT wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Even then... how to deny it with openser!
> Cirpack can do it: for example, if I put a contact name different from my auth name, it replies with an error!
> It prevents another person from receiving your calls!!
> 
> 
> Look, you have in From and Contact header the user 105
> > From: <sip:105 at sd-7501.dedibox.fr:5060;user=phone>;tag=c0a80101-38c0e7.
> 
> but my user is the 106 user
> > Authorization: Digest username="106", realm="sd-7501.dedibox.fr", nonce="46dfceb402cad04812873b855bc50ea65aa99ed5", uri="sip:sd-7501.dedibox.fr",
> > response="7dca83fd358a9aea3a963f4a71ea5c9e", algorithm=MD5, qop=auth, cnonce="38c102", nc=00000001.
> 
> 
> > #
> > U 82.127.0.79:1045 -> 88.191.45.91:5060
> > REGISTER sip:sd-7501.dedibox.fr;user=phone SIP/2.0.
> > Via: SIP/2.0/UDP 82.127.0.79:1046;branch=z9hG4bK5808036470869310420.
> > From: <sip:105 at sd-7501.dedibox.fr:5060;user=phone>;tag=c0a80101-38c0e7.
> > To: <sip:105 at sd-7501.dedibox.fr:5060;user=phone>.
> > Call-ID: 29eb6e9-c0a80101-5-17 at 192.168.95.70.
> > CSeq: 90 REGISTER.
> > Max-Forwards: 70.
> > Expires: 3600.
> > Contact: <sip:105 at 82.127.0.79:1046;user=phone>.
> > Authorization: Digest username="106", realm="sd-7501.dedibox.fr", nonce="46dfceb402cad04812873b855bc50ea65aa99ed5", uri="sip:sd-7501.dedibox.fr",
> > response="7dca83fd358a9aea3a963f4a71ea5c9e", algorithm=MD5, qop=auth, cnonce="38c102", nc=00000001.
> > User-Agent: THOMSON ST2030 hw0 fw1.56 00-0E-50-4E-AF-C4.
> > Allow-Events: refer,dialog,message-summary,check-sync,talk,hold.
> > Content-Length: 0.
> 
> 
> Carsten Bock wrote:
> > Hi Marc,
> > 
> > The problem is not the contact, but the From-Header. The From-Header
> > contains the username, which registers. The Contact Header (according to
> > RFC 3261) must be a valid URI, that's all (e.g. some CPE's put
> > sip:<ip-address>:line=xyz in contact).
> > 
> > Carsten
> > 
> > On Thursday, 06.09.2007, 12:01 +0200, Marc LEURENT wrote:
> > I have a security matter with my configuration (the default one): it's possible to register using login/password and to set anything in the contact field.
> > So if you have an account 106/password, it's possible to be 105 in the location database!
> > 
> > How is it possible to deny that kind of thing..? Thanks
> > 
> > Is it useful to use method_filtering of the REGISTRAR module?
> > Or is it better to do something with the values below and a compare function??
> > $ct - reference to body of contact header
> > $ar - realm from Authorization or Proxy-Authorization header
> > $au - username from Authorization or Proxy-Authorization header
> > 
> > if ($ct != $au@$ar) {
> > 	sl_send_reply("403", "User and login must be the same");
> > };
> > 
> > Best Regards,
> > 
> > Marc LEURENT
> > 
> > 
> > #
> > U 82.127.0.79:1045 -> 88.191.45.91:5060
> > REGISTER sip:sd-7501.dedibox.fr;user=phone SIP/2.0.
> > Via: SIP/2.0/UDP 82.127.0.79:1046;branch=z9hG4bK5808036470869310420.
> > From: <sip:105 at sd-7501.dedibox.fr:5060;user=phone>;tag=c0a80101-38c0e7.
> > To: <sip:105 at sd-7501.dedibox.fr:5060;user=phone>.
> > Call-ID: 29eb6e9-c0a80101-5-17 at 192.168.95.70.
> > CSeq: 90 REGISTER.
> > Max-Forwards: 70.
> > Expires: 3600.
> > Contact: <sip:105 at 82.127.0.79:1046;user=phone>.
> > Authorization: Digest username="106", realm="sd-7501.dedibox.fr", nonce="46dfceb402cad04812873b855bc50ea65aa99ed5", uri="sip:sd-7501.dedibox.fr",
> > response="7dca83fd358a9aea3a963f4a71ea5c9e", algorithm=MD5, qop=auth, cnonce="38c102", nc=00000001.
> > User-Agent: THOMSON ST2030 hw0 fw1.56 00-0E-50-4E-AF-C4.
> > Allow-Events: refer,dialog,message-summary,check-sync,talk,hold.
> > Content-Length: 0.
> > .
> > 
> > 
> >         AOR:: 105
> >                 Contact:: sip:105 at 82.127.0.79:1046;user=phone Q=
> >                         Expires:: 194
> >                         Callid:: 29eb6e9-c0a80101-5-17 at 192.168.95.70
> >                         Cseq:: 92
> >                         User-agent:: THOMSON ST2030 hw0 fw1.56 00-0E-50-4E-AF-C4
> >                         Received:: sip:82.127.0.79:1045
> >                         State:: CS_SYNC
> >                         Flags:: 0
> >                         Cflag:: 192
> >                         Socket:: udp:88.191.45.91:5060
> >                         Methods:: 4294967295
> > 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQFG39j0qjpLE0HiOBYRAlmQAJoDVJpStaoD/9SwcyJ3Yg27S1k1VwCgo4RD
> oiS5S+tLQB/Pwqt6hOpkyxY=
> =/x6c
> -----END PGP SIGNATURE-----
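The check Carsten describes ($au, the Digest username, must equal $fU, the user part of the From URI) is what the OpenSER script does after www_authorize() succeeds. As an added illustration that is not part of this thread or of OpenSER, the following Python script models the same comparison on a raw REGISTER so it can be tested against a capture or a log. The sample message is constructed from the trace quoted above (with the list's "at" obfuscation restored to "@"); the function names and the strict From-only rule are assumptions of this example, not OpenSER behaviour.

```python
import re

# Constructed sample REGISTER, modelled on the trace quoted in this thread:
# From/To say user 105 while the Digest credentials belong to user 106.
SAMPLE_REGISTER = (
    "REGISTER sip:sd-7501.dedibox.fr;user=phone SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 82.127.0.79:1046;branch=z9hG4bK5808036470869310420\r\n"
    "From: <sip:105@sd-7501.dedibox.fr:5060;user=phone>;tag=c0a80101-38c0e7\r\n"
    "To: <sip:105@sd-7501.dedibox.fr:5060;user=phone>\r\n"
    "Call-ID: 29eb6e9-c0a80101-5-17@192.168.95.70\r\n"
    "CSeq: 90 REGISTER\r\n"
    "Max-Forwards: 70\r\n"
    "Expires: 3600\r\n"
    "Contact: <sip:105@82.127.0.79:1046;user=phone>\r\n"
    'Authorization: Digest username="106", realm="sd-7501.dedibox.fr", '
    'nonce="46dfceb402cad04812873b855bc50ea65aa99ed5", uri="sip:sd-7501.dedibox.fr", '
    'response="7dca83fd358a9aea3a963f4a71ea5c9e", algorithm=MD5, qop=auth, '
    'cnonce="38c102", nc=00000001\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

# One Digest parameter: name=quoted-string or name=token.
DIGEST_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')

# User part of the first SIP/SIPS URI in a name-addr or addr-spec.
URI_USER = re.compile(r"sips?:([^@:;>\s]+)@")


def parse_headers(msg):
    """Map lower-cased header name -> value for the message head.

    Folded continuation lines are joined; a repeated header (e.g. Via)
    keeps only the last value, which is enough for From/Contact/Authorization.
    """
    head = msg.split("\r\n\r\n", 1)[0]
    headers = {}
    last = None
    for line in head.split("\r\n")[1:]:  # skip the request line
        if line[:1] in (" ", "\t") and last is not None:
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return headers


def digest_params(auth_value):
    """Parse 'Digest k=v, k="v", ...' into a dict; {} for other schemes."""
    scheme, _, params = auth_value.partition(" ")
    if scheme.lower() != "digest":
        return {}
    out = {}
    for m in DIGEST_PARAM.finditer(params):
        out[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def uri_user(name_addr):
    """User part of the URI in a From/To/Contact value, or None if absent."""
    m = URI_USER.search(name_addr)
    return m.group(1) if m else None


def screen_register(msg):
    """Apply the $au != $fU rule. Returns (allowed, reason).

    Assumed to run only after the Digest response itself has been verified
    (www_authorize in OpenSER); this function checks identity binding, not
    the password.
    """
    h = parse_headers(msg)
    au = digest_params(h.get("authorization", "")).get("username")
    if au is None:
        return False, "no Digest credentials"
    fu = uri_user(h.get("from", ""))
    if fu != au:
        return False, "From user %r does not match auth user %r" % (fu, au)
    # Per the thread, Contact only has to be a valid URI; report it, don't enforce it.
    return True, "ok (Contact user: %r)" % uri_user(h.get("contact", ""))


if __name__ == "__main__":
    print(screen_register(SAMPLE_REGISTER))
    fixed = SAMPLE_REGISTER.replace("sip:105@sd-7501", "sip:106@sd-7501")
    print(screen_register(fixed))
```

Run on the constructed sample the check rejects the message (From says 105, credentials say 106), which is exactly the binding that would otherwise let account 106 appear as 105 in the location table; with From rewritten to 106 it passes even though Contact still carries a foreign host, matching Carsten's point that Contact need only be a valid URI.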