[Kamailio-Users] kamailio 1.4 INVITE authentication bypass
Alex Balashov
abalashov at evaristesys.com
Mon Sep 7 12:03:16 CEST 2009
Weird; the code you pasted is unmistakably *my* route script, written
in my exact (older) style, and even with error messages of my rhetorical
character. I think I must've posted it at some point as example code.
Anyway, the reason you are having this problem is that the logic causes
consume_credentials() to be run even if the INVITE is trusted (i.e.
allow_trusted() is true), in which case there is no authentication
challenge (proxy_authorize()) and therefore, no authentication digest
headers.
The solution is to bifurcate the logic into a disjunction:
if(is_from_local()) {
    if(!allow_trusted()) {
        xlog("L_INFO", "[ROUTE-2 !] Issuing proxy challenge\n");

        if(!proxy_authorize("", "subscriber")) {
            proxy_challenge("", "1");
            exit;
        }
        else if(!check_from()) {
            xlog("L_INFO", "[ROUTE-2 !] From URI denied\n");
            sl_send_reply("403", "Forbidden");
            exit;
        }

        ### PUT consume_credentials() HERE INSTEAD ***
        consume_credentials();
    }
    else {
        xlog("L_INFO", "[ROUTE-2 !] From URI domain not local - denied\n");
        sl_send_reply("403", "Forbidden");
        exit;
    }
}
Asim Riaz wrote:
> Hi List,
> I am using kamailio 1.4 and authenticating INVITEs if the source IP
> address is not in the trusted table, but one IP which is not in the
> trusted table was able to bypass INVITE authentication. I don't have
> SIP traces saved from the call, but when that was happening I could see
> that the INVITE didn't have auth credentials, yet the caller was able to
> bypass authentication and was sending calls to my upstream gateway.
>
> Caller's IP is definitely not in the trusted table; I am just wondering
> whether there is something wrong in my script or whether a similar issue
> has been reported before.
>
> Thanks in Advance
>
> Asim
>
> route[2] {
>     xlog("L_INFO", "[ROUTE-2] Received initial INVITE from $si\n");
>
>     setflag(2);
>     setflag(3);
>
>     if(is_from_local()) {
>         if(!allow_trusted()) {
>             xlog("L_INFO", "[ROUTE-2 !] Issuing proxy challenge\n");
>
>             if(!proxy_authorize("", "subscriber")) {
>                 proxy_challenge("", "1");
>                 exit;
>             }
>             else if(!check_from()) {
>                 xlog("L_INFO", "[ROUTE-2 !] From URI denied\n");
>                 sl_send_reply("403", "Forbidden");
>                 exit;
>             }
>         }
>         else {
>             xlog("L_INFO", "[ROUTE-2 !] From URI domain not local - denied\n");
>             sl_send_reply("403", "Forbidden");
>             exit;
>         }
>     }
>
>     consume_credentials();
>
>     xlog("L_INFO", "[ROUTE-2 ->] Authentication credentials valid\n");
>
>     if(nat_uac_test("1")) {
>         xlog("L_INFO", "[ROUTE-2 ->] RFC1918 contact found - fixing up\n");
>         fix_nated_contact();
>         force_rport();
>         setbflag(7);
>     }
>
>     if(nat_uac_test("8") && search("Content-Type: application/sdp")) {
>         xlog("L_INFO", "[ROUTE-2 ->] RFC1918 SDP endpoint found - fixing up\n");
>         fix_nated_sdp("10");
>     }
>
>     # Apply outbound translations and figure out where to route the call.
>     route(4); # this routes the calls to the upstream gateway
> }
>
>
> These messages I was getting in syslog:
>
> [ROUTE-2] Received initial INVITE from xxx.xxx.xxx.xxx(Caller_IP)
>
> ERROR:auth:consume_credentials: no authorized credentials found (error
> in scripts)
>
> [ROUTE-2 ->] Authentication credentials valid
>
> [ROUTE-4] Applying outbound translations to: 0022334455
>
> [ROUTE-4 ->] Translated RURI user part to: 22334455
>
> [ROUTE-4 ->] Gateway election: my_upstream_gateway
>
> [ROUTE-5] Accounting translation: sip:0022334455 at my_upstream_gateway
>
> [ROUTE-2 ->] Relaying
--
Alex Balashov - Principal
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (678) 237-1775
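An added check, not from either message in this thread, that scans syslog output like the lines Asim posted and reports INVITEs that were relayed after the auth module logged that no credentials were present and no proxy challenge was ever issued. The sample lines are constructed (addresses are documentation-range placeholders), and the code assumes that the log lines of one call are not interleaved with another call's.

```python
import re

# Constructed sample syslog excerpt, modelled on the lines quoted in the thread:
# the first call is relayed although the auth module never saw credentials and
# no challenge was issued; the second is challenged and then relayed as expected.
# The addresses are documentation-range placeholders, not real callers.
SAMPLE_LOG = """\
[ROUTE-2] Received initial INVITE from 198.51.100.7
ERROR:auth:consume_credentials: no authorized credentials found (error in scripts)
[ROUTE-2 ->] Authentication credentials valid
[ROUTE-4] Applying outbound translations to: 0022334455
[ROUTE-4 ->] Gateway election: my_upstream_gateway
[ROUTE-2 ->] Relaying
[ROUTE-2] Received initial INVITE from 203.0.113.9
[ROUTE-2 !] Issuing proxy challenge
[ROUTE-2] Received initial INVITE from 203.0.113.9
[ROUTE-2 !] Issuing proxy challenge
[ROUTE-2 ->] Relaying
"""

INVITE_RE = re.compile(r"\[ROUTE-2\] Received initial INVITE from (\S+)")
NO_CREDS = "consume_credentials: no authorized credentials found"
CHALLENGE = "[ROUTE-2 !] Issuing proxy challenge"
RELAY = "[ROUTE-2 ->] Relaying"

def find_unchallenged_relays(log_text):
    """Return the source IPs of INVITEs that were relayed after the auth module
    reported missing credentials and no proxy challenge was logged for them.
    Assumption: lines of one call are not interleaved with another call's
    (these messages carry no Call-ID to correlate on)."""
    hits = []
    call = None
    for line in log_text.splitlines():
        m = INVITE_RE.search(line)
        if m:
            # A new initial INVITE starts fresh per-call state
            call = {"ip": m.group(1), "challenged": False, "no_creds": False}
        elif call is None:
            continue
        elif CHALLENGE in line:
            call["challenged"] = True
        elif NO_CREDS in line:
            call["no_creds"] = True
        elif RELAY in line:
            if call["no_creds"] and not call["challenged"]:
                hits.append(call["ip"])
            call = None
    return hits

if __name__ == "__main__":
    for ip in find_unchallenged_relays(SAMPLE_LOG):
        print("relayed without credentials or challenge:", ip)
```

With consume_credentials() moved inside the challenged branch as Alex suggests, the auth module's "no authorized credentials found" line should not be logged for a relayed call at all, so any hit from this check is worth a closer look at the trusted table and the script.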