[Kamailio-Users] kamailio 1.4 INVITE authentication bypass

Klaus Darilion klaus.mailinglists at pernau.at
Mon Sep 7 18:07:08 CEST 2009


maybe the user tried some tricks? e.g.
- spoofing in-dialog requests (Route headers, To-tags ...)
- external domain !isfromlocal() and direct addressing of the gateway

klaus

Asim Riaz wrote:
> Hi List,
> I am using kamailio 1.4 and authenticating INVITE if the source IP 
> address is not in the trusted table, but one of the IPs which is not in the 
> trusted table was able to bypass INVITE authentication. I don’t have 
> SIP traces saved from the called but when that was happening I could see 
> that the INVITE didn’t have auth credentials but caller was able to 
> bypass authentication and was sending calls to my upstream gateway.
> 
> Caller’s IP is definitely not in the trusted table. I am just wondering 
> whether something is wrong in my script or whether a similar issue has been reported before.
> 
> Thanks in Advance
> 
> Asim
> 
> route[2] {
>         xlog("L_INFO", "[ROUTE-2] Received initial INVITE from $si\n");
> 
>         setflag(2);
>         setflag(3);
> 
>         if(is_from_local()) {
>                 if(!allow_trusted()) {
>                         xlog("L_INFO", "[ROUTE-2 !] Issuing proxy challenge\n");
> 
>                         if(!proxy_authorize("", "subscriber")) {
>                                 proxy_challenge("", "1");
>                                 exit;
>                         }
> 
>                         else if(!check_from()) {
>                                 xlog("L_INFO", "[ROUTE-2 !] From URI denied\n");
>                                 sl_send_reply("403", "Forbidden");
>                                 exit;
>                         }
>                 }
> 
>                 else {
>                         xlog("L_INFO", "[ROUTE-2 !] From URI domain not local - denied\n");
>                         sl_send_reply("403", "Forbidden");
>                         exit;
>                 }
>         }
>         consume_credentials();
> 
>         xlog("L_INFO", "[ROUTE-2 ->] Authentication credentials valid\n");
> 
>         if(nat_uac_test("1")) {
>                 xlog("L_INFO", "[ROUTE-2 ->] RFC1918 contact found - fixing up\n");
>                 fix_nated_contact();
>                 force_rport();
>                 setbflag(7);
>         }
> 
> 
>         if(nat_uac_test("8") && search("Content-Type: application/sdp")) {
>                 xlog("L_INFO", "[ROUTE-2 ->] RFC1918 SDP endpoint found - fixing up\n");
>                 fix_nated_sdp("10");
>         }
> 
> 
>         # Apply outbound translations and figure out where to route the call.
> 
>         route(4); # this routes the calls to the upstream gateway.
> }
> 
> 
> These messages I was getting in syslog
> 
> [ROUTE-2] Received initial INVITE from xxx.xxx.xxx.xxx(Caller_IP)
> 
> ERROR:auth:consume_credentials: no authorized credentials found (error in scripts)
> 
>  [ROUTE-2 ->] Authentication credentials valid
> 
>  [ROUTE-4] Applying outbound translations to: 0022334455
> 
>  [ROUTE-4 ->] Translated RURI user part to: 22334455
> 
>  [ROUTE-4 ->] Gateway election: my_upstream_gateway
> 
>  [ROUTE-5] Accounting translation: sip:0022334455 at my_upstream_gateway
> 
>  [ROUTE-2 ->] Relaying
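
The second hint above can be read off the quoted route[2]: when is_from_local() is false the whole authentication block is skipped, so the request reaches consume_credentials() and route(4) unauthenticated, which is consistent with the "no authorized credentials found" line in the syslog excerpt. The restructuring below is an added example, not code from this thread; it assumes the intended policy is that trusted source IPs relay without digest authentication while every other source needs a local From domain and valid credentials, and it uses only functions already present in the quoted script.

```kamailio
# Added example: route[2] restructured so that every path to route(4)
# has passed either allow_trusted() or proxy_authorize().
route[2] {
        xlog("L_INFO", "[ROUTE-2] Received initial INVITE from $si\n");

        setflag(2);
        setflag(3);

        if(!allow_trusted()) {
                # Untrusted source IP. Assumed policy: the From domain must
                # be local; reject here instead of falling through.
                if(!is_from_local()) {
                        xlog("L_INFO", "[ROUTE-2 !] From URI domain not local - denied\n");
                        sl_send_reply("403", "Forbidden");
                        exit;
                }

                if(!proxy_authorize("", "subscriber")) {
                        xlog("L_INFO", "[ROUTE-2 !] Issuing proxy challenge\n");
                        proxy_challenge("", "1");
                        exit;
                }

                if(!check_from()) {
                        xlog("L_INFO", "[ROUTE-2 !] From URI denied\n");
                        sl_send_reply("403", "Forbidden");
                        exit;
                }

                # Only reached after proxy_authorize() succeeded, so there
                # are authorized credentials to strip.
                consume_credentials();
                xlog("L_INFO", "[ROUTE-2 ->] Authentication credentials valid\n");
        } else {
                xlog("L_INFO", "[ROUTE-2 ->] Source $si is in trusted table\n");
        }

        if(nat_uac_test("1")) {
                fix_nated_contact();
                force_rport();
                setbflag(7);
        }

        if(nat_uac_test("8") && search("Content-Type: application/sdp")) {
                fix_nated_sdp("10");
        }

        route(4);
}
```

This covers only initial INVITEs handled in route[2]; the first hint (spoofed in-dialog requests) concerns the part of the script that handles requests carrying a To-tag, which is not shown in the thread.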