[SR-Users] INVITE messages not authenticated (default configuration)?

Paul Belanger paul.belanger at polybeacon.com
Thu Mar 7 23:20:29 CET 2013


Greeting,

Hopefully, I'm understanding the following default kamailio.cfg[1]
file.  Over the weekend, I was attached by SipVicious.  Following
along with the example Daniel[2] create with kamailio and asterisk, I
have almost the same setup.  Rather then storing my SIP profiles in
Asterisk database, I have then in Kamailio.

To my point, the attacker was actually able to by pass any sort of
authentication, but simply sending an INIVTE message:

./svmap.py -e 18885551234 kamailio.example.org -m INVITE

Which kamailio, forwarded to Asterisk and because there is no
additional auth within asterisk, was able to hit the asterisk context
for getting processed (they did not get out to the real world).
However, my question is.... why do we not authenticate INVITE
messages?  If my understanding is correct, if would require something
like the following:

if (is_method("INVITE")) {
    if (!proxy_authorize("$fd", "subscriber")) {
        proxy_challenge("$fd", "0");
        exit;
    }
}

If so, why not also do it in the default configuration file?

[1] http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=blob_plain;f=etc/kamailio.cfg;hb=HEAD
[2] http://kb.asipto.com/asterisk:realtime:kamailio-3.3.x-asterisk-10.7.0-astdb
-- 
Paul Belanger | PolyBeacon, Inc.
Jabber: paul.belanger at polybeacon.com | IRC: pabelanger (Freenode)
Github: https://github.com/pabelanger | Twitter: https://twitter.com/pabelanger



More information about the sr-users mailing list