[SR-Users] INVITE messages not authenticated (default configuration)?
Barry Flanagan
barry at flanagan.ie
Fri Mar 8 18:00:51 CET 2013
On 7 March 2013 22:20, Paul Belanger <paul.belanger at polybeacon.com> wrote:
> Greeting,
>
> Hopefully, I'm understanding the following default kamailio.cfg[1]
> file. Over the weekend, I was attached by SipVicious. Following
> along with the example Daniel[2] create with kamailio and asterisk, I
> have almost the same setup. Rather then storing my SIP profiles in
> Asterisk database, I have then in Kamailio.
>
I also have a test installation originally based on Daniel's example and
have come across the same issue. I also placed a stanza such as the one
below into my [AUTH] route so that INVITES must be authenticated. Given
that in this setup Asterisk is trusting any INVITES from Kamailio it seems
like it should be there for sure.
However, I also found another issue on the Asterisk side related to this. I
raised it on the Asterisk-users list but did not get any replies. Might be
worth a read, and if anyone else here has any idea I would be grateful.
Post is at
http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
Regards,
-Barry
> To my point, the attacker was actually able to by pass any sort of
> authentication, but simply sending an INIVTE message:
>
> ./svmap.py -e 18885551234 kamailio.example.org -m INVITE
>
> Which kamailio, forwarded to Asterisk and because there is no
> additional auth within asterisk, was able to hit the asterisk context
> for getting processed (they did not get out to the real world).
> However, my question is.... why do we not authenticate INVITE
> messages? If my understanding is correct, if would require something
> like the following:
>
> if (is_method("INVITE")) {
> if (!proxy_authorize("$fd", "subscriber")) {
> proxy_challenge("$fd", "0");
> exit;
> }
> }
>
> If so, why not also do it in the default configuration file?
>
> [1]
> http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=blob_plain;f=etc/kamailio.cfg;hb=HEAD
> [2]
> http://kb.asipto.com/asterisk:realtime:kamailio-3.3.x-asterisk-10.7.0-astdb
> --
> Paul Belanger | PolyBeacon, Inc.
> Jabber: paul.belanger at polybeacon.com | IRC: pabelanger (Freenode)
> Github: https://github.com/pabelanger | Twitter:
> https://twitter.com/pabelanger
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20130308/7545bc16/attachment.htm>
More information about the sr-users
mailing list