[SR-Users] INVITE messages not authenticated (default configuration)?

Fred Posner fred at teamforrest.com
Fri Mar 8 18:28:10 CET 2013


I think there are two ways of looking at this...

1) That Kamailio is sending all the calls to Asterisk.

2) That the Asterisk is sending the calls through

I think the post Barry placed on the Asterisk list identifies a serious 
issue; that being said, the easy way on #1 to help avoid this, IMO,...

A) Set a flag after consuming credentials

B) Update the logic so that any call not intended for a local destination on 
that Asterisk box (DID, extension) is then checked for the flag set in 
A. If the flag isn't there, reject the call with 403 or whatever you wish.

If you have a lot of DIDs, you can do a lookup in the routing.

-- 
fred
http://qxork.com

On 3/8/13 12:00 PM, Barry Flanagan wrote:
> On 7 March 2013 22:20, Paul Belanger <paul.belanger at polybeacon.com> wrote:
>
>     Greetings,
>
>     Hopefully, I'm understanding the following default kamailio.cfg[1]
>     file.  Over the weekend, I was attacked by SipVicious.  Following
>     along with the example Daniel[2] created with Kamailio and Asterisk, I
>     have almost the same setup.  Rather than storing my SIP profiles in
>     the Asterisk database, I have them in Kamailio.
>
>
> I also have a test installation originally based on Daniel's example and
> have come across the same issue. I also placed a stanza such as the one
> below into my [AUTH] route so that INVITES must be authenticated. Given
> that in this setup Asterisk is trusting any INVITES from Kamailio it
> seems like it should be there for sure.
>
> However, I also found another issue on the Asterisk side related to
> this. I raised it on the Asterisk-users list but did not get any
> replies. Might be worth a read, and if anyone else here has any idea I
> would be grateful. Post is at
> http://lists.digium.com/pipermail/asterisk-users/2013-February/277633.html
>
> Regards,
>
> -Barry
>
>
>
>     To my point, the attacker was actually able to bypass any sort of
>     authentication by simply sending an INVITE message:
>
>     ./svmap.py -e 18885551234 kamailio.example.org -m INVITE
>
>     Which Kamailio forwarded to Asterisk, and because there is no
>     additional auth within Asterisk, it was able to hit the Asterisk context
>     and get processed (they did not get out to the real world).
>     However, my question is.... why do we not authenticate INVITE
>     messages?  If my understanding is correct, it would require something
>     like the following:
>
>     if (is_method("INVITE")) {
>          if (!proxy_authorize("$fd", "subscriber")) {
>              proxy_challenge("$fd", "0");
>              exit;
>          }
>     }
>
>     If so, why not also do it in the default configuration file?
>
>     [1]
>     http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=blob_plain;f=etc/kamailio.cfg;hb=HEAD
>     [2]
>     http://kb.asipto.com/asterisk:realtime:kamailio-3.3.x-asterisk-10.7.0-astdb
>     --
>     Paul Belanger | PolyBeacon, Inc.
>     Jabber: paul.belanger at polybeacon.com | IRC: pabelanger (Freenode)
>     Github: https://github.com/pabelanger | Twitter:
>     https://twitter.com/pabelanger
>
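Putting the two proposals in this thread together as one routing fragment: Paul's INVITE challenge in route[AUTH], Fred's step A (set a flag once credentials are consumed) and step B (reject any INVITE to a non-local destination that does not carry the flag before it is handed to Asterisk). This is an added example, not code from Fred, Paul, Barry or the stock kamailio.cfg. It assumes the auth, auth_db, sl, tm, registrar and textops modules are loaded as in the default config, that accounts live in the "subscriber" table and that $fd is the realm, as in Paul's snippet; the flag number FLT_AUTHED, the DID pattern and the Asterisk address are placeholders.

```kamailio
# Added example (not from the thread or from kamailio.cfg). Assumptions:
# auth, auth_db, sl, tm, registrar, textops loaded; accounts in the
# "subscriber" table; $fd (From domain) used as realm. FLT_AUTHED, the DID
# pattern and the Asterisk address below are placeholders.

#!define FLT_AUTHED 20

request_route {
    # sanity checks, NAT handling, loose_route and REGISTER handling from
    # the stock config belong here and are left out for brevity
    route(AUTH);

    if (is_method("INVITE")) {
        route(TOASTERISK);
        exit;
    }
}

# Paul's proposal plus Fred's step A: challenge INVITEs and remember
# that this request carried valid credentials
route[AUTH] {
    if (is_method("INVITE")) {
        if (!proxy_authorize("$fd", "subscriber")) {
            proxy_challenge("$fd", "0");
            exit;
        }
        # credentials checked out: strip them so Asterisk never sees them,
        # then mark the request as authenticated
        consume_credentials();
        setflag(FLT_AUTHED);
    }
    return;
}

# Fred's step B: a call that is not for a local extension or DID must
# carry the flag, otherwise it never reaches Asterisk
route[TOASTERISK] {
    $var(local) = 0;

    if (registered("location")) {
        # extension registered at this proxy
        $var(local) = 1;
    } else if ($rU =~ "^1888555[0-9]{4}$") {
        # placeholder DID range; with many DIDs do a table lookup instead
        $var(local) = 1;
    }

    if ($var(local) == 0 && !isflagset(FLT_AUTHED)) {
        # unauthenticated INVITE to a non-local number (the svmap case)
        sl_send_reply("403", "Forbidden");
        exit;
    }

    # hand the call to Asterisk (placeholder address)
    $du = "sip:asterisk.example.org:5060";
    route(RELAY);
}

route[RELAY] {
    if (!t_relay()) {
        sl_reply_error();
    }
    exit;
}
```

With this in place an INVITE like the svmap one gets a 407 challenge from route[AUTH]; should a request ever reach route[TOASTERISK] without passing that route (for example through a later change to request_route), the missing flag still stops it with a 403 before Asterisk, which trusts everything from Kamailio, sees it.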