[OpenSER-Users] Security hole in REGISTER's Contact using domain

Iñaki Baz Castillo ibc at aliax.net
Thu Dec 13 22:58:19 CET 2007


Hi, the Permissions module tries to avoid REGISTER with privileged IPs in Contact 
(using the "register.deny" file), but I have some doubts about this security.

I'll play with the example explained in the "register.deny" file:

---------------------------------------------------------------------------------------
# Suppose that we have a PSTN gateway with IP address 1.2.3.4
# We should prevent REGISTER messages that contain that IP
# address in Contact header field because that can cause serious
# security hole (a malicious user might be able to register such
# a contact and bypass security checks performed by the SIP proxy).
#
# The following line prevents registering Contacts with IP 1.2.3.4
# (Don't forget to list also all hostnames that can be used to
#  reach the PSTN gateway)

ALL : "^sip:.*1\.2\.3\.4"
---------------------------------------------------------------------------------------


Ok, now a malicious user could just use SipSak to send a malicious REGISTER 
in order to call a PSTN number 01666555444 for free:

 ~# sipsak -U -C sip:01666555444@1.2.3.00004 -a passwd -s sip:200@domain.org

Note the "000004" !!!!

So this causes an entry in "location" with fields:
- username = 200
- domain = domain.org
- contact = sip:01666555444@1.2.3.00004

And sure 1.2.3.00004 is a valid IPv4.

This is: if the user calls himself (sip:200@domain.org) he'll get a free PSTN call. Oppss...

Ok, a solution could be to improve the regular expression by avoiding any 
number of 0's:

  ALL : "^sip:.*0*1\.0*2\.0*3\.0*4"

Ok, but now the malicious user can register a domain "hacking_my_proxy.com" 
to resolve to IP 1.2.3.4, and send this REGISTER:

  ~# sipsak -U -C sip:01666555444@hacking_my_proxy.com -a passwd -s sip:200@domain.org

So this will bypass the "register.deny" policy !!!!

Note that the "register.deny" file says:
# (Don't forget to list also all hostnames that can be used to
#  reach the PSTN gateway)

Of course, it's not possible to list all hostnames and domains resolving to an IP (anyone can 
register a domain to any IP).

So then... is this "register.deny" security really valid????



Solution for this?
-------------------------

- Forbid hostnames or domains in Contact: Ohh, too much anti-RFC 3261 (what would
"alice@pc33.atlanta.com" think about it? XDDD).

- Do a DNS query for the "Contact" during REGISTER: What if DNS changes later?

- Match the resolved IP against IP's in "register.deny" for every INVITE leaving OpenSer. Humm.

- Avoid OpenSer using the internet DNS system (so "hacking_my_proxy.com" wouldn't be resolved) 
and allow just secure domains (internal DNS or /etc/hosts): and what about outbound calls?
Isn't this solution an atrocity?

How to handle it? Is it not a real security hole?

Comments are welcome. Regards.



-- 
Iñaki Baz Castillo
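Added example (not from the post or from OpenSER's permissions module): a REGISTER-time Contact check that addresses the two bypasses described above by comparing IPv4 literals as values instead of as strings, rejecting non-canonical literals such as "1.2.3.00004" outright, and resolving hostnames before matching them against the denied gateway IPs. The `resolver` parameter is an assumption introduced for testing; the real resolver uses system DNS, and like the second bullet above it does not cover DNS that changes after registration.

```python
import re
import socket
from typing import Callable, Iterable, Optional, Set, Tuple

# Gateway addresses that must never appear as a registered Contact
# (the 1.2.3.4 gateway from the register.deny example in the post).
DENIED_IPS = {"1.2.3.4"}

_URI_HOST_RE = re.compile(r"sips?:(?:[^@>\s]*@)?([^:;?>\s]+)")
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_CANON_IPV4_RE = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")  # no leading zeros

def contact_host(contact: str) -> Optional[str]:
    """Host part of the SIP/SIPS URI in a Contact header value, or None."""
    m = _URI_HOST_RE.search(contact)
    return m.group(1) if m else None

def looks_like_ip_literal(host: str) -> bool:
    """True for anything a libc inet_aton might read as an address: all-numeric
    labels, including leading-zero (octal), hex (0x..) and short forms."""
    return all(lbl.isdigit() or lbl.lower().startswith("0x") for lbl in host.split("."))

def resolve_ipv4(host: str) -> Set[str]:
    """Every A record of host via system DNS (assumed default resolver)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)}
    except socket.gaierror:
        return set()

def is_contact_allowed(contact: str, denied: Iterable[str] = DENIED_IPS,
                       resolver: Callable[[str], Set[str]] = resolve_ipv4) -> Tuple[bool, str]:
    """Decide at REGISTER time whether this Contact may be stored in location."""
    host = contact_host(contact)
    if host is None:
        return False, "unparseable Contact URI"
    if _CANON_IPV4_RE.match(host):            # plain dotted quad: compare as a value
        return host not in set(denied), "canonical IPv4 literal"
    if looks_like_ip_literal(host):           # "1.2.3.00004", "16909060", "0x1.0x2.0x3.0x4"
        return False, "non-canonical IPv4 literal"
    addrs = resolver(host)                    # hostname: check what it resolves to now
    if not addrs:
        return False, "hostname does not resolve"
    hits = addrs & set(denied)
    if hits:
        return False, f"hostname resolves to denied IP {sorted(hits)[0]}"
    return True, "hostname resolves only to permitted IPs"
```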