Hi, the Permissions module tries to avoid REGISTERs with privileged IPs in the Contact (using the "register.deny" file), but I have some doubts about this security.
I'll play with the example explained in the "register.deny" file:

---------------------------------------------------------------------------------------
# Suppose that we have a PSTN gateway with IP address 1.2.3.4
# We should prevent REGISTER messages that contain that IP
# address in Contact header field because that can cause serious
# security hole (a malicious user might be able to register such
# a contact and bypass security checks performed by the SIP proxy).
#
# The following line prevents registering Contacts with IP 1.2.3.4
# (Don't forget to list also all hostnames that can be used to
# reach the PSTN gateway)
ALL : "^sip:.*1\.2\.3\.4"
---------------------------------------------------------------------------------------

Ok, now a malicious user could just use SipSak to send a malicious REGISTER in order to call the PSTN number 01666555444 for free:

~# sipsak -U -C sip:[EMAIL PROTECTED] -a passwd -s sip:[EMAIL PROTECTED]

Note the "000004" !!!!

So this causes an entry in "location" with the fields:
- username = 200
- domain = domain.org
- contact = sip:[EMAIL PROTECTED]

And sure, 1.2.3.00004 is a valid IPv4. That is: if the user calls himself (sip:[EMAIL PROTECTED]) he'll get a free PSTN call. Oppss...

Ok, a solution could be to improve the regular expression so that it matches any number of 0's:

ALL : "^sip:.*0*1\.0*2\.0*3\.0*4"

Ok, but now the malicious user can register a domain "hacking_my_proxy.com" that resolves to IP 1.2.3.4, and send this REGISTER:

~# sipsak -U -C sip:[EMAIL PROTECTED] -a passwd -s sip:[EMAIL PROTECTED]

So this will bypass the "register.deny" policy !!!!

Note that the "register.deny" file says:
# (Don't forget to list also all hostnames that can be used to
# reach the PSTN gateway)

Of course, it's not possible to list all the hostnames and domains resolving to an IP (anyone can register a domain pointing to any IP). So then... is this "register.deny" security really valid???? Solution for this?
-------------------------
- Forbid hostnames or domains in Contact: Ohh, too anti-RFC 3261 (what would "[EMAIL PROTECTED]" think about it? XDDD).
- Do a DNS query for the "Contact" during REGISTER: what if the DNS changes later?
- Match the resolved IP against the IPs in "register.deny" for every INVITE leaving OpenSER. Humm.
- Avoid OpenSER using the Internet DNS system (so "hacking_my_proxy.com" wouldn't be resolved) and allow just secure domains (internal DNS or /etc/hosts): and what about outbound calls? Isn't this solution an atrocity?

How should this be handled? Isn't it a real security hole?

Comments are welcome.

Regards.

-- 
Iñaki Baz Castillo

_______________________________________________
Users mailing list
Users@lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/users
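The two bypasses described in this message, as an added example that is not code from the original post or from OpenSER: the original and "improved" register.deny patterns are run over the raw Contact string, beside a check that canonicalizes the Contact host (treating leading-zero octets the way inet_aton does) and resolves it before comparing with the gateway address. The Contact URIs stand in for the ones in the sipsak commands above (assumed to be sip:01666555444@1.2.3.000004 and sip:01666555444@hacking_my_proxy.com), and the FAKE_DNS table with the hostnames pstn-gw.domain.org and sip.example.net is a constructed offline stand-in for DNS; none of these names are real.

```python
"""Added example (not from the original post or OpenSER): why a regex in
register.deny misses the two bypasses in the message, and what a
resolve-then-compare check looks like instead.  Contact URIs and the
FAKE_DNS table are constructed for this example."""
import ipaddress
import re

# The two patterns from the message: the one shipped in register.deny and
# the "improved" one that tolerates leading zeros in each octet.
DENY_REGEX_ORIGINAL = re.compile(r"^sip:.*1\.2\.3\.4")
DENY_REGEX_IMPROVED = re.compile(r"^sip:.*0*1\.0*2\.0*3\.0*4")

# Address of the PSTN gateway that must never appear as a registered Contact.
DENIED_GATEWAY_IPS = {ipaddress.ip_address("1.2.3.4")}

# Constructed offline stand-in for DNS (assumption: these names are not real).
FAKE_DNS = {
    "hacking_my_proxy.com": "1.2.3.4",   # attacker-owned zone aimed at the gateway
    "pstn-gw.domain.org": "1.2.3.4",     # the gateway's legitimate hostname
    "sip.example.net": "198.51.100.7",   # an unrelated, harmless host
}

_HOST_RE = re.compile(r"^sips?:(?:[^@]*@)?(\[[^\]]+\]|[^:;?>]+)")


def contact_host(uri):
    """Pull the host part out of a sip:/sips: URI (user@host:port;params)."""
    m = _HOST_RE.match(uri.strip())
    if not m:
        raise ValueError("not a SIP URI: %r" % uri)
    return m.group(1).strip("[]").lower()


def parse_dotted_quad(host):
    """Interpret a four-part IPv4 literal the way the lenient C parser
    inet_aton does: a leading 0 means octal, 0x means hex, so '1.2.3.000004'
    is the same address as '1.2.3.4'.  Returns None when the host is not
    such a literal (including malformed ones like '1.2.3.09')."""
    parts = host.split(".")
    if len(parts) != 4:
        return None
    octets = []
    for p in parts:
        if not p.isalnum():
            return None
        try:
            if p[:2] == "0x":
                o = int(p[2:], 16)
            elif len(p) > 1 and p[0] == "0":
                o = int(p, 8)
            else:
                o = int(p, 10)
        except ValueError:
            return None
        if not 0 <= o <= 255:
            return None
        octets.append(o)
    return ipaddress.IPv4Address(".".join(map(str, octets)))


def resolve(host, dns=FAKE_DNS):
    """Addresses the host currently resolves to; empty set if unknown."""
    literal = parse_dotted_quad(host)
    if literal is not None:
        return {literal}
    if host in dns:
        return {ipaddress.ip_address(dns[host])}
    return set()


def regex_denied(uri, pattern=DENY_REGEX_IMPROVED):
    """What register.deny does: a regex over the raw Contact string."""
    return pattern.search(uri) is not None


def contact_denied(uri, denied=DENIED_GATEWAY_IPS, dns=FAKE_DNS):
    """Resolve-then-compare: deny when any address the Contact host resolves
    to right now is a protected one.  Unresolvable hosts pass here; a
    deployment that prefers to fail closed would deny on an empty set."""
    return bool(resolve(contact_host(uri), dns) & denied)


# Constructed Contacts standing in for the ones in the sipsak commands above.
CASES = [
    "sip:01666555444@1.2.3.4",
    "sip:01666555444@1.2.3.000004",
    "sip:01666555444@hacking_my_proxy.com",
    "sip:200@sip.example.net",
]

if __name__ == "__main__":
    for uri in CASES:
        print("%-40s original=%-5s improved=%-5s resolved=%s" % (
            uri, regex_denied(uri, DENY_REGEX_ORIGINAL),
            regex_denied(uri), contact_denied(uri)))
```

The first two rows show the leading-zero literal slipping past the original pattern and being caught by the improved one; the third shows the hostname slipping past both patterns and being caught only by resolving it. Because the check compares addresses rather than strings, the same contact_denied() call can be made again when the INVITE is about to be forwarded, which is what addresses the "what if DNS changes later" concern raised above. Note also that different parsers disagree on what "1.2.3.000004" means (inet_aton reads leading zeros as octal, some libraries reject them), so a deployment may simply refuse any IPv4 literal that is not in canonical dotted-decimal form.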