Hi, Permissions module tries to avoid REGISTER with privileged IP's in Contact
(using "register.deny" file) but I have some doubts about this security.
I'll play with the example explained in "register.deny" file:
---------------------------------------------------------------------------------------
# Suppose that we have a PSTN gateway with IP address 1.2.3.4
# We should prevent REGISTER messages that contain that IP
# address in Contact header field because that can cause serious
# security hole (a malicious user might be able to register such
# a contact and bypass security checks performed by the SIP proxy).
#
# The following line prevents registering Contacts with IP 1.2.3.4
# (Don't forget to list also all hostnames that can be used to
# reach the PSTN gateway)
ALL : "^sip:.*1\.2\.3\.4"
---------------------------------------------------------------------------------------
Ok, now a malicious user could just use SipSak to send a malicious REGISTER
to call for free to a PSTN number 01666555444:
~# sipsak -U -C sip:01666555444@1.2.3.00004 -a passwd -s sip:200@domain.org
Note the "000004" !!!!
So this causes an entry in "location" with fields:
- username = 200
- domain = domain.org
- contact = sip:01666555444@1.2.3.00004
And sure 1.2.3.00004 is a valid IPv4.
That is: if the user calls himself (sip:200@domain.org) he'll get a free PSTN call.
Oppss...
Ok, a solution could be to improve the regular expression by avoiding any
number of 0's:
ALL : "^sip:.*0*1\.0*2\.0*3\.0*4"
Ok, but now the malicious user can register a domain "hacking_my_proxy.com"
to resolve to IP 1.2.3.4, and send this REGISTER:
~# sipsak -U -C sip:01666555444@hacking_my_proxy.com -a passwd -s sip:200@domain.org
So this will bypass the "register.deny" policy !!!!
Note that "register.deny" file says:
# (Don't forget to list also all hostnames that can be used to
# reach the PSTN gateway)
Of course, it's not possible to list all hostnames and domains resolving to an IP
(anyone can register a domain to any IP).
So then... is this "register.deny" security really valid????
Solution for this?
-------------------------
- Forbid hostnames or domains in Contact: Ohh, too much anti-RFC 3261 (what would
"alice(a)pc33.atlanta.com" think about it? XDDD).
- Do a DNS query for the "Contact" during REGISTER: What about if DNS changes later?
- Match the resolved IP against IP's in "register.deny" for every INVITE
leaving OpenSer. Humm.
- Avoid OpenSer using the internet DNS system (so "hacking_my_proxy.com"
wouldn't be resolved) and allow just secure domains (internal DNS or /etc/hosts):
and what about outbound calls? Isn't this solution an atrocity?
How to handle it? Is it not a real security hole?
Comments are welcome. Regards.
--
Iñaki Baz Castillo
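The two evasions raised in this post (leading zeros in an octet, and a hostname that resolves to the gateway) both come from matching the Contact as a string instead of as an address. The following is an added example, not code from the post or from OpenSER, showing a check that canonicalises the Contact host before comparing it with the deny list: dotted quads are parsed octet by octet as decimal integers (so "1.2.3.00004" and "1.2.3.4" compare equal), and hostnames are resolved through a resolver callable supplied by the caller. The deny list, the `fake_resolve` table and all sample contacts are constructed for the example; the real gateway IP 1.2.3.4 is the one used in the "register.deny" comments.

```python
"""Canonicalising deny-list check for the host part of a REGISTER Contact.

Added example (not OpenSER's permissions module). Assumes the caller
supplies the set of denied gateway addresses and a resolver callable;
a constructed in-memory resolver is used here so the example runs offline.
"""
import ipaddress
import re
from typing import Callable, Iterable, Set

# Host part of a SIP URI: scheme, optional user@, then host up to ':' (port),
# ';' (parameters), '>' (closing angle bracket) or '?' (headers).
# IPv6 literals in brackets are not handled by this example.
_HOST_RE = re.compile(r"sips?:(?:[^@\s<>;?]*@)?([^:;>?\s]+)", re.IGNORECASE)

# Any four dot-separated runs of digits, so octets with leading zeros
# (the "1.2.3.00004" spelling) are still recognised as a dotted quad.
_DOTTED_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def contact_host(contact: str) -> str:
    """Extract the host from a Contact value such as '<sip:u@h:5060;x=y>'."""
    m = _HOST_RE.search(contact)
    if not m:
        raise ValueError(f"not a SIP URI: {contact!r}")
    return m.group(1)


def canonical_ipv4(host: str):
    """Return an IPv4Address if host is a dotted quad in any spelling, else None.

    Each octet is parsed as a decimal integer, so '00004' becomes 4.  The
    parsing is done by hand because ipaddress.IPv4Address() rejects leading
    zeros outright, which would let such a Contact slip through as a
    'hostname' if we relied on it alone.
    """
    if not _DOTTED_RE.match(host):
        return None
    octets = [int(o, 10) for o in host.split(".")]
    if any(o > 255 for o in octets):
        return None  # four numbers, but not an IPv4 address
    return ipaddress.IPv4Address(".".join(str(o) for o in octets))


def contact_denied(contact: str,
                   denied: Set[ipaddress.IPv4Address],
                   resolve: Callable[[str], Iterable[str]]) -> bool:
    """True if the Contact host is, or currently resolves to, a denied address.

    Fails closed: a Contact whose hostname cannot be resolved is denied,
    because it cannot be vetted against the list.
    """
    host = contact_host(contact)
    ip = canonical_ipv4(host)
    if ip is not None:
        return ip in denied
    try:
        addresses = list(resolve(host))
    except OSError:
        return True
    return any(ipaddress.IPv4Address(a) in denied for a in addresses)


# Constructed deny list: the PSTN gateway from the register.deny example.
DENIED = {ipaddress.IPv4Address("1.2.3.4")}

# Constructed DNS table standing in for the internet DNS. 192.0.2.0/24 is
# the RFC 5737 documentation range, used here for the legitimate UA host.
FAKE_DNS = {
    "hacking_my_proxy.com": ["1.2.3.4"],   # attacker-registered name -> gateway
    "pc33.atlanta.com": ["192.0.2.33"],    # ordinary user agent host
}


def fake_resolve(name: str) -> Iterable[str]:
    """Resolver with the same contract as a socket.getaddrinfo wrapper."""
    try:
        return FAKE_DNS[name.lower()]
    except KeyError:
        raise OSError(f"NXDOMAIN {name}")


if __name__ == "__main__":
    samples = [
        "sip:01666555444@1.2.3.4",
        "sip:01666555444@1.2.3.00004",
        "<sip:01666555444@hacking_my_proxy.com>",
        "sip:alice@pc33.atlanta.com",
        "sip:alice@192.0.2.33:5060;transport=udp",
    ]
    for c in samples:
        print(f"{'DENY ' if contact_denied(c, DENIED, fake_resolve) else 'ALLOW'} {c}")
```

Against a real resolver, `resolve` would be something like `lambda n: [ai[4][0] for ai in socket.getaddrinfo(n, None, socket.AF_INET)]`; `socket.gaierror` is a subclass of `OSError`, so the fail-closed branch still applies. This covers only what the record says at REGISTER time, which is exactly the "what if DNS changes later?" objection in the post: the same `contact_denied` call can be repeated on the stored contact when a call is routed to it, which is the post's third option, and that repeated check is what closes the window rather than the REGISTER-time check alone.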