Hi, the Permissions module tries to avoid REGISTERs with privileged IPs in Contact (using the "register.deny" file), but I have some doubts about this security.
I'll play with the example explained in "register.deny" file:
---------------------------------------------------------------------------------------
# Suppose that we have a PSTN gateway with IP address 1.2.3.4
# We should prevent REGISTER messages that contain that IP
# address in Contact header field because that can cause serious
# security hole (a malicious user might be able to register such
# a contact and bypass security checks performed by the SIP proxy).
#
# The following line prevents registering Contacts with IP 1.2.3.4
# (Don't forget to list also all hostnames that can be used to
# reach the PSTN gateway)
ALL : "^sip:.*1.2.3.4"
---------------------------------------------------------------------------------------
Ok, now a malicious user could just use sipsak to send a malicious REGISTER in order to call a PSTN number, 01666555444, for free:
~# sipsak -U -C sip:01666555444@1.2.3.00004 -a passwd -s sip:200@domain.org
Note the "00004"!!!!
So this causes an entry in "location" with the fields:
- username = 200
- domain = domain.org
- contact = sip:01666555444@1.2.3.00004
And sure enough, 1.2.3.00004 is a valid IPv4 address.
That is: if the user calls himself (sip:200@domain.org), he'll get a free PSTN call. Oops...
Ok, a solution could be to improve the regular expression so that it allows for any number of leading 0's:
ALL : "^sip:.*0*1.0*2.0*3.0*4"
Ok, but now the malicious user can register a domain "hacking_my_proxy.com" to resolve to IP 1.2.3.4, and send this REGISTER:
~# sipsak -U -C sip:01666555444@hacking_my_proxy.com -a passwd -s sip:200@domain.org
So this will bypass the "register.deny" policy!!!!
Note that the "register.deny" file says:
# (Don't forget to list also all hostnames that can be used to
# reach the PSTN gateway)
Of course, it's not possible to list all the hostnames and domains resolving to an IP (anyone can register a domain pointing to any IP).
So then... is this "register.deny" security really valid????
Solution for this?
-------------------------
- Forbid hostnames or domains in Contact: Ohh, too anti-RFC 3261 (what would "alice@pc33.atlanta.com" think about it? XDDD).
- Do a DNS query for the "Contact" during REGISTER: what if the DNS changes later?
- Match the resolved IP against the IPs in "register.deny" for every INVITE leaving OpenSER. Hmm.
- Avoid OpenSER using the internet DNS system (so "hacking_my_proxy.com" wouldn't be resolved) and allow just secure domains (internal DNS or /etc/hosts): but what about outbound calls? Isn't this solution an atrocity?
How to handle it? Isn't it a real security hole?
Comments are welcome. Regards.
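A worked demonstration of the two bypasses described in the post, plus a check that closes them by looking at the Contact host rather than at the raw URI string. This is added example code; it is not part of the original post and not OpenSER code. It assumes the gateway address 1.2.3.4 from the register.deny sample, that whatever resolves the Contact host accepts IPv4 literals under the inet_aton(3) grammar (glibc does: a leading 0 means octal, 0x means hex, and fewer than four parts are allowed), and a constructed FAKE_DNS table that stands in for the attacker's domain; the function names are my own.

```python
import re
import ipaddress
from typing import Callable, Iterable, List, Optional

# Gateway address taken from the register.deny sample in the post (assumed here).
DENIED_IPS = {ipaddress.IPv4Address("1.2.3.4")}

# The post's first register.deny pattern, unchanged, so its bypasses can be shown.
# The dots are unescaped, so each "." matches any single character.
NAIVE_DENY_RE = re.compile(r"^sip:.*1.2.3.4")


def naive_denied(contact: str) -> bool:
    """The regex-over-the-whole-Contact check the post starts from."""
    return NAIVE_DENY_RE.search(contact) is not None


# host part of sip:user@host[:port][;params]; bracketed IPv6 literals kept whole
_HOST_RE = re.compile(r"^sips?:(?:[^@]*@)?(\[[^\]]+\]|[^:;?>]+)")
# one inet_aton(3) number: 0x hex, leading-0 octal, or decimal (no sign, no '_')
_NUM_RE = re.compile(r"^(?:0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def contact_host(contact: str) -> str:
    """Extract the host from a SIP URI, e.g. 'sip:200@1.2.3.4:5060' -> '1.2.3.4'."""
    m = _HOST_RE.match(contact.strip().lstrip("<"))
    if not m:
        raise ValueError("not a SIP URI: %r" % contact)
    return m.group(1).strip("[]")


def _num(tok: str) -> int:
    # tok has already been validated against _NUM_RE
    if tok[:2].lower() == "0x":
        return int(tok[2:], 16)
    if tok.startswith("0"):
        return int(tok, 8)
    return int(tok)


def canonical_ipv4(host: str) -> Optional[ipaddress.IPv4Address]:
    """Address an inet_aton(3)-style parser (as in glibc) yields for host, or
    None if host is not an IPv4 literal.  Accepts a.b.c.d, a.b.c, a.b and a,
    each part decimal, octal (leading 0) or hex (0x); the last part fills the
    remaining bytes.  So '1.2.3.00004', '0x01.0x02.0x03.0x04' and '16909060'
    all map to 1.2.3.4, while a plain hostname returns None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_NUM_RE.match(p) for p in parts):
        return None
    vals = [_num(p) for p in parts]
    if any(v > 255 for v in vals[:-1]):
        return None
    tail_bytes = 4 - (len(vals) - 1)
    if vals[-1] >= 1 << (8 * tail_bytes):
        return None
    n = 0
    for v in vals[:-1]:
        n = (n << 8) | v
    n = (n << (8 * tail_bytes)) | vals[-1]
    return ipaddress.IPv4Address(n)


Resolver = Callable[[str], List[str]]


def hardened_denied(contact: str, resolver: Optional[Resolver] = None,
                    denied_hosts: Iterable[str] = ()) -> bool:
    """Deny a Contact whose host is the gateway in any literal spelling, is on an
    explicit hostname list, or currently resolves to the gateway.  The DNS part
    is a point-in-time check only: the record can change after the REGISTER."""
    host = contact_host(contact)
    ip = canonical_ipv4(host)
    if ip is not None:
        return ip in DENIED_IPS
    name = host.lower().rstrip(".")
    if name in {h.lower().rstrip(".") for h in denied_hosts}:
        return True
    if resolver is None:
        return False
    return any(ipaddress.IPv4Address(a) in DENIED_IPS for a in resolver(name))


# Constructed stand-in for DNS: the attacker's domain points at the gateway.
FAKE_DNS = {"hacking_my_proxy.com": ["1.2.3.4"], "pc33.atlanta.com": ["192.0.2.33"]}


def fake_resolver(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])


def demo() -> dict:
    """Map each Contact from the post (plus two more literal spellings) to
    (naive_denied, hardened_denied)."""
    contacts = [
        "sip:01666555444@1.2.3.4",
        "sip:01666555444@1.2.3.00004",          # leading zeros, from the post
        "sip:01666555444@0x01.0x02.0x03.0x04",  # hex octets, added here
        "sip:01666555444@16909060",             # one 32-bit number, added here
        "sip:01666555444@hacking_my_proxy.com",
        "sip:alice@pc33.atlanta.com",
    ]
    return {c: (naive_denied(c), hardened_denied(c, fake_resolver)) for c in contacts}


if __name__ == "__main__":
    for contact, (naive, hardened) in demo().items():
        print(f"{contact:42} naive={naive!s:5} hardened={hardened}")
```

Run stand-alone it prints one row per Contact; only the first one is caught by the regex, the other gateway spellings and the attacker's hostname get through it, and all of them are refused by the host-based check. Two things the example makes concrete: a deny rule that matches a printable form of the address is only as good as the set of spellings it enumerates, so canonicalise the host before comparing; and the hostname leg is inherently a point-in-time answer, which is the DNS-changes-later objection from the post, so a proxy that routes to the gateway still needs its own check at INVITE time (or a routing policy that refuses to forward to the gateway address from a registered Contact at all).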