7 Sep
2009
7 Sep
'09
7:50 p.m.
Hi List,
I am using kamailio 1.4 and authenticating INVITE if the source ip address
is not in trusted table but one of the IP which is not in the trusted table
was able to bypass INVITE authentication, . I don’t have SIP traces saved
from the called but when that was happening I could see that the INVITE
didn’t have auth credentials but caller was able to bypass authentication
and was sending calls to my upstream gateway.
Caller’s IP is definitely not in the trusted table, I am just wondering is
it something wrong in my script or similar issue has reported before ;
Thanks in Advance
Asim
route[2] {
xlog("L_INFO", "[ROUTE-2] Received initial INVITE from
$si\n");
setflag(2);
setflag(3);
if(is_from_local()) {
if(!allow_trusted()) {
xlog("L_INFO", "[ROUTE-2 !] Issuing proxy
challenge\n");
if(!proxy_authorize("", "subscriber")) {
proxy_challenge("", "1");
exit;
}
else if(!check_from()) {
xlog("L_INFO", "[ROUTE-2 !] From URI
denied\n");
sl_send_reply("403", "Forbidden");
exit;
}
}
else {
xlog("L_INFO", "[ROUTE-2 !] From URI domain not
local - denied\n");
sl_send_reply("403", "Forbidden");
exit;
}
}
consume_credentials();
xlog("L_INFO", "[ROUTE-2 ->] Authentication credentials
valid\n");
if(nat_uac_test("1")) {
xlog("L_INFO", "[ROUTE-2 ->] RFC1918 contact found -
fixing
up\n");
fix_nated_contact();
force_rport();
setbflag(7);
}
if(nat_uac_test("8") && search("Content-Type:
application/sdp")) {
xlog("L_INFO", "[ROUTE-2 ->] RFC1918 SDP endpoint found
-
fixing up\n");
fix_nated_sdp("10");
}
# Apply outbound translations and figure out where to route the
call.
route(4); # this route the calls to upstream gateway.
}
These messages i was getting in syslog
[ROUTE-2] Received initial INVITE from xxx.xxx.xxx.xxx(Caller_IP)
ERROR:auth:consume_credentials: no authorized credentials found (error in
scripts)
[ROUTE-2 ->] Authentication credentials valid
[ROUTE-4] Applying outbound translations to: 0022334455
[ROUTE-4 ->] Translated RURI user part to: 22334455
[ROUTE-4 ->] Gateway election: my_upstream_gateway
[ROUTE-5] Accounting translation: sip:0022334455@my_upstream_gateway
[ROUTE-2 ->] Relaying
7 Sep
7 Sep
8:03 p.m.
Weird; the code you pasted is unmistakably *my* route script, written
in my exact (older) style, and even with error messages of my rhetorical
character. I think I must've posted it at some point as example code.
Anyway, the reason you are having this problem is that the logic causes
consume_credentials() to be run even if the INVITE is trusted (i.e.
allow_trusted() is true), in which case there is no authentication
challenge (proxy_authorize()) and therefore, no authentication digest
headers.
The solution is to bifurcate the logic into a disjunction:
if(is_from_local()) {
if(!allow_trusted()) {
xlog("L_INFO", "[ROUTE-2 !] Issuing proxy
challenge\n");
if(!proxy_authorize("", "subscriber")) {
proxy_challenge("", "1");
exit;
}
else if(!check_from()) {
xlog("L_INFO", "[ROUTE-2 !] From URI
denied\n");
sl_send_reply("403", "Forbidden");
exit;
}
### PUT consume_credentials() HERE INSTEAD ***
}
else {
xlog("L_INFO", "[ROUTE-2 !] From URI domain not
local - denied\n");
sl_send_reply("403", "Forbidden");
exit;
}
}
Asim Riaz wrote:
Hi List,
I am using kamailio 1.4 and authenticating INVITE if the source ip
address is not in trusted table but one of the IP which is not in the
trusted table was able to bypass INVITE authentication, . I don’t have
SIP traces saved from the called but when that was happening I could see
that the INVITE didn’t have auth credentials but caller was able to
bypass authentication and was sending calls to my upstream gateway.
Caller’s IP is definitely not in the trusted table, I am just wondering
is it something wrong in my script or similar issue has reported before ;
Thanks in Advance
Asim
route[2] {
xlog("L_INFO", "[ROUTE-2] Received initial INVITE from
$si\n");
setflag(2);
setflag(3);
if(is_from_local()) {
if(!allow_trusted()) {
xlog("L_INFO", "[ROUTE-2 !] Issuing proxy
challenge\n");
if(!proxy_authorize("", "subscriber")) {
proxy_challenge("", "1");
exit;
}
else if(!check_from()) {
xlog("L_INFO", "[ROUTE-2 !] From URI
denied\n");
sl_send_reply("403", "Forbidden");
exit;
}
}
else {
xlog("L_INFO", "[ROUTE-2 !] From URI domain not
local - denied\n");
sl_send_reply("403", "Forbidden");
exit;
}
}
consume_credentials();
xlog("L_INFO", "[ROUTE-2 ->] Authentication credentials
valid\n");
if(nat_uac_test("1")) {
xlog("L_INFO", "[ROUTE-2 ->] RFC1918 contact found -
fixing up\n");
fix_nated_contact();
force_rport();
setbflag(7);
}
if(nat_uac_test("8") && search("Content-Type:
application/sdp")) {
xlog("L_INFO", "[ROUTE-2 ->] RFC1918 SDP endpoint found
- fixing up\n");
fix_nated_sdp("10");
}
# Apply outbound translations and figure out where to route the
call.
route(4); # this route the calls to upstream gateway.
}
These messages i was getting in syslog
[ROUTE-2] Received initial INVITE from xxx.xxx.xxx.xxx(Caller_IP)
ERROR:auth:consume_credentials: no authorized credentials found (error
in scripts)
[ROUTE-2 ->] Authentication credentials valid
[ROUTE-4] Applying outbound translations to: 0022334455
[ROUTE-4 ->] Translated RURI user part to: 22334455
[ROUTE-4 ->] Gateway election: my_upstream_gateway
[ROUTE-5] Accounting translation: sip:0022334455@my_upstream_gateway
[ROUTE-2 ->] Relaying
------------------------------------------------------------------------
_______________________________________________
Kamailio (OpenSER) - Users mailing list
Users(a)lists.kamailio.org
http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
--
Alex Balashov - Principal
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (678) 237-1775
8:40 p.m.
Hi Alex,
I am not worry about this message, "ERROR:auth:consume_credentials: no
authorized credentials found (error in scripts)",
receivng because of consume_credentials, my problem is the caller wasnt in
the trusted table so he should receive challenge from proxy but he was able
to bypass authentication as his ip was in trusted table.
if(is_from_local()) {
if(!allow_trusted()) {
xlog("L_INFO", "[ROUTE-2 !] Issuing proxy
challenge\n");
if(!proxy_authorize("", "subscriber")) {
proxy_challenge("", "1");
exit;
}
any idea?
Thanks,
Asim
8:49 p.m.
I'm confused:
Asim Riaz wrote:
my problem is the caller wasnt in the trusted table
... A?
he was able to bypass authentication as his ip was in
trusted table.
... B?
Propositions A and B seem to be at contradictory relation to each other.
--
Alex Balashov - Principal
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (678) 237-1775
8:51 p.m.
Hi Alex,
What I was trying to say caller’s IP wasn’t in the Trusted table but he
didn’t receive challenge from proxy and was able to bypass authentication
like my other trusted users which are in the trusted table.
Thanks,
Asim
8:59 p.m.
The appropriate conclusion is that the permissions module determined
that the caller was, in fact, in the trusted table, possibly due to
incorrect, ambiguous or wildcard data (subnet matching?).
Asim Riaz wrote:
Hi Alex,
What I was trying to say caller’s IP wasn’t in the Trusted table but he
didn’t receive challenge from proxy and was able to bypass
authentication like my other trusted users which are in the trusted table.
Thanks,
Asim
--
Alex Balashov - Principal
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (678) 237-1775
9:43 p.m.
Hi Alex,
I am not matching subnets, just single ip addresses and don’t have caller's
IP in trusted table.
Thanks,
Asim
10:06 p.m.
Asim Riaz wrote:
I am not matching subnets, just single ip addresses
and don’t have
caller's IP in trusted table.
Well, clearly, some part of the process is failing and the IP address is
being matched regardless. Whether this is a bug, a misunderstanding or
a mistake on your part is something we have no way of determining
without knowing the details - that is, the IP address, all applicable
module parameters for the permissions module, and the contents of the
trusted table.
It is understandable that you may not wish to share such details on a
public list, but, unfortunately this limits the amount of aid that
someone can provide. Perhaps if you change the numbers in the IP
address(es) but otherwise provide consistent information, we can help.
--
Alex Balashov - Principal
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (678) 237-1775
10:58 p.m.
Hi Alex,
here are the details, please let me know if you need more information;'
modparam("permissions", "db_mode", 1)
modparam("permissions", "trusted_table", "trusted")
modparam("permissions", "db_url",
"mysql://openser:openserrw@localhost
/openser")
kamctl trusted show
+----+----------------+-------+--------------+------+---------+
| id | src_ip | proto | from_pattern | tag | version |
+----+----------------+-------+--------------+------+---------+
| 3 | 192.168.1.1 | any | ^sip:.*$ | NULL | NULL |
| 4 | 192.168.2.2 | any | ^sip:.*$ | NULL | NULL |
| 6 | 192.168.3.3 | any | ^sip:.*$ | NULL | NULL |
| 7 | 192.168.4.4 | any | ^sip:.*$ | | NULL |
| 8 | 192.168.5.5 | any | ^sip:.*$ | | NULL |
| 9 | 192.168.6.6 | any | ^sip:.*$ | | NULL |
+----+----------------+-------+--------------+------+---------+
IP address of the caller which was able to bypass INVITE AUTH is e.g
10.10.1.1,
completly diffrent in all octects from the ip addresses in my trusted table.
Thanks,
Asim
8 Sep
8 Sep
2:07 a.m.
maybe the user tried some tricks? e.g.
- spoofing in-dialog requests (Route headers, To-tags ...)
- external domain !isfromlocal() and direct addressing of the gateway
klaus
Asim Riaz schrieb:
Hi List,
I am using kamailio 1.4 and authenticating INVITE if the source ip
address is not in trusted table but one of the IP which is not in the
trusted table was able to bypass INVITE authentication, . I don’t have
SIP traces saved from the called but when that was happening I could see
that the INVITE didn’t have auth credentials but caller was able to
bypass authentication and was sending calls to my upstream gateway.
Caller’s IP is definitely not in the trusted table, I am just wondering
is it something wrong in my script or similar issue has reported before ;
Thanks in Advance
Asim
route[2] {
xlog("L_INFO", "[ROUTE-2] Received initial INVITE from
$si\n");
setflag(2);
setflag(3);
if(is_from_local()) {
if(!allow_trusted()) {
xlog("L_INFO", "[ROUTE-2 !] Issuing proxy
challenge\n");
if(!proxy_authorize("", "subscriber")) {
proxy_challenge("", "1");
exit;
}
else if(!check_from()) {
xlog("L_INFO", "[ROUTE-2 !] From URI
denied\n");
sl_send_reply("403", "Forbidden");
exit;
}
}
else {
xlog("L_INFO", "[ROUTE-2 !] From URI domain not
local - denied\n");
sl_send_reply("403", "Forbidden");
exit;
}
}
consume_credentials();
xlog("L_INFO", "[ROUTE-2 ->] Authentication credentials
valid\n");
if(nat_uac_test("1")) {
xlog("L_INFO", "[ROUTE-2 ->] RFC1918 contact found -
fixing up\n");
fix_nated_contact();
force_rport();
setbflag(7);
}
if(nat_uac_test("8") && search("Content-Type:
application/sdp")) {
xlog("L_INFO", "[ROUTE-2 ->] RFC1918 SDP endpoint found
- fixing up\n");
fix_nated_sdp("10");
}
# Apply outbound translations and figure out where to route the
call.
route(4); # this route the calls to upstream gateway.
}
These messages i was getting in syslog
[ROUTE-2] Received initial INVITE from xxx.xxx.xxx.xxx(Caller_IP)
ERROR:auth:consume_credentials: no authorized credentials found (error
in scripts)
[ROUTE-2 ->] Authentication credentials valid
[ROUTE-4] Applying outbound translations to: 0022334455
[ROUTE-4 ->] Translated RURI user part to: 22334455
[ROUTE-4 ->] Gateway election: my_upstream_gateway
[ROUTE-5] Accounting translation: sip:0022334455@my_upstream_gateway
[ROUTE-2 ->] Relaying
------------------------------------------------------------------------
_______________________________________________
Kamailio (OpenSER) - Users mailing list
Users(a)lists.kamailio.org
http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
5614
days inactive
5614
days old
9 comments
3 participants
participants (3)
-
Alex Balashov -
Asim Riaz -
Klaus Darilion