[VOIPSEC] Breaking SIP for fun and toll fraud
Iñaki Baz Castillo
ibc at aliax.net
Sun Nov 4 17:50:12 CST 2007
I've just now subscribed to this list so cannot reply to the original mail and
conserve the thread, I'm sorry.

About the security issue, what about this solution?:

> Step 6) X requests the victim to authenticate the re-INVITE from step 4
> using the same Digest Access Authentication received in step 5
>
> X ------------401/407 Authenticate ------------> V
> Digest: realm ="proxy.org", nonce="Proxy-Nonce-T1"
>
>
> Step 7) In this step the victim will do the work for X (Relay Attack)
>
> X <----------- INVITE 190XXXX at proxy.org -------- V
> Digest: realm ="proxy.org", nonce="Proxy-Nonce-T1"
> username= "victim",
> uri="1900XXXX at proxy.org",
> response="the victim computed response"

Proxy.org is the proxy responsible for victim, so victim should authenticate
just to its proxy but not to other UAS. Why should the victim authenticate to
other UAS different from its proxy?

In this case, proxy.org could remove credentials in any message passing
through it with any destination, so the attacker wouldn't get a valid digest.
For example, OpenSer could do it by adding "consume_credentials()" before
relaying the message.

In case of scenarios where the above solution is not valid there is still
another solution on the proxy side: test the "Contact" URI and reject messages
with forbidden URIs in Contact (as proxy URI).

Regards.
--
Iñaki Baz Castillo
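
The two proxy-side checks proposed in this message, modelled in Python as an added example (not part of the original mail and not OpenSer code): reject a request whose Contact points at the proxy itself, otherwise remove credentials for the proxy's own realm before relaying. The function names, `PROXY_REALM`, `PROXY_HOSTS` and the sample request are assumptions constructed for illustration, and the proxy is assumed to have already verified the digest.

```python
import re

PROXY_REALM = "proxy.org"    # assumption: realm the proxy challenges for
PROXY_HOSTS = {"proxy.org"}  # assumption: hosts that identify the proxy itself
CRED_HEADERS = ("proxy-authorization", "authorization")

def contact_hosts(headers):
    """Hosts of every sip:/sips: URI found in Contact headers (no IPv6 literals)."""
    hosts = []
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("contact", "m"):  # "m" is the compact form
            for m in re.finditer(r"sips?:(?:[^@\s<>;]*@)?([^\s:;>,]+)", value, re.I):
                hosts.append(m.group(1).lower())
    return hosts

def is_own_credential(line):
    """True for a credentials header whose digest realm is the proxy's realm."""
    name, _, value = line.partition(":")
    realm = re.search(r'realm\s*=\s*"([^"]*)"', value)
    return (name.strip().lower() in CRED_HEADERS
            and realm is not None and realm.group(1) == PROXY_REALM)

def relay_filter(raw):
    """Return ("reject", status line) or ("relay", message without own credentials)."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *headers = head.split("\r\n")  # folded header lines are not handled
    if any(h in PROXY_HOSTS for h in contact_hosts(headers)):
        return "reject", "SIP/2.0 403 Forbidden"
    kept = [h for h in headers if not is_own_credential(h)]
    return "relay", "\r\n".join([start] + kept) + "\r\n\r\n" + body

# Constructed sample request; the response value is a placeholder.
SAMPLE = "\r\n".join([
    "INVITE sip:1900XXXX@proxy.org SIP/2.0",
    "From: <sip:victim@proxy.org>;tag=1",
    "To: <sip:1900XXXX@proxy.org>",
    "Contact: <sip:victim@192.0.2.10:5060>",
    'Proxy-Authorization: Digest username="victim", realm="proxy.org", '
    'nonce="Proxy-Nonce-T1", uri="sip:1900XXXX@proxy.org", response="0000"',
    "Content-Length: 0", "", ""])

if __name__ == "__main__":
    print(relay_filter(SAMPLE)[1])
```

Credentials for a different realm are left in place, since only the proxy's own realm is consumed here.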