[VOIPSEC] Breaking SIP for fun and toll fraud

Iñaki Baz Castillo ibc at aliax.net
Sun Nov 4 18:50:12 EST 2007

I've just now subscribed to this list, so I cannot reply to the original mail and 
preserve the thread. I'm sorry.

About the security issue, what about this solution?

>  Step 6) X requests the victim to authenticate the re-INVITE from step 4 
>  using the same Digest Access Authentication received in step 5 
>     X ------------401/407 Authenticate ------------> V
>     Digest: realm ="proxy.org", nonce="Proxy-Nonce-T1"
> Step 7) In this step the victim will do the work for X (Relay Attack)
>    X <----------- INVITE 190XXXX at proxy.org -------- V
>    Digest: realm ="proxy.org", nonce="Proxy-Nonce-T1"
>      username= "victim",
>      uri="1900XXXX at proxy.org",
>      response="the victim computed response"

Proxy.org is the proxy responsible for the victim, so the victim should authenticate 
only to its proxy, not to other UASs. Why should the victim authenticate to a 
UAS other than its proxy? 

In this case, proxy.org could remove the credentials from any message passing 
through it, whatever its destination, so the attacker wouldn't get a valid digest.

For example, OpenSer could do it by adding "consume_credentials()" before 
relaying the message.

In scenarios where the above solution is not valid, there is still another 
solution on the proxy side: check the "Contact" URI and reject messages 
with forbidden URIs in Contact (such as the proxy's own URI).


Iñaki Baz Castillo
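The following is an added worked example, not code from the original post, from the quoted thread, or from OpenSER. It models the two proxy-side mitigations proposed above in Python: stripping Authorization/Proxy-Authorization headers before relaying (the effect of OpenSER's consume_credentials(), modelled here rather than called), and rejecting requests whose Contact claims the proxy's own host. It also shows why the relayed credentials work at all: a SIP Digest response binds realm, nonce, method and Request-URI, but not the identity of whoever issued the challenge, so a response the victim computed for a challenge sent by X is a valid proof at proxy.org for that exact Request-URI. The SIP messages, the user "victim" with password "s3cret", the nonce "Proxy-Nonce-T1" and the host names are all constructed for the example; the digest is plain RFC 2617 MD5 without qop, which is what the quoted exchange shows.

```python
"""Model of the SIP proxy-side mitigations discussed in the post (added example)."""
import hashlib
import re

PROXY_REALM = "proxy.org"
PROXY_HOSTS = {"proxy.org"}        # hosts a UA is not allowed to claim in Contact
USERS = {"victim": "s3cret"}       # constructed: password known only to victim and proxy


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 Digest without qop, as in the quoted exchange: MD5(HA1:nonce:HA2).
    Note what is NOT in the hash: who sent the challenge."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def parse_sip(msg: str):
    """Split a SIP request into (method, request_uri, [(header, value), ...])."""
    lines = msg.strip().splitlines()
    method, request_uri, _ = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break                                   # end of headers, body follows
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, request_uri, headers


def parse_digest(value: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' into a dict (quotes removed)."""
    params = value.partition(" ")[2]
    return {k: v.strip().strip('"')
            for k, v in re.findall(r'(\w+)=("[^"]*"|[^,]+)', params)}


def verify_credentials(msg: str, issued_nonces: set) -> bool:
    """What proxy.org does with a request for a toll number: check the digest
    against the user's password, the realm, a nonce it really issued, and the
    Request-URI. Anyone who can make the victim compute this passes."""
    method, request_uri, headers = parse_sip(msg)
    for name, value in headers:
        if name.lower() in ("proxy-authorization", "authorization"):
            d = parse_digest(value)
            password = USERS.get(d.get("username"))
            if password is None or d.get("realm") != PROXY_REALM:
                return False
            if d.get("nonce") not in issued_nonces or d.get("uri") != request_uri:
                return False
            expected = digest_response(d["username"], PROXY_REALM, password,
                                       method, d["uri"], d["nonce"])
            return expected == d.get("response")
    return False


def strip_credentials(msg: str) -> str:
    """Mitigation 1: drop credential headers before relaying, so no UA
    downstream of the proxy ever sees a digest it could relay back."""
    kept = []
    for line in msg.splitlines():
        name = line.partition(":")[0].strip().lower()
        if name in ("authorization", "proxy-authorization"):
            continue
        kept.append(line)
    return "\n".join(kept)


def contact_is_forbidden(msg: str) -> bool:
    """Mitigation 2: reject a request whose Contact points at the proxy's own
    host, which is what would steer the peer's in-dialog requests (and their
    credentials) where the attacker wants them."""
    _, _, headers = parse_sip(msg)
    for name, value in headers:
        if name.lower() == "contact":
            m = re.search(r"sip:(?:[^@>;]*@)?([^>;:]+)", value)
            if m and m.group(1).lower() in PROXY_HOSTS:
                return True
    return False


NONCE = "Proxy-Nonce-T1"                       # constructed, as in step 5 of the quote
TARGET = "sip:1900XXXX@proxy.org"             # constructed premium number


def victim_reinvite() -> str:
    """Step 7 as a constructed message: the victim, challenged by X with
    proxy.org's nonce, answers with a response computed from its real password."""
    resp = digest_response("victim", PROXY_REALM, USERS["victim"], "INVITE", TARGET, NONCE)
    return (f"INVITE {TARGET} SIP/2.0\n"
            "Via: SIP/2.0/UDP victim.example;branch=z9hG4bKabc\n"
            "From: <sip:victim@proxy.org>;tag=a1\n"
            f"To: <{TARGET}>\n"
            "Contact: <sip:victim@victim.example>\n"
            f'Proxy-Authorization: Digest username="victim", realm="{PROXY_REALM}", '
            f'nonce="{NONCE}", uri="{TARGET}", response="{resp}", algorithm=MD5\n')


def attacker_invite() -> str:
    """Constructed initial INVITE from X whose Contact impersonates the proxy."""
    return ("INVITE sip:victim@proxy.org SIP/2.0\n"
            "Via: SIP/2.0/UDP x.example;branch=z9hG4bKxyz\n"
            "From: <sip:x@x.example>;tag=x1\n"
            "To: <sip:victim@proxy.org>\n"
            f"Contact: <{TARGET}>\n")


if __name__ == "__main__":
    m = victim_reinvite()
    print("relayed credentials accepted:", verify_credentials(m, {NONCE}))
    print("after strip_credentials():   ", verify_credentials(strip_credentials(m), {NONCE}))
    print("attacker Contact rejected:   ", contact_is_forbidden(attacker_invite()))
```

Two caveats follow from the model. Stripping only helps for credentials that cross the proxy; a challenge X delivers to the victim directly, and a response the victim returns directly, never pass through proxy.org, which is why the Contact check is the complementary control: it is the spoofed Contact that makes the victim's in-dialog request carry a Request-URI, and therefore a digest uri=, that proxy.org will accept. Changing the target number in a captured message does not help the attacker either, since the response was computed over the original uri= and the proxy compares it with the Request-URI.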
