Bug#446956: CVE-2007-5469 toll fraud and authentication forward attack

Daniel-Constantin Mierla daniel at voice-system.ro
Wed Oct 17 09:19:09 UTC 2007


Hello,

On 10/17/07 11:25, Julien BLACHE wrote:
> Nico Golde <nion at debian.org> wrote:
>
> Hi,
>
>   
>> CVE-2007-5469[0]:
>> | OpenSER 1.2.2 does not verify the Digest authentication header URI
>> | against the Request URI in SIP messages, which allows remote attackers
>> | to use sniffed Digest authentication credentials to call arbitrary
>> | telephone numbers or spoof caller ID (aka "toll fraud and
>> | authentication forward attack").
>>     
>
> I can dig up the patch mentioned on full-disclosure, but it's only
> one part of the solution. The user needs to add the required logic in
> their config to actually "fix" the problem.
>
> Also it's not clear yet whether this also applies to OpenSER < 1.2,
> though the post on full-disclosure seems to imply that all versions
> prior to SVN 20071004 are affected.
>   
Practically, the check can be done in all versions of openser>=1.0.0, 
but it is a bit more complex. The update in the SVN just eases the check, by 
making the digest URI directly available via a pseudo-variable.

The solution for older versions is:

- write the body of the Authorization/Proxy-Authorization header in an AVP 
via avp_printf()
- do an avp_subst() and extract the value of the digest URI into another AVP
- use avp_check() to check it against the R-URI

The reason for leaving the check to the config file is to give more liberty 
in performing it. Imagine that the proxies are behind a load balancer, 
and the R-URI is changed by the LB; in that case all auth will fail. The 
admin can add the initial R-URI in a special header at the LB and in the 
proxy compare that value with the digest URI. Embedding this check in 
the auth modules seemed too rigid.

Cheers,
Daniel

> JB.
>
>   
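The check Daniel describes (digest `uri=` must equal the Request-URI, optionally compared against an original-R-URI header set by a load balancer), as an added stand-alone example that is not code from the bug report or from OpenSER. The sample INVITE, the `X-Original-RURI` header name and the `original_ruri_header` parameter are constructed assumptions.

```python
import re

# Constructed sample (not from the bug report): an INVITE whose Digest
# credentials were computed for a different URI than the Request-URI,
# the replay pattern CVE-2007-5469 describes.
SAMPLE_REQUEST = (
    "INVITE sip:+18005551212@example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed\r\n"
    "From: <sip:alice@example.org>;tag=1\r\n"
    "To: <sip:+18005551212@example.org>\r\n"
    'Proxy-Authorization: Digest username="alice", realm="example.org", '
    'nonce="abc", uri="sip:bob@example.org", response="deadbeef"\r\n'
    "Content-Length: 0\r\n\r\n"
)

REQ_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
URI_PARAM = re.compile(r'\buri="([^"]*)"')

def parse_request(msg):
    """Return (method, request_uri, headers) for a SIP request."""
    lines = msg.split("\r\n\r\n", 1)[0].split("\r\n")
    m = REQ_LINE.match(lines[0])
    if not m:
        raise ValueError("not a SIP request line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return m.group(1), m.group(2), headers

def digest_uri(headers):
    """uri= parameter of the (Proxy-)Authorization header, or None."""
    for name in ("proxy-authorization", "authorization"):
        for value in headers.get(name, []):
            m = URI_PARAM.search(value)
            if m:
                return m.group(1)
    return None

def digest_uri_matches(msg, original_ruri_header=None):
    """The config-level check: the digest uri must equal the R-URI.
    original_ruri_header (assumed name) is a header a load balancer
    sets to carry the R-URI as it was before the LB rewrote it."""
    _, ruri, headers = parse_request(msg)
    carried = headers.get((original_ruri_header or "").lower())
    expected = carried[0] if carried else ruri
    return digest_uri(headers) == expected

if __name__ == "__main__":
    print(digest_uri_matches(SAMPLE_REQUEST))  # False: credentials were for sip:bob
```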