[BUG] mid_registrar allows registration without authentication in AOR throttling mode (security issue?) #3193

Closed
asolovjov opened this issue Sep 15, 2023 · 4 comments

@asolovjov

OpenSIPS version you are running

version: opensips 3.4.1 (x86_64/linux)
flags: STATS: On, DISABLE_NAGLE, USE_MCAST, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, HP_MALLOC, DBG_MALLOC, FAST_LOCK-ADAPTIVE_WAIT
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535
poll method support: poll, epoll, sigio_rt, select.
git revision: 3abd3a265
main.c compiled on 00:00:00 Aug 31 2023 with gcc 11

Describe the bug
In AOR throttling mode, OpenSIPS accepts registration without authentication from the second device if the registration request is sent within the expire time.

To Reproduce
Enable mode 2 and use default mid_registrar config

loadmodule "mid_registrar.so"
modparam("mid_registrar", "mode", 2)
modparam("mid_registrar", "outgoing_expires", 200)
...
route[process_register] {
    xlog("L_INFO", "[$ci : $rm : $fU $tU] :: process_register route");
    force_rport();
    fix_nated_register();
    mid_registrar_save("location");
    $var(mrsave_rc) = $retcode;
    xlog("L_INFO", "[$ci : $rm : $fU $tU] :: mid_registrar_save :: rc: $var(mrsave_rc)");
    # rc 1: REGISTER goes to the main registrar; rc 2: mid_registrar already replied
    switch ($var(mrsave_rc)) {
    case 1:
        $ru = "sip:x.x.x.x:5060";
        t_on_reply("register_reply");
        t_relay();
        break;
    case 2:
        xlog("L_INFO", "[$ci : $rm : $fU $tU] :: absorbing REGISTER");
        break;
    default:
        xlog("L_INFO", "[$ci : $rm : $fU $tU] :: rc: $var(mrsave_rc) :: failed to save registration");
        sl_send_reply(404, "Not found");
    }
    exit;
}

Send register request from some client. I use sipexer:

REGISTER sip:10.1.1.201:5060 SIP/2.0
Via: SIP/2.0/UDP 10.1.1.216:6091;rport;branch=z9hG4bKSG.bdf6c69f-180f-42d4-b2a9-2871df6123b5
From: <sip:user1@10.1.1.201>;tag=2225fe66-4475-4d4c-bdaf-f94d8b8e40b1
To: <sip:user1@10.1.1.201>
Call-ID: 273c6bdc-d4a4-45f5-9c54-f0bc3624a630
CSeq: 811722 REGISTER
Date: Fri, 15 Sep 2023 17:40:04 MSK
Contact: <sip:user1@10.1.1.216:6091>
Expires: 60
User-Agent: SIPExer v1.1.0
Max-Forwards: 10
Content-Length: 0

Here OpenSIPS forwards all requests to main registrar (which asks for auth) and replies as usual and saves contact to user location table.

        "AORs": [
          {
            "AOR": "user1",
            "Contacts": [
              {
                "Contact": "sip:user1@10.1.1.216:6091",
                "ContactID": "1849994284430844813",
                "Expires": 56,
                "Q": "",
                "Callid": "b6c60173-5e87-4df3-9760-cb053df512b3",
                "Cseq": 483596,
                "User-agent": "SIPExer v1.1.0",
                "Received": "sip:10.1.1.216:6091",
                "State": "CS_NEW",
                "Flags": 0,
                "Cflags": "",
                "Socket": "udp:10.1.1.201:5060",
                "Methods": 4294967295
              }
            ]
          }

Then immediately send REGISTER with the same user from some other place.

REGISTER sip:10.1.1.201:5060 SIP/2.0
Via: SIP/2.0/UDP 10.1.1.204:6021;rport;branch=z9hG4bKSG.74b4e8e1-ae4d-4bfd-8f69-77beb3787c51
From: <sip:user1@10.1.1.201>;tag=8360da7c-33cf-49c3-a152-3b3cd8ccefb9
To: <sip:user1@10.1.1.201>
Call-ID: 9d242b34-b605-4229-8bea-87560b1b3823
CSeq: 625337 REGISTER
Date: Fri, 15 Sep 2023 14:43:36 UTC
Contact: <sip:user1@10.1.1.204:6021>
Expires: 60
User-Agent: SIPExer v1.1.0
Max-Forwards: 10
Content-Length: 0

mid_registrar_save returns 2 and replies OK without any auth. New contact is added to user location table without auth.

"AOR": "user1",
            "Contacts": [
              {
                "Contact": "sip:user1@10.1.1.216:6091",
                "ContactID": "1849994284430844813",
                "Expires": 35,
                "Q": "",
                "Callid": "8721d3ee-6abf-4bc7-9eaf-0ee45b4ad5ec",
                "Cseq": 57391,
                "User-agent": "SIPExer v1.1.0",
                "Received": "sip:10.1.1.216:6091",
                "State": "CS_NEW",
                "Flags": 0,
                "Cflags": "",
                "Socket": "udp:10.1.1.201:5060",
                "Methods": 4294967295
              },
              {
                "Contact": "sip:user1@10.1.1.204:6021",
                "ContactID": "1849994284430844814",
                "Expires": 40,
                "Q": "",
                "Callid": "9d242b34-b605-4229-8bea-87560b1b3823",
                "Cseq": 625337,
                "User-agent": "SIPExer v1.1.0",
                "Received": "sip:10.1.1.204:6021",
                "State": "CS_NEW",
                "Flags": 0,
                "Cflags": "",
                "Socket": "udp:10.1.1.201:5060",
                "Methods": 4294967295
              }
            ]

Expected behavior

If a new REGISTER comes from another source, should we forward it to the registrar to authenticate it?
Or is the current behaviour expected and I should do something in script?

@asolovjov asolovjov changed the title [BUG] mid_registrar allows registration without authentification in AOR throttling mode (security issue?) [BUG] mid_registrar allows registration without authentication in AOR throttling mode (security issue?) Sep 15, 2023
@bogdan-iancu
Member

@asolovjov, the mid_registrar (similar to registrar module) is authentication agnostic - what kind of auth policy (on main server, on mid-reg server) you want to have, you need to script it.
In your case, the main server (behind the mid-registrar) is handling the auth, so it should cover all the cases.

@bogdan-iancu bogdan-iancu added this to the 3.4.2 milestone Sep 26, 2023
@bogdan-iancu bogdan-iancu self-assigned this Sep 26, 2023
@asolovjov
Author

@bogdan-iancu Thank you for looking at this issue.
Problem is that when a new REGISTER from another device comes within expire time and we call mid_registrar_save it immediately replies with 200 OK so we can't script anything here, it doesn't make sense to forward it. We can use registrar module but then we'll just rewrite the mid_registrar logic in script and it won't be needed at all.
I guess there should be a function similar to is_contact_registered in the registrar module or mid_registrar_save should return some other code so we could decide whether to forward REGISTER.
Just to clarify. This is related only to mode 2 (AOR throttling). In mode 1, mid_registrar works as expected, simply adding a ctid for each new contact, and we forward it to the main registrar.
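
Added example, not part of the thread and not OpenSIPS code: a toy Python model of the throttling decision discussed above, replaying the issue's two devices with and without a check that the contact and source were already bound. `ThrottleModel`, `check_binding` and the event timeline are hypothetical; the assumption is that the second device cannot pass the main registrar's authentication.

```python
from dataclasses import dataclass, field

FORWARD, ABSORB = 1, 2       # same meaning as the rc values in the route above
OUTGOING_EXPIRES = 200       # modparam value from the issue

@dataclass
class AorState:
    upstream_until: int                           # upstream registration valid until
    contacts: dict = field(default_factory=dict)  # contact -> (source, expiry)

class ThrottleModel:
    """Toy model of AOR throttling; not the module's actual logic."""
    def __init__(self, check_binding):
        self.check_binding = check_binding        # False = behaviour reported here
        self.aors = {}

    def save(self, aor, contact, source, expires, now):
        st = self.aors.get(aor)
        if st is None or now >= st.upstream_until:
            return FORWARD                        # main registrar must authenticate
        known = st.contacts.get(contact)
        fresh = known is None or known[0] != source or known[1] <= now
        if self.check_binding and fresh:
            return FORWARD                        # unseen binding: no local 200 OK
        st.contacts[contact] = (source, now + expires)
        return ABSORB                             # local 200 OK, no challenge

    def upstream_ok(self, aor, contact, source, expires, now):
        # Called only after the main registrar authenticated and replied 200.
        st = self.aors.setdefault(aor, AorState(now + OUTGOING_EXPIRES))
        st.upstream_until = now + OUTGOING_EXPIRES
        st.contacts[contact] = (source, now + expires)

# Constructed timeline: (time, contact, source, passes upstream auth?)
EVENTS = [
    (0,  "sip:user1@10.1.1.216:6091", "10.1.1.216:6091", True),
    (20, "sip:user1@10.1.1.204:6021", "10.1.1.204:6021", False),
    (40, "sip:user1@10.1.1.216:6091", "10.1.1.216:6091", True),
]

def replay(check_binding):
    m, codes = ThrottleModel(check_binding), []
    for now, contact, source, authed in EVENTS:
        rc = m.save("user1", contact, source, 60, now)
        if rc == FORWARD and authed:
            m.upstream_ok("user1", contact, source, 60, now)
        codes.append(rc)
    return codes, sorted(m.aors["user1"].contacts)
```

With `check_binding=False` the second device is absorbed and ends up in the contact list, matching the dump in the report; with `check_binding=True` it is sent upstream, and only the first device's refresh is answered locally.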

@github-actions

Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.

@github-actions github-actions bot added the stale label Oct 13, 2023

Marking as closed due to lack of progress for more than 30 days. If this issue is still relevant, please re-open it with additional details.
