[asterisk-dev] sip.conf realtime - potential logic flaw?

Andy Davidson andy at nosignal.org
Tue Oct 30 07:41:58 CDT 2007


Hi,

I was stepping through the way realtime sip.conf works this morning.

I found this in the code (edited significantly for readability).

        /* First check on peer name */
        if (newpeername)
                var = ast_load_realtime("sippeers", "name", newpeername, NULL);
        else if (sin) { /* Then check on IP address */
                /* First check for fixed IP hosts */
                if (!var)
                        /* Then check for registered hosts */
                if (!var)
                        /* No exact match, see if port is insecure, try host match first */


The goal being to populate 'var' with some sip credentials.

Please consider the scenario whereby a number of SIP peers relay
calls through a single Asterisk box. The box is configured to check
the sending host by IP address, e.g. a traditional sip.conf block
might look like this:

[customer5]
type=peer
qualify=yes
host=1.1.1.1
disallow=all
allow=gsm
context=customer5


Let's say I want to provision customers using realtime now. I put
this data in a MySQL table and configure realtime.


Asterisk fires some SQL queries (to get all of them, I temporarily
removed the SELECT privs from the asterisk user) based on the code at
the top of this email, akin to:

SELECT * FROM sip_buddies WHERE name = 'customer5'
SELECT * FROM sip_buddies WHERE host = '1.1.1.1' AND port = '5060'
SELECT * FROM sip_buddies WHERE ipaddr = '1.1.1.1' AND port = '5060'
SELECT * FROM sip_buddies WHERE host = '1.1.1.1' ORDER BY host
SELECT * FROM sip_buddies WHERE ipaddr = '1.1.1.1' ORDER BY ipaddr
SELECT * FROM sip_buddies WHERE name = '1.1.1.1'
SELECT * FROM sip_buddies WHERE name = '1.1.1.1'

What I think the flaw is:

The first query means that a request can match a SIP buddy that I do
not intend it to, as I don't want to authenticate by name; I want to
"authenticate" by the remote party's IP address. In this model, someone
can relay calls if they simply guess my customer's name, which I am
guessing is the block inside [brackets] in traditional, flat-file
sip.conf.

My questions:

  - should we permit people to disable the check by name altogether?
  - if we want to authenticate by username, shouldn't we "select *
from sip_buddies where username='foo'", rather than where user='foo'?


Many thanks in advance for your thoughts,
Andy
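The lookup order Andy describes, reproduced as an added example (this is not chan_sip's code, and the table rows, column set and the `check_name` / `hardened_lookup` variants are assumptions made for illustration): the queries quoted in the post are run in sequence against a constructed `sip_buddies` table in SQLite, the first row returned wins, and a request from an unexpected address that carries a guessed peer name is shown matching `customer5` via the by-name stage.

```python
import sqlite3

# Added example, not Asterisk's own code: a model of the realtime peer lookup
# chain quoted in the post, run against a constructed sip_buddies table.

SCHEMA = """
CREATE TABLE sip_buddies (
    name    TEXT PRIMARY KEY,
    type    TEXT,
    host    TEXT,     -- fixed IP, or 'dynamic' for registering peers
    ipaddr  TEXT,     -- address learned from a registration
    port    TEXT,
    context TEXT
)
"""

# Constructed sample rows (hypothetical customers, not real data).
ROWS = [
    ("customer5", "peer",   "1.1.1.1", "",        "5060", "customer5"),
    ("customer6", "peer",   "2.2.2.2", "",        "5060", "customer6"),
    ("handset1",  "friend", "dynamic", "3.3.3.3", "5060", "internal"),
]

# The query chain observed in the post, in order; the first query that returns
# a row wins, mirroring the `if (!var)` chain. :name/:ip/:port come from the
# inbound request (From user and packet source address/port).
QUERY_CHAIN = [
    ("name",        "SELECT * FROM sip_buddies WHERE name = :name"),
    ("host+port",   "SELECT * FROM sip_buddies WHERE host = :ip AND port = :port"),
    ("ipaddr+port", "SELECT * FROM sip_buddies WHERE ipaddr = :ip AND port = :port"),
    ("host",        "SELECT * FROM sip_buddies WHERE host = :ip ORDER BY host"),
    ("ipaddr",      "SELECT * FROM sip_buddies WHERE ipaddr = :ip ORDER BY ipaddr"),
    ("name=ip",     "SELECT * FROM sip_buddies WHERE name = :ip"),
]


def build_db():
    """In-memory table populated with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO sip_buddies VALUES (?,?,?,?,?,?)", ROWS)
    return conn


def realtime_lookup(conn, name, ip, port="5060", check_name=True):
    """Return (stage, row) for the first query in the chain that matches.

    check_name=False models the knob the post asks for: skip the by-name
    stage so a peer provisioned with a fixed host can only match on the
    source address. (Assumed behaviour, not a chan_sip option.)
    """
    params = {"name": name, "ip": ip, "port": port}
    for stage, sql in QUERY_CHAIN:
        if stage == "name" and not check_name:
            continue
        row = conn.execute(sql, params).fetchone()
        if row is not None:
            return stage, row
    return None, None


def hardened_lookup(conn, name, ip, port="5060"):
    """Illustrative alternative (an assumption, not chan_sip behaviour): keep
    the by-name stage, but if the row it returns pins a fixed host that is not
    the packet's source address, discard it and fall through to the IP stages."""
    stage, row = realtime_lookup(conn, name, ip, port)
    if row is None:
        return None, None
    fixed_host = row["host"] not in ("", "dynamic")
    if stage == "name" and fixed_host and row["host"] != ip:
        return realtime_lookup(conn, name, ip, port, check_name=False)
    return stage, row


if __name__ == "__main__":
    db = build_db()
    # Guessed name from an address that belongs to no peer: matched by name.
    print(realtime_lookup(db, "customer5", "9.9.9.9")[0])        # name
    # Same request with the by-name stage disabled: no match at all.
    print(realtime_lookup(db, "customer5", "9.9.9.9", check_name=False)[0])  # None
    # Genuine customer5 with an unrelated From user: matched on host+port.
    print(hardened_lookup(db, "bogus", "1.1.1.1")[0])             # host+port
```

The `hardened_lookup` variant only treats a by-name match as trustworthy when the row is dynamic or its fixed host equals the source address; a registering `friend` like `handset1` still matches by name, as its credentials are checked later rather than by address.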


