[Freeswitch-users] Call Without Authorization
Michael Jerris
mike at jerris.com
Mon Mar 3 16:02:06 MSK 2014
Registration and authorization are completely different things. Are you still using the default passwords from the sample configs? I suspect this "hacker" actually has the password.
On Mar 1, 2014, at 9:25 PM, Shahzad Bhatti <shahzad.bhatti at g-r-v.com> wrote:
> Hi Everybody,
> I am rephrasing my question:
>
> I have a legally registered SIP account 1001 on FreeSWITCH,
>
> but some hacker who is not registered on my FreeSWITCH
> uses the same 1001 account and makes calls.
>
> I put a condition in xml_dialplan to verify and allow only registered SIP accounts to call,
> as
>
> <condition field="${sofia_contact */1001@freeswitchIP}" expression="^[^@]+@(.+)">
>
> but the hacker found some way to pass the regex through some back hole in my script and make calls.
>
> The dialplan XML is
> http://pastebin.freeswitch.org/22054
> The fs_cli log is
> http://pastebin.freeswitch.org/22050
> The xml_cdr is
> http://pastebin.freeswitch.org/22052
>
> I also tried to generate the scenario but got no success, but now I want to know
> how the hacker made a successful call in the above scenario and what the best way is to prevent hacking in the future.
>
> Regards
>
> Shahzad Bhatti
>
>
> ---------- Forwarded message ----------
> From: Shahzad Bhatti <shahzad.bhatti at g-r-v.com>
> Date: Fri, Feb 28, 2014 at 11:51 PM
> Subject: Call Without Authorization
> To: freeswitch-users at lists.freeswitch.org
>
>
> Hi everybody,
>
> I created my xml_curl script so that it doesn't allow unregistered calls, with the following condition
> <condition field=\"\${sofia_contact */{$sipuser}@$domain}\" expression=\"^[^@]+@(.+)\">
> and it is working, but yesterday a call was originated having
>
> the fs_cli log
> http://pastebin.freeswitch.org/22050
>
> the xml_cdr
> http://pastebin.freeswitch.org/22052
>
> and the dialplan XML
> http://pastebin.freeswitch.org/22054
>
> This is only one example of how the hacker breached.
>
> I want to know:
> 1. How is it possible that this call was originated, as I check a condition that allows only registered SIP accounts to call?
> 2. How to prevent this from happening in the future?
> 3. If there is any better way to do that, do inform me.
>
> I checked about 500 calls placed under the given scenario and many of them were also answered.
>
> Regards
>
> Shahzad Bhatti
>
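As an added example (the editor's, not code from either poster or from the FreeSWITCH project) of the registration-versus-authorization distinction Michael makes: the first extension below repeats the `sofia_contact` check from the post, which only asks whether some device currently holds a registration for the user named in the From header. A forged INVITE whose From user is 1001 satisfies it whenever the legitimate phone is registered, and no password is involved at any point. The second extension instead tests `sip_authorized`, which mod_sofia sets to `true` only when this INVITE was digest-challenged and the response verified against the directory password. The profile name `internal`, the domain placeholder `freeswitchIP` (taken from the post) and the extension names are assumptions.

```xml
<!-- Added example, not from the original post. Assumes the SIP profile is
     named "internal" and the domain is the placeholder "freeswitchIP" used
     in the post; extension names are illustrative. -->
<include>

  <!-- WEAK: the check from the post. sofia_contact only reports whether some
       device currently holds a registration for that user. A forged INVITE
       whose From user is 1001 matches as long as the real phone is registered;
       nothing about THIS call has been authenticated. -->
  <extension name="registered_user_check_weak" continue="true">
    <condition field="${sofia_contact internal/${sip_from_user}@freeswitchIP}"
               expression="^[^@]+@(.+)">
      <action application="log"
              data="INFO ${sip_from_user} has a registration; this says nothing about who sent this INVITE"/>
    </condition>
  </extension>

  <!-- STRONGER: sip_authorized is set to "true" by mod_sofia only when this
       INVITE was digest-challenged and the response verified against the
       directory password. It requires
         <param name="auth-calls" value="true"/>
       in the profile (sip_profiles/internal.xml); with auth-calls off the
       variable is simply unset and the anti-actions run. -->
  <extension name="require_authenticated_call">
    <condition field="${sip_authorized}" expression="^true$" break="on-false">
      <anti-action application="log"
                   data="WARNING unauthenticated INVITE claiming From ${sip_from_user} from ${network_addr}"/>
      <anti-action application="respond" data="403 Forbidden"/>
      <anti-action application="hangup" data="CALL_REJECTED"/>
    </condition>
    <!-- Reached only when the call authenticated. user_name is the directory
         entry the credentials belonged to, not the unverified From header. -->
    <condition field="destination_number" expression="^(\d+)$">
      <action application="set" data="effective_caller_id_number=${user_name}"/>
      <action application="bridge" data="user/$1@${domain_name}"/>
    </condition>
  </extension>

</include>
```

Two caveats a practitioner should keep in mind. First, if the caller really does hold the password, as Michael suspects, `sip_authorized` will be `true` for the rogue calls as well; the fix in that case is to change the directory password for 1001 (and any other account still carrying a sample-config password), not more dialplan logic. Second, the `variables` section of the xml_cdr records for the rogue calls is where to look: `sip_authorized` present and `true` means the caller authenticated with the real credentials, while its absence means the profile accepted the INVITE without ever challenging it.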