Up to Discussions in OpenSBC

This Question is Answered

1 "correct" answer available (4 pts) 2 "helpful" answers available (2 pts)
4 Replies Last post: Jul 7, 2008 11:54 AM by cam100  
Click to view cam100's profile  
cam100
8 posts since
Jun 10, 2008

Jun 24, 2008 1:32 PM

handling of escaped hex characters in SIP message

Hello,

we started our internal interop test with several soft clients and hard phones using the SBC in B2BUA upper registration mode. We detected a problem with feature Activation / Deactivation and Interoggation on some clients.

We would like to activate / deactivate a call forwarding in the softswitch. The activation is done by dialing

*21*123456789# -> the invite coming from the looks as follows: To: <sip:*21*199034135525521%23@sip.mydomain.net>

I would expect now that the SBC just preserves the %23 and passes it unchanged to the softswitch but thebox changes the string and sends the following off to the switch:

To: . The switch is unable to handle this string and returns a "404 Not Found".

The same happens if we try to do a deactivation - there we dial #21# , the SBC receives a %2321%23@sip.mydomain.net and changes the string to something like
%2525252321%25252523@sip.softswitch.net

Is there any way to preserve the Hex from being replaced ? Is a B2BUA Route the right way to go ?

I' m sure that I have seen a document which explains routes and pattern matching in detail but cannot find it again. Any help is highly appreciated even a link to the document would help.

Regards,

Andre
Click to view joegen's profile  
joegen
87 posts since
Apr 28, 2007
1. Jun 24, 2008 10:11 PM in response to: cam100
Re: handling of escaped hex characters in SIP message
Hi Andre,

Can you send me a Level 5 Log of the call off-list. I'd like to know where OpenSBC exactly decides to unescape it. My e-mail address is joegen@opensipstack.org. Wireshark dump is also a desirable addition to the log.

Joegen

cam100 wrote:
Hello,

we started our internal interop test with several soft clients and hard phones using the SBC in B2BUA upper registration mode. We detected a problem with feature Activation / Deactivation and Interoggation on some clients.

We would like to activate / deactivate a call forwarding in the softswitch. The activation is done by dialing

*21*123456789# -> the invite coming from the looks as follows: To: <sip:*21*199034135525521%23@sip.mydomain.net>

I would expect now that the SBC just preserves the %23 and passes it unchanged to the softswitch but thebox changes the string and sends the following off to the switch:

To: . The switch is unable to handle this string and returns a "404 Not Found".

The same happens if we try to do a deactivation - there we dial #21# , the SBC receives a %2321%23@sip.mydomain.net and changes the string to something like
%2525252321%25252523@sip.softswitch.net

Is there any way to preserve the Hex from being replaced ? Is a B2BUA Route the right way to go ?

I' m sure that I have seen a document which explains routes and pattern matching in detail but cannot find it again. Any help is highly appreciated even a link to the document would help.

Regards,

Andre
Click to view cam100's profile  
cam100
8 posts since
Jun 10, 2008
2. Jul 5, 2008 4:40 AM in response to: joegen
Re: handling of escaped hex characters in SIP message
Hello Joegen,


I have send you the traces offline. Beside that, I did some more investigations and (hopefully) found the root cause for the problem. The safeChars list in opensipstack/src/ParserTools.cxx does not contain the "%". Therefore, an "%" is escaped everytime the message goes through this function. After adding the "%" to the list of safe chars, the problem disappears and an invite send in the form :


%2343%23@domain.tld is not changed anymore.


I would appreciate if you could check the impact of this change to the remaining code - if there is no impact, it would be great if you would incorporate it.


const char * safeChars = "abcdefghijklmnopqrstuvwxyz"
"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
"0123456789$-_.!*'(),+#";

changed to


const char * safeChars = "abcdefghijklmnopqrstuvwxyz"
"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
"0123456789$-_.!*'(),+#%";


Regards,


Andre

Click to view joegen's profile  
joegen
87 posts since
Apr 28, 2007
3. Jul 6, 2008 9:37 PM in response to: cam100
Re: handling of escaped hex characters in SIP message
Andre,

Thanks for the logs you sent off list. As for inserting "%" character in the safeChars list, I wish it is as simple as that. The percent character really needs to be escaped if the URI is not already in its escaped form. "%25" is the escaped for of "%" character so it's just right for it not to be there. The problem is really double escaping. I have decided that it wasn't a correct decision to automatically escape SIPURI bacause there is really no way for the lower subsystem to know when it is already double escaping. At least there is no light weight approach to it.

I have removed SIPURI auto-escaping feature in CVS. The side-effect of this is that implementors need to decide for themselves when to unescape components of a URI. Please try it and let me know.

Joegen

cam100 wrote:
Hello Joegen,

I have send you the traces offline. Beside that, I did some more investigations and (hopefully) found the root cause for the problem. The safeChars list in opensipstack/src/ParserTools.cxx does not contain the "%". Therefore, an "%" is escaped everytime the message goes through this function. After adding the "%" to the list of safe chars, the problem disappears and an invite send in the form :

%2343%23@domain.tld is not changed anymore.

I would appreciate if you could check the impact of this change to the remaining code - if there is no impact, it would be great if you would incorporate it.

const char * safeChars = "abcdefghijklmnopqrstuvwxyz"
"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
"0123456789$-_.!*'(),+#";

changed to

const char * safeChars = "abcdefghijklmnopqrstuvwxyz"
"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
"0123456789$-_.!*'(),+#%";

Regards,

Andre
Click to view cam100's profile  
cam100
8 posts since
Jun 10, 2008
4. Jul 7, 2008 11:57 AM in response to: joegen
Re: handling of escaped hex characters in SIP message
Hello Joegen,

I compiled the SBC from the latest CVS version again - it works now. Many thanks.

But I still have questions. After the code change, the automatic SIPURI escape does not occur anymore and we leave the decision with the implementer- but how can one detect whether escaping is needed or not ? With not escaping the SIPURI anymore, do we create a possible security issue ? I thought about it the whole afternoon but could not find a possible approach. My problem is that there are too many variations and false positives in the pattern.

I referred to the RFC2396 again and read that an "%" character always has the preserved purpose of being the escape indicatior - I concluded therefore that the client application which receives an "%" character in the data part must do the escaping already (2.4.2. When to Escape and Unescape). If we trust it, we would be able to add the "%" to the list of safeChars - but I see a security and likely interoperabilty problem here.

My other idea was to leave the decision what to escape or not with the operator. An operator knows about special patterns which are used in his network - such as:

43 or

#43#.

What if a configuration option is present (even in the sourcecode, the information must be entered before compiling) where the operator can add preserved patterns ? (e.g. %2343%23 ) It can still cause false positives, but I think this chance is relatively low. We could then leave the automatic escape enabled and protect the SBC from being attacked in the SIPStack Code already. We would also solve the double escaping issue because the ParserTools would not touch our preserved pattern anymore.

What do you think ?

Regards,

Andre

Actions

More Like This