VoIP and WebRTC
Security Articles and News
Articles and security news about vulnerabilities and attacks affecting VoIP and WebRTC by Enable Security.
SIPVicious PRO incremental update - and Gitlab CI/CD examples
Published on Mar 7, 2023 in sip security, sipvicious pro, sip security testing, sipvicious releases, devops, security tools
We just pushed out a new SIPVicious PRO update to our subscribing members! This version does not include any new major features. Instead, it fixes various bugs and brings missing but necessary features to various SIPVicious PRO tools. We have the following highlights in this update:
- Documentation now includes realistic Gitlab CI/CD examples
- The RTP fuzzer in the experimental version now supports SRTP
- Support for new SIP DoS flood request methods
- The RTP inject tool can now specify the RTP’s SSRC and payload ID
- The SIP password cracking tool now supports closing the connection upon each attempt
- The SIP ping utility supports INVITE
For the boring details, including a list of bug fixes, do read the release notes for v6.0.0-experimental.6 and v6.0.0-beta.6.
Kamailio’s exec module considered harmful
Executive summary (TL;DR)
- The combination of pseudo-variables and Kamailio’s exec can be risky and may result in code injection.
- By using special SIP headers and environment variables, it becomes effortless to exploit a vulnerable configuration.
- We have created a Docker environment to assist readers in reproducing this vulnerability and testing solutions.
- Protection is tricky and the official documentation may have previously misled developers - we aim to fix that by updating the module’s official documentation.
- Kamailio configurations should use a strict allow list or avoid the module altogether.
Introduction to Kamailio’s exec module and its capabilities
The Kamailio SIP server ships with a module for executing external commands from within a Kamailio configuration. The topic of this article is how the exec module may be misused to lead to remote code execution vulnerabilities. The default Kamailio configuration, which is used as a starting point for many live installations, does not make use of this module. On the other hand, we have seen this module being used in various production environments and have, in the past, found some of these installations to be vulnerable.
How to perform a DDoS attack simulation
Published on Nov 29, 2022 in denial of service, voip security
TL;DR
A DDoS simulation is a practical exercise that various organisations are capable of doing. Understand the reasons why you would want to do this, then combine custom with off-the-shelf attack tools. Follow best practices, apply solutions and mitigations, and you can finally answer: what if we got attacked?
Introduction
In this post, we give an overview of how you too can perform your own distributed denial of service (DDoS) simulation exercises. We focus on attacking real-time communications systems because this is an area where DoS attacks can really cause damage. But the instructions and ideas outlined in this text will apply to any system in general that you might need to test. Even if in this article we do not really focus on the defensive side of protecting against DoS, ultimately the goal is to design and implement solutions that actually work for the systems and applications that need to be protected.
RTCSec newsletter is one year old!
Published on Oct 26, 2022
Roughly a year ago, we sent out the first RTCSec newsletter and have been doing so every month. Each time, we have covered more and more of our favourite topics, VoIP and WebRTC security. And now, it has become our primary way of keeping up to date with what is happening, and our most regular publication too.
If you are not yet subscribed, do so at https://www.enablesecurity.com/subscribe/. The next one is out in a few days!
SIPVicious PRO experimental now supports STIR/SHAKEN and 5 new tools
Published on Jul 6, 2022 in sip security, sipvicious pro, sip security testing, sipvicious releases
At the time of writing, we maintained two SIPVicious PRO builds for internal use: a stable build and an experimental build. The v6.0.0-beta.5 stable build includes a large number of fixes, much better (or sane) defaults and full coverage of SRTP throughout the toolset.
The experimental version is where the excitement is. Our members now have access to 5 new tools that we find useful in our work:
- RTP fuzzer
- SIP STIR/SHAKEN fuzzer
- SIP Iterator utility
- TCP flood tool
- SIP server for fuzzing
Each new tool warrants a blog post of its own. But that’s not all, because some of the existing tools have now been blessed with STIR/SHAKEN capabilities, and the SIP flood DoS tool can now use multiple source IP addresses.
We’re hiring a pentester / security researcher
Published on May 4, 2022
Do you know anyone who would like to join the team at Enable Security as a pentester / security researcher?
We have a remote open position for the right person. We are mainly looking for someone full-time but persons interested in joining us part-time should also apply. More details can be found at the actual hiring page.
Exploiting CVE-2022-0778, a bug in OpenSSL vis-à-vis WebRTC platforms
Published on Apr 8, 2022 in denial of service, demo server, freeswitch, asterisk, webrtc security, kamailio, sipvicious pro
Executive summary (TL;DR)
Exploiting CVE-2022-0778 in a WebRTC context requires that you get a few things right first. But once that is sorted, DoS (in RTC) is the new RCE!
How I got social engineered into looking at CVE-2022-0778
A few days ago, Philipp Hancke, self-proclaimed purveyor of the dark side of WebRTC, messaged me privately with a very simple question: “are you offering a DTLS scanner by chance?”
He explained how in the context of WebRTC it would be a bit difficult since you need to get signaling right, ICE (that dance with STUN and other funny things) and finally, you get to do your DTLS scans. He added that he hopes that these difficulties raise the bar for exploiting latest OpenSSL CVE.
Killing bugs … one vulnerability report at a time
Published on Oct 29, 2021 in freeswitch, voip security, conferences, denial of service
The story behind our FreeSWITCH advisories and how one sleepless night led to 4 vulnerabilities that needed reporting, plus one more found due to a bug in our own software. We explain how these flaws were discovered, reported, fixed and what we ultimately learned.
ClueCon: FreeSWITCH Security Advisories
Published on Oct 25, 2021 in freeswitch, voip security, conferences, denial of service
The FreeSWITCH team has just published version v1.10.7 which fixes a number of security issues that we reported. If you use FreeSWITCH, please do upgrade to get these security updates.
To learn about the background work that went into getting these security bugs squashed, follow Sandro’s talk called Killing bugs … one vulnerability report at a time. This will be presented at ClueCon on Thursday, October 28th.
Here are the titles of each advisory and a very short summary:
Why volumetric DDoS cripples VoIP providers and what we see during pentesting
Published on Oct 13, 2021 in denial of service, voip security
An epiphany
Until a few days ago, I was of the opinion that simulating volumetric DDoS attacks is not something we should be doing. If you had asked us for such a test, we would have given you a negative answer.
Ironically, we had been unwittingly simulating volumetric DDoS attacks while quietly ignoring our own results. But, it’s time to stop neglecting bandwidth saturation and start giving it the attention that it deserves.