Skip to main content

VoIP and WebRTC
Security Articles and News

Articles and security news about vulnerabilities and attacks affecting VoIP and WebRTC by Enable Security.

Subscribe
a phone receiver being crushed by a hand

    SIPVicious PRO 6.0.0-beta.4 getting close to take-off!

    Published on May 20, 2021 in , , ,

    This one’s a bit of a boring update for SIPVicious PRO. That’s because we’re getting to a stable place where flag names and values do not change too often. Which means, we’re getting out of beta rather soon! However, it is still a major update because we made a significant number of internal changes. For example, we standardized a number of flags to be the same across all tools. We discovered that we can minimize each tool’s flagset by making use of config flags such as --auth-config that allows you to configure behaviours specific to how SIPVicious handles authentication (e.…

    Read more about SIPVicious PRO 6.0.0-beta.4 getting close to take-off!

    TADSummit Asia 2021 talk about SIPVicious Pro and the Demo Server

    Published on May 18, 2021 in , , , , , , , ,

    TADSummit is a great event where people from different backgrounds that are somehow involved in communications, contribute in various ways. I, personally, always look forward to see what’s coming up in the next TADSummit event. At the moment, TADSummit Asia presentations are currently being released on a daily basis on the main site. And last week, the presentation that I prepared was published! In the previous TADSummit, I had presented about why we need to bring an offensive approach to RTC security.…

    Read more about TADSummit Asia 2021 talk about SIPVicious Pro and the Demo Server

    OpenSIPIt'01: Lessons learned, STIR/SHAKEN security testing and RFC 8760

    Published on Apr 16, 2021

    Executive summary (TL;DR) It was a great event, highly recommended if you’re a SIP developer. We developed new STIR/SHAKEN capabilities in SIPVicious PRO. And we found some vulnerabilities during the event that got fixed in the process. What was OpenSIPIt#01 about? This week the humble security researchers from Enable Security participated in OpenSIPIt#01, an online event run by the community to test interoperability across various independent open-source SIP implementations especially when it comes to new RFCs.…

    Read more about OpenSIPIt'01: Lessons learned, STIR/SHAKEN security testing and RFC 8760

    SIPVicious OSS 0.3.3 released with new STDIN and target URL specification

    Published on Mar 25, 2021 in , , ,

    Without further ado, please say hello to SIPVicious OSS 0.3.3! To install or upgrade run pip install -U sipvicious. For more installation methods, see the wiki. What’s new? SIP extensions and passwords from standard input We have a new feature which seems so simple yet so powerful: STDIN for dictionary input! This works for both svwar and svcrack. It is similar to what we did with SIPVicious PRO, which (surprisingly) proved to be a very popular feature.…

    Read more about SIPVicious OSS 0.3.3 released with new STDIN and target URL specification

    Bug discovery diaries: Abusing VoIPmonitor for Remote Code Execution

    Published on Mar 16, 2021 in , , , , , ,

    Executive summary (TL;DR) We fuzzed VoIPmonitor by using SIPVicious PRO and got a crash in the software’s live sniffer feature when it is switched on. We identified the cause of the crash by looking at the source code, which was a classic buffer overflow. Then we realized that was fully exploitable since the binaries distributed do not have any memory corruption protection. So we wrote exploit code using ROP gadgets to get remote code execution by just sending a SIP packet.…

    Read more about Bug discovery diaries: Abusing VoIPmonitor for Remote Code Execution

    VoIPmonitor advisories: buffer overflow leading to RCE + XSS vulnerabilities

    Published on Mar 15, 2021

    VoIPmonitor released updates to both the sniffer component and the web application to address vulnerabilities that your favourite Enable Security researchers identified and reported. The sniffer component had a buffer overflow flaw that we actually abused to run arbitrary code (yes, in 2021!). The web application, on the other hand, was vulnerable to cross-site scripting introduced through SIP messages with XSS payloads - which is pretty bad. And so, we just released three advisories to provide further details so that organisations using this software can make better informed decisions.…

    Read more about VoIPmonitor advisories: buffer overflow leading to RCE + XSS vulnerabilities

    SIPVicious OSS 0.3.2 released with more IPv6 goodness!

    Published on Mar 3, 2021 in , , ,

    The free and opensource version of SIPVicious has been updated so that support for IPv6 is also available in svmap. If you can’t wait to try it out, you can get it at the official repository or by using pip3 install sipvicious --upgrade. So now, with svmap’s IPv6 support, you can do stuff like: sipvicious_svmap -6 -v 2a01:7e01::f03c:92ff:fecf:60a8 INFO:DrinkOrSip:trying to get self ip .. might take a while INFO:root:start your engines INFO:DrinkOrSip:-:61500 -> 2a01:7e01::f03c:92ff:fecf:60a8:5060 -> kamailio (5.…

    Read more about SIPVicious OSS 0.3.2 released with more IPv6 goodness!

    Communication Breakdown / rtcsec also on FreeRTC and SIP Planet

    Published on Feb 12, 2021

    At Enable Security, we often contribute the open source RTC communication in various ways - vulnerability reports, blog posts and analysis. And so, this blog is now aggregated on Free Real-Time Communications (RTC) and SIP planet sites! Now that was a short post :-) Next one will be longer.…

    Read more about Communication Breakdown / rtcsec also on FreeRTC and SIP Planet

    SIPVicious PRO 6.0.0-beta.2 takes STDIN and fixes various bugs

    Published on Feb 9, 2021 in , , ,

    What we’re excited about in this minor update is the addition of a new feature to the SIP cracker in SIPVicious PRO. Basically, it now takes input from external tools through standard input. Why? Because it allows infinite ways of generating potential usernames, passwords and/or SIP extensions when making use of external tools such as the maskprocessor included in the well known password cracker, hashcat. Here’s an animation showing usage of the maskprocessor to generate passwords for the SIP online cracking tool:…

    Read more about SIPVicious PRO 6.0.0-beta.2 takes STDIN and fixes various bugs

    Details about CVE-2020-26262, bypass of Coturn’s default access control protection

    Published on Jan 11, 2021 in , , ,

    Video demonstration The following demonstration shows the security bypass of the default coturn configuration on IPv4: Note Turn on the captions by clicking on the CC button and watch on full screen for optimal viewing experience. Background: why does coturn have default access control rules in the first place? TURN servers are an important part of many WebRTC infrastructures because they make it possible to relay the media even for hosts behind restrictive NAT.…

    Read more about Details about CVE-2020-26262, bypass of Coturn's default access control protection

    Subscribe

    Receive high-quality, low-volume RTC security research, news and occasional updates about what we're up to.

    Interested in our services? Let's collaborate.
    Get in touch

    We hate spam and are committed to protecting and respecting your privacy. You can unsubscribe from our communications at any time. By subscribing, you are agreeing to the Privacy Policy.