VoIP and WebRTC
Security Articles and News

Articles and security news about vulnerabilities and attacks affecting VoIP and WebRTC by Enable Security.

Massive DDoS attacks on VoIP Providers and simulated DDoS testing

Published on Sep 24, 2021

VoIP.ms and other VoIP providers under DDoS attack

At the time of writing, a major VoIP provider called VoIP.ms has been under a distributed denial of service (DDoS) attack for over a week. As a result, they are unable to serve their customers, with everyone and their dog complaining that they cannot connect to VoIP.ms’s SIP servers as well as other resources. At the same time, someone claiming to be part of the REvil ransomware group is blackmailing the provider.

Read more about Massive DDoS attacks on VoIP Providers and simulated DDoS testing

Abusing SIP for Cross-Site Scripting? Most definitely!

Published on Jun 10, 2021

SIP can be used as an attack vector for cross-site scripting (XSS), potentially leading to unauthenticated remote compromise of critical systems. This writeup explores how persistent backdoor administrative access was obtained by sending malicious SIP messages to VoIPmonitor GUI.…

Read more about Abusing SIP for Cross-Site Scripting? Most definitely!

SIPVicious OSS v0.3.4 released with exit codes and automation features

We just made SIPVicious OSS v0.3.4 available, so go get it! Or install it via pip:

pip install sipvicious --upgrade

What’s new?

Two main things:

  • Exit codes, just like SIPVicious PRO’s
  • Integration with GitHub Actions

This release makes it much easier to use SIPVicious OSS within your CI/CD pipelines and other automation systems. One should, of course, read the documentation on automation for more information. But here’s an example script to get the idea of what can be done:

Read more about SIPVicious OSS v0.3.4 released with exit codes and automation features

DEMO - An overview of the VoIP and RTC offensive security toolset, SIPVicious PRO

We pushed out a video that introduces the basics of SIPVicious PRO by demonstrating some of the attack tools and showing the building blocks for automating security testing of VoIP and WebRTC applications and infrastructure.

What follows is a transcript of the video.

Introduction

Hello, I’m Sandro Gauci from Enable Security. In this video, I’d like to show you what we have been working on, SIPVicious PRO! Let’s start by introducing the tools. SIPVicious PRO is a command-line toolset, meant to test the security of realtime communications, which includes Voice over IP as well as WebRTC infrastructure.

Read more about DEMO - An overview of the VoIP and RTC offensive security toolset, SIPVicious PRO

SIPVicious PRO 6.0.0-beta.4 getting close to take-off!

This one’s a bit of a boring update for SIPVicious PRO. That’s because we’re getting to a stable place where flag names and values do not change too often. Which means, we’re getting out of beta rather soon!

However, it is still a major update because we made a significant number of internal changes. For example, we standardized a number of flags to be the same across all tools. We discovered that we can minimize each tool’s flagset by making use of config flags such as --auth-config that allows you to configure behaviours specific to how SIPVicious handles authentication (e.g. selecting a specific algorithm for digest authentication). This allows us to better show those flags that are more commonly used and hide the really custom or advanced ones away until they’re actually needed. And obviously, we fixed lots of bugs.

Read more about SIPVicious PRO 6.0.0-beta.4 getting close to take-off!

TADSummit Asia 2021 talk about SIPVicious Pro and the Demo Server

TADSummit is a great event where people from different backgrounds that are somehow involved in communications contribute in various ways. I, personally, always look forward to seeing what’s coming up in the next TADSummit event. At the moment, TADSummit Asia presentations are currently being released on a daily basis on the main site. And last week, the presentation that I prepared was published!

In the previous TADSummit, I had presented about why we need to bring an offensive approach to RTC security. In this one, I introduce our contributions to the space, i.e. SIPVicious OSS, SIPVicious PRO and the demo server.

Read more about TADSummit Asia 2021 talk about SIPVicious Pro and the Demo Server

OpenSIPIt'01: Lessons learned, STIR/SHAKEN security testing and RFC 8760

Published on Apr 16, 2021

Executive summary (TL;DR)

  • It was a great event, highly recommended if you’re a SIP developer.
  • We developed new STIR/SHAKEN capabilities in SIPVicious PRO.
  • And we found some vulnerabilities during the event that got fixed in the process.

What was OpenSIPIt#01 about?

This week the humble security researchers from Enable Security participated in OpenSIPIt#01, an online event run by the community to test interoperability across various independent open-source SIP implementations, especially when it comes to new RFCs. Various parties participated, including:

Read more about OpenSIPIt'01: Lessons learned, STIR/SHAKEN security testing and RFC 8760

SIPVicious OSS 0.3.3 released with new STDIN and target URL specification

Without further ado, please say hello to SIPVicious OSS 0.3.3!

To install or upgrade, run pip install -U sipvicious. For more installation methods, see the wiki.

What’s new?

SIP extensions and passwords from standard input

We have a new feature which seems so simple yet so powerful: STDIN for dictionary input! This works for both svwar and svcrack. It is similar to what we did with SIPVicious PRO, which (surprisingly) proved to be a very popular feature. So, we thought of backporting it to SVOSS (SIPVicious OSS). From now on, one can easily use external tools to generate passwords on the fly for cracking with svcrack, or to generate SIP extensions on the fly for SIP extension enumeration with svwar. To do so, instead of specifying a filename to the --dictionary flag, give it - as its value.

Read more about SIPVicious OSS 0.3.3 released with new STDIN and target URL specification

Bug discovery diaries: Abusing VoIPmonitor for Remote Code Execution

Executive summary (TL;DR)

We fuzzed VoIPmonitor by using SIPVicious PRO and got a crash in the software’s live sniffer feature when it is switched on. We identified the cause of the crash by looking at the source code, which was a classic buffer overflow. Then we realized that it was fully exploitable since the binaries distributed do not have any memory corruption protection. So we wrote exploit code using ROP gadgets to get remote code execution by just sending a SIP packet. We also reported this upstream so that it was fixed in the official distribution.

Read more about Bug discovery diaries: Abusing VoIPmonitor for Remote Code Execution

VoIPmonitor advisories: buffer overflow leading to RCE + XSS vulnerabilities

Published on Mar 15, 2021

VoIPmonitor released updates to both the sniffer component and the web application to address vulnerabilities that your favourite Enable Security researchers identified and reported. The sniffer component had a buffer overflow flaw that we actually abused to run arbitrary code (yes, in 2021!). The web application, on the other hand, was vulnerable to cross-site scripting introduced through SIP messages with XSS payloads - which is pretty bad.

And so, we just released three advisories to provide further details so that organisations using this software can make better informed decisions. The advisories can be found at the usual location:

Read more about VoIPmonitor advisories: buffer overflow leading to RCE + XSS vulnerabilities