VoIP and WebRTC
Security Articles and News
Articles and security news about vulnerabilities and attacks affecting VoIP and WebRTC by Enable Security.
Subscribe
OpenSIPIt'01: Lessons learned, STIR/SHAKEN security testing and RFC 8760
Published on Apr 16, 2021
Executive summary (TL;DR)
- It was a great event, highly recommended if you’re a SIP developer.
- We developed new STIR/SHAKEN capabilities in SIPVicious PRO.
- And we found some vulnerabilities during the event that got fixed in the process.
What was OpenSIPIt#01 about?
This week the humble security researchers from Enable Security participated in OpenSIPIt#01, an online event run by the community to test interoperability across various independent open-source SIP implementations especially when it comes to new RFCs. Various parties participated, including:
…
SIPVicious OSS 0.3.3 released with new STDIN and target URL specification
Published on Mar 25, 2021 in sipvicious oss, security tools, sip security, sipvicious releases
Without further ado, please say hello to SIPVicious OSS 0.3.3!
To install or upgrade run pip install -U sipvicious. For more installation methods, see the wiki.
What’s new?
SIP extensions and passwords from standard input
We have a new feature which seems so simple yet so powerful: STDIN for dictionary input! This works for both svwar and svcrack. It is similar to what we did with SIPVicious PRO, which (surprisingly) proved to be a very popular feature. So, we thought of backporting it to SVOSS (SIPVicious OSS). From now on, one can easily use external tools to generate passwords on the fly for cracking with svcrack, or to generate SIP extensions on the fly for SIP extension enumeration with svwar. To do so, instead of specifying a filename to the --dictionary flag, give it - as its value.
Bug discovery diaries: Abusing VoIPmonitor for Remote Code Execution
Published on Mar 16, 2021 in fuzzing, sip security, sip security testing, research, sipvicious pro, voip security, gasoline
Executive summary (TL;DR)
We fuzzed VoIPmonitor by using SIPVicious PRO and got a crash in the software’s live sniffer feature when it is switched on. We identified the cause of the crash by looking at the source code, which was a classic buffer overflow. Then we realized that was fully exploitable since the binaries distributed do not have any memory corruption protection. So we wrote exploit code using ROP gadgets to get remote code execution by just sending a SIP packet. We also reported this upstream so that it was fixed in the official distribution.
…VoIPmonitor advisories: buffer overflow leading to RCE + XSS vulnerabilities
Published on Mar 15, 2021
VoIPmonitor released updates to both the sniffer component and the web application to address vulnerabilities that your favourite Enable Security researchers identified and reported. The sniffer component had a buffer overflow flaw that we actually abused to run arbitrary code (yes, in 2021!). The web application, on the other hand, was vulnerable to cross-site scripting introduced through SIP messages with XSS payloads - which is pretty bad.
And so, we just released three advisories to provide further details so that organisations using this software can make better informed decisions. The advisories can be found at the usual location:
…SIPVicious OSS 0.3.2 released with more IPv6 goodness!
Published on Mar 3, 2021 in sipvicious oss, security tools, sip security, sipvicious releases
The free and opensource version of SIPVicious has been updated so that support for IPv6 is also available in svmap. If you can’t wait to try it out, you can get it at the official repository or by using pip3 install sipvicious --upgrade.
So now, with svmap’s IPv6 support, you can do stuff like:
sipvicious_svmap -6 -v 2a01:7e01::f03c:92ff:fecf:60a8
INFO:DrinkOrSip:trying to get self ip .. might take a while
INFO:root:start your engines
INFO:DrinkOrSip:-:61500 -> 2a01:7e01::f03c:92ff:fecf:60a8:5060 -> kamailio (5.4.4 (x86_64/linux))
INFO:root:we have 1 devices
+-------------------------------------+---------------------------------+
| SIP Device | User Agent |
+=====================================+=================================+
| 2a01:7e01::f03c:92ff:fecf:60a8:5060 | kamailio (5.4.4 (x86_64/linux)) |
+-------------------------------------+---------------------------------+
INFO:root:Total time: 0:00:03.028053
Do note that CIDR scans on IPv6 are unsupported, but of course, one can scan multiple ports for SIP on a target.
…Communication Breakdown / rtcsec also on FreeRTC and SIP Planet
Published on Feb 12, 2021
At Enable Security, we often contribute the open source RTC communication in various ways - vulnerability reports, blog posts and analysis. And so, this blog is now aggregated on Free Real-Time Communications (RTC) and SIP planet sites!
Now that was a short post :-) Next one will be longer.
…SIPVicious PRO 6.0.0-beta.2 takes STDIN and fixes various bugs
Published on Feb 9, 2021 in sip security, sipvicious pro, sip security testing, sipvicious releases
What we’re excited about in this minor update is the addition of a new feature to the SIP cracker in SIPVicious PRO. Basically, it now takes input from external tools through standard input.
Why? Because it allows infinite ways of generating potential usernames, passwords and/or SIP extensions when making use of external tools such as the maskprocessor included in the well known password cracker, hashcat. Here’s an animation showing usage of the maskprocessor to generate passwords for the SIP online cracking tool:
…Details about CVE-2020-26262, bypass of Coturn’s default access control protection
Published on Jan 11, 2021 in webrtc security, bug bounty, research, TURN security
Video demonstration
The following demonstration shows the security bypass of the default coturn configuration on IPv4:
Heads up
Turn on the captions by clicking on the CC button and watch on full screen for optimal viewing experience.Background: why does coturn have default access control rules in the first place?
TURN servers are an important part of many WebRTC infrastructures because they make it possible to relay the media even for hosts behind restrictive NAT. We wrote about this extensively in the post called How we abused Slack’s TURN servers to gain access to internal services. To summarize: from the perspective of a pentester, a TURN server is very similar to a proxy server, allowing relaying of TCP connections and UDP packets. One somewhat obvious problem is that attackers can abuse these TURN servers to connect to network services behind the firewall, such as those on the TURN server itself. To address this problem, coturn prevents connections to loopback IP addresses 127.0.0.1 on IPv4 and [::1] on IPv6. This default protection mechanism has been there since coturn version 4.5.1.0 ‘dan Eider’ which was released back in November 2018.
Bug discovery diaries: uncovering sngrep overflow issues with blackbox fuzzing
Published on Jan 5, 2021 in fuzzing, sip security, sipvicious pro, sip security testing, opensips
Executive summary (TL;DR)
During OpenSIPIt, we crashed sngrep by mistake while briefly fuzzing OpenSIPS. Later on we setup a docker environment to reproduce the issue, identified the actual bugs and reported them upstream. If you want to learn the simple steps to do this, you actually have to read the rest of the post :-)
sngrep crash during the live OpenSIPit event
Last year we participated in OpenSIPIt’s interoperability testing event which was held between the 14th and 15th of September 2020. Amongst the topics discussed were RFC8760 (SHA-digest), STIR/SHAKEN and RFC8599 (push notifications). Whilst trying to stick to the agenda, we couldn’t resist the temptation to fuzz test the servers that were available to us. An instance of OpenSIPS was tested for a very short period of time, however, we did not observe any server crashes.
…SIPVicious PRO beta release contains SIP fuzzer and better automation
Published on Dec 3, 2020 in fuzzing, sip security, sipvicious pro, sip security testing, sipvicious releases
We just made SIPVicious PRO v6.0.0-beta.1 available to our beta testers. This latest release brings a new SIP fuzzer and enhancements for automation to your favourite RTC offensive security toolset. We have the following highlights with this release:
- New fuzzing tools -
sip fuzz method. This used to be in a separate internal tool called gasoline (see our toolset page); this now been polished and has joined the SVPRO toolset; this has been used to identify vulnerabilities in Kamailio (advisory), sngrep (advisory 1 and 2) and other SIP servers. - Tool results provided at the end of a test are now standardized with a JSON schema so that they can easily be parsed or used to produce reports by third-party tools. See the documentation about automation and results.
- Exit codes updated for future compatibility when using it within automation systems. See the documentation about signal handling and exit codes.
- Full IPv6 support across all tools.
- Documentation site is now refreshed, and central to SIPVicious PRO at https://docs.sipvicious.pro.
- And of course, various bug fixes. Full changelog can be seen here.