We’re sending this out a bit earlier than usual as some of us will be taking some time off soon. See you next month!
In this edition, we cover:
- Our latest presentation for OWASP 2024 Global AppSec.
- An intriguing blog series by Margin Research on synthetic vulnerabilities in Signal-iOS’s WebRTC.
- Updates on new Cisco phone vulnerabilities that won’t be fixed, and a recently addressed Asterisk AMI vulnerability.
- A brief overview of notable presentations from Blackhat, DEF CON, and BSidesLV that might interest the RTCSec newsletter audience.
- And much more!
The RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.
What is RTC security anyway? Real-time communications security determines if you can safely communicate in real time - whether it be with other humans or machines.
You may sign up to receive the RTCSec newsletter here. If you like what we’re doing, you’re most welcome to:
- Forward it to those who may find this newsletter particularly fruitful.
- Let us know if there are any RTC security news items we should cover.
To view past issues, please visit our website at https://www.enablesecurity.com/newsletter/.
Our news
Upcoming presentation - Web Security Experts: Are you overlooking WebRTC vulnerabilities?
We’re preparing a presentation that will be delivered on September 26th at the OWASP 2024 Global AppSec conference in San Francisco.
Title: Web Security Experts: Are you overlooking WebRTC vulnerabilities?
Synopsis:
As the web evolves, so do the complexities of securing it. WebRTC (Web Real-Time Communication) is a powerful technology embedded in every modern web browser, enabling audio, video, and data sharing. While WebRTC offers tremendous advantages for real-time communication, it introduces a unique set of security challenges that many web and API security professionals may overlook.
This presentation aims to bridge the knowledge gap between traditional web/API security and the specialized realm of WebRTC. Designed for OWASP attendees ranging from novice to advanced practitioners, it will provide a comprehensive overview of WebRTC security concepts, common vulnerabilities, and practical testing methodologies.
Are you planning to be there? Get in touch so that we can connect.
What’s happening?
You Can’t Spell WebRTC Without RCE: Synthetic Vulnerabilities in Signal-iOS’s WebRTC
Margin Research published a series of blog posts titled You Can’t Spell WebRTC Without RCE. For those in the cybersecurity field, it’s easy to see how RTC might be mistaken for RCE.
These posts explore the intentional reintroduction of previously fixed vulnerabilities for educational purposes. Along the way, readers are provided with an in-depth explanation of WebRTC’s internals and complexities. The topics covered include:
- Receiving and Parsing Data
- Removing Mitigations and Injecting Vulnerabilities
- Building a Research Environment
- Triggering the Vulnerabilities
- Starting the Call
- Sending Modified RTCP Messages
- Requesting and Retrieving a Leak
- Triggering the memcpy Function
- Testing the Triggers
- Breaking ASLR
- Leaking the Stack(s)
This research complements Natalie Silvanovich’s work on exploiting Android messaging apps via WebRTC. You can read the blog posts directly:
Hacker Summer Camp 2024: Black Hat, DEF CON, and BSidesLV
The annual hacker events in Las Vegas took place this month, featuring numerous fascinating talks and presentations. Although we couldn’t attend this year, several topics caught our attention. Here are a few highlights, along with our thoughts:
Listen Up: Sonos Over-The-Air Remote Kernel Exploitation and Covert Wiretap - Alex and Robert from NCC Group discussed a vulnerability in the Wi-Fi chipset of Sonos audio devices that allows full device takeover. This could enable eavesdropping on conversations in the room, among other security risks. Devices with microphones, particularly desktop VoIP phones, are especially vulnerable when fully compromised.
Listen to the Whispers: Web Timing Attacks that Actually Work - James Kettle from Portswigger presented a paper and tools on timing attacks, a vector often considered difficult to exploit. This presentation has practical implications not only for web security but also for real-time communication systems, which aligns with our ongoing work on VoIP and WebRTC security.
Combating Phone Spoofing with STIR/SHAKEN - A BSidesLV Crowd-Sourced Status Quo, Demo & Explanation - This session appears to be worth exploring. The video is available on YouTube.
Splitting the Email Atom: Exploiting Parsers to Bypass Access Controls - Gareth Heyes from Portswigger delivered a presentation at DEF CON and Black Hat on the security risks associated with email parsers used by websites, particularly their inconsistencies. This topic is particularly relevant to us, as SIP uses a similar email address format in SIP URIs, which could potentially expose similar vulnerabilities.
Critical security vulnerabilities in Cisco SPA300 and SPA500 IP phones, not getting fixed
An article on The Register caught my eye, titled Hello? Are you talking on a Cisco SPA300 or SPA500 IP phone? Now’s the time to junk ’em. The reason is that these phones have multiple vulnerabilities that are not getting fixed because the phones are past their end of life. The main three vulnerabilities are pretty serious: buffer overflows that can be exploited by any unauthenticated attacker who can reach the web interface of these phones.
Go read the advisories from Cisco if this concerns you.
Presentations not on WebRTC security, but on WebRTC for distributed P2P
While searching for new YouTube videos on WebRTC security, I found two presentations from different conferences that discussed using WebRTC for distributed peer-to-peer and blockchain applications. Although this isn’t a new concept, it made me wonder: which of the vulnerabilities we frequently cover in this newsletter might also be relevant to these blockchain scenarios?
- Introduction to WebRTC with libp2p - Daniel Norman
- HDwallets, Liquid Auth, and Decentralized Identity | Decipher 2024 Day 1
It’s also fascinating to see how they leverage the technology differently from what we’re used to in online conferencing systems and similar applications. There’s significantly more use of data channels and much less emphasis on media.
As Daniel Norman aptly put it, a recurring theme is: “WebRTC is quite complex.”
Asterisk project fixed a privilege escalation for AMI
The Asterisk open-source PBX project has issued an advisory and security fix for a vulnerability in its Asterisk Management Interface (AMI). This vulnerability was discovered by Niels Galjaard, who found that a low-privileged AMI user could exploit the system to modify Asterisk’s configuration, potentially resulting in remote code execution. The exploit takes advantage of the Originate action to call the Asterisk SET application, allowing an attacker to write or download files remotely. AMI has been a frequent source of privilege escalation vulnerabilities, making it an attractive attack vector. This is particularly concerning because some web interfaces that interact with AMI might inadvertently allow the injection of AMI commands through newline characters. Such a bypass can lead to remote code execution, even when the AMI user is supposed to have restricted permissions.
The advisory, titled “Write=originate, is sufficient permissions for code execution / System() dialplan,” has been addressed by the Asterisk team. Thanks go to the security researcher and the Asterisk team for promptly resolving this issue.
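As an added illustration of the newline problem described above (this is our own example, not code from the advisory or from Asterisk), here is what a web-to-AMI bridge looks like with a naive builder next to a hardened one. The AMI packet framing shown is the real one (CRLF-separated "Key: Value" lines, blank line ends the action); the field values and the "Ping" action in the sample are constructed.

```python
import re

# An AMI action is a set of "Key: Value" lines ending in CRLF, and an empty
# line ends the action.  Any CR or LF smuggled into a value therefore ends the
# current action early and lets the remainder be parsed as a second one.

_SAFE_KEY = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def naive_ami_action(action, fields):
    """Unsafe builder: concatenates untrusted values straight into the packet."""
    lines = [f"Action: {action}"] + [f"{k}: {v}" for k, v in fields.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


def build_ami_action(action, fields):
    """Hardened builder: refuses keys or values that could split the packet.

    Raising instead of silently stripping makes tampering visible to the caller
    (and to logs) rather than quietly sending a different action.
    """
    lines = []
    for key, value in [("Action", action), *fields.items()]:
        if not _SAFE_KEY.match(key):
            raise ValueError(f"invalid AMI key: {key!r}")
        value = str(value)
        if "\r" in value or "\n" in value:
            raise ValueError(f"CR/LF not allowed in AMI value for {key}")
        lines.append(f"{key}: {value}")
    return "\r\n".join(lines) + "\r\n\r\n"


def count_actions(raw):
    """Count Action headers in a serialised AMI stream.

    A regression check for a bridge: one user request must never yield
    more than one action on the wire.
    """
    packets = [p for p in raw.split("\r\n\r\n") if p]
    return sum(
        1 for p in packets for line in p.split("\r\n")
        if line.lower().startswith("action:")
    )


# Constructed sample: the tail of Exten would be read as a separate action.
TAMPERED_FIELDS = {"Channel": "SIP/100", "Exten": "200\r\n\r\nAction: Ping"}
```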
The Matrix React SDK fixed an interesting privacy vulnerability
The matrix-react-sdk, a React-based SDK for integrating a Matrix chat/VoIP client into a web page, had a vulnerability that allowed a malicious homeserver to manipulate user account data and enable URL previews in end-to-end encrypted rooms. This could expose URLs in encrypted messages to the server. This issue was addressed in version 3.105.0 of the SDK.
Deployments that trust their homeservers or operate within closed federations of trusted servers are not impacted. Users are strongly recommended to upgrade to the patched version, as there are currently no known workarounds for this vulnerability.
This newsletter was prepared by Sandro Gauci and the Enable Security team for RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please share it.
To subscribe: here