
RTC security
Research, talks and tools

We are researchers in cyber-security, continually educating ourselves and developing knowledge and code. By sharing what we learn, we hope to push RTC security forward.


Featured research

Abusing SIP for Cross-site Scripting (XSS)

SIP can be used as an attack vector for AppSec vulnerabilities such as cross-site scripting (XSS), potentially leading to unauthenticated remote compromise of critical systems. VoIPmonitor GUI had one such vulnerability, which highlights this attack vector exceptionally well. The following writeup explores how persistent backdoor administrative access can be obtained by sending malicious SIP messages. This vulnerability was reported by Enable Security and fixed in VoIPmonitor GUI back in February 2021, using standard cross-site scripting protection mechanisms.

Abusing VoIPmonitor for Remote Code Execution (RCE)

We fuzzed VoIPmonitor using SIPVicious PRO and got a crash in the software's live sniffer feature when that feature is switched on. By looking at the source code we identified the cause of the crash: a classic buffer overflow. We then realized it was fully exploitable, since the distributed binaries do not have any memory corruption protection. So we wrote exploit code using ROP gadgets to get remote code execution by sending a single SIP packet. We also reported this upstream, and it was fixed in the official distribution.

Bypassing Coturn’s default access control protection

By default, Coturn attempts to block relaying to internal services by blocking a number of IP ranges. We found that this was not sufficient and could be bypassed by making use of IPv6 and also 0.0.0.0. We submitted patches upstream so that the project could be fixed, and also participated in bug bounties to find out how widespread this problem is.

Abusing Slack’s TURN servers to gain control to internal services

Slack's TURN server allowed relaying of TCP connections and UDP packets to the internal Slack network and to metadata services on AWS. We were awarded $3,500 for our bug-bounty report on HackerOne.

Our Toolbelt

These are tools that we developed to help us with our research, penetration testing and security audits. Some of them are, or will be, incorporated into SIPVicious PRO.

SIPVicious PRO Commercial

A professional toolset for testing real-time communications security

SIPVicious OSS Open Source

A set of tools for testing the security of SIP infrastructure

Stunner Internal

STUN and TURN offensive tool featuring proxy abuse, fuzzing and manual testing

Gasoline Internal

Fuzzer for SIP and RTP used to discover vulnerabilities in various SIP solutions

XMPPScanner Internal

XMPP enumeration, DoS security tests and manual testing tool

Connflood Internal

An extremely effective DoS tool that creates TCP connections and keeps them open

Janus Prober Internal

A tool for probing Janus and manual testing

Web root inspector Internal

A web server security analysis tool for finding interesting or rogue files, including backdoors

ES toolkit Internal

Tool for testing software with different configurations in virtual environments

Cert forger Internal

Creates self-signed certificates that have the same certificate details as the original certificate

Simple TLS MITM Internal

A very simple TLS MITM tool, especially useful for SIP MITM tests

TFTP Theft Open Source

Quick bruteforce tool for TFTP servers, useful for attacking provisioning systems

WAFW00F Open Source

Detect web application firewalls