
Tag: Denial of Service

Exploiting CVE-2022-0778, a bug in OpenSSL vis-à-vis WebRTC platforms

Executive summary (TL;DR)

Exploiting CVE-2022-0778 in a WebRTC context requires that you get a few things right first. But once that is sorted, DoS (in RTC) is the new RCE!

How I got social engineered into looking at CVE-2022-0778

A few days ago, Philipp Hancke, self-proclaimed purveyor of the dark side of WebRTC, messaged me privately with a very simple question: “are you offering a DTLS scanner by chance?”

He explained that in a WebRTC context this would be a bit difficult, since you first need to get signaling right, then ICE (that dance with STUN and other funny things), and only then do you get to do your DTLS scans. He added that he hopes these difficulties raise the bar for exploiting the latest OpenSSL CVE.

Read more about Exploiting CVE-2022-0778, a bug in OpenSSL vis-à-vis WebRTC platforms

Killing bugs … one vulnerability report at a time

Published on Oct 29, 2021

Executive summary (TL;DR)

We tell the story behind the latest FreeSWITCH advisories and how it all came together one sleepless night in April 2021, which ended with 4 vulnerabilities that needed reporting. Then one more vulnerability turned up, found thanks to a bug in our own software, SIPVicious PRO. We explain how these flaws were discovered, reported and fixed, and what we ultimately learned through this process.

What is this about?

This article shares its title with the presentation I gave at ClueCon 2021, organised by SignalWire, the main FreeSWITCH sponsor. The presentation can be watched on YouTube.

Read more about Killing bugs ... one vulnerability report at a time

ClueCon: FreeSWITCH Security Advisories

Published on Oct 25, 2021

The FreeSWITCH team has just published version v1.10.7 which fixes a number of security issues that we reported. If you use FreeSWITCH, please do upgrade to get these security updates.

To learn about the background work that went into getting these security bugs squashed, follow Sandro’s talk called Killing bugs … one vulnerability report at a time. It will be presented at ClueCon on Thursday, October 28th.

Here are the titles of each advisory and a very short summary:

Read more about ClueCon: FreeSWITCH Security Advisories

FreeSWITCH: denial of service via SIP flooding

Description

When flooding FreeSWITCH with SIP messages, it was observed that after a number of seconds the process was killed by the operating system due to memory exhaustion. The following excerpt from syslog shows one such instance:

Read more about FreeSWITCH: denial of service via SIP flooding

FreeSWITCH: denial of service via invalid SRTP packets

TL;DR

When handling SRTP calls, FreeSWITCH is susceptible to a DoS where calls can be terminated by remote attackers. This attack can be done continuously, thus denying encrypted calls during the attack.

Description

When a media port that is handling SRTP traffic is flooded with specially crafted SRTP packets, the call is terminated, leading to denial of service. This issue was reproduced both when using the SDES key exchange mechanism in a SIP environment and when using the DTLS key exchange mechanism in a WebRTC environment.

Read more about FreeSWITCH: denial of service via invalid SRTP packets
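The advisory above describes the failure mode (invalid SRTP packets on a media port tear down the call) without showing what "invalid" means on the wire or what a receiver should do instead. The following is an added example, not FreeSWITCH code and not from the advisory: it builds RTP packets, appends the RFC 3711 default authentication tag (HMAC-SHA1 truncated to 80 bits, computed over header, payload and the 32-bit rollover counter), and runs a receiver that drops and counts packets that are too short, have the wrong RTP version, or fail authentication, while keeping the session alive under a flood of forgeries. The 20-byte auth key, the SSRC and the payload bytes are constructed test inputs; SRTP encryption, key derivation, the replay window and ROC estimation are deliberately left out, and a fixed ROC of 0 is assumed.

```python
import hmac
import hashlib
import struct

AUTH_TAG_LEN = 10    # SRTP default auth tag: HMAC-SHA1 truncated to 80 bits (RFC 3711 section 4.2)
RTP_HEADER_LEN = 12  # fixed RTP header (RFC 3550 section 5.1); CSRC list handled, extensions ignored


def build_rtp_header(seq, ts, ssrc, pt=0, marker=0):
    """Minimal RTP v2 header: no padding, no extension, zero CSRCs."""
    byte0 = 2 << 6                      # V=2, P=0, X=0, CC=0
    byte1 = (marker << 7) | (pt & 0x7F)
    return struct.pack("!BBHII", byte0, byte1, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc & 0xFFFFFFFF)


def srtp_auth_tag(auth_key, authenticated_portion, roc):
    """RFC 3711 section 4.2.1: HMAC-SHA1 over (header || payload || ROC), truncated."""
    mac = hmac.new(auth_key, authenticated_portion + struct.pack("!I", roc), hashlib.sha1)
    return mac.digest()[:AUTH_TAG_LEN]


def protect(auth_key, rtp_packet, roc=0):
    """Append the auth tag. Encryption is omitted; only integrity is modelled here."""
    return rtp_packet + srtp_auth_tag(auth_key, rtp_packet, roc)


class SrtpReceiver:
    """Receiver policy: a packet that fails validation is dropped and counted; the session stays up."""

    def __init__(self, auth_key):
        self.auth_key = auth_key
        self.roc = 0          # assumption: rollover counter fixed at 0 (no ROC estimation)
        self.accepted = 0
        self.dropped = 0
        self.alive = True     # never flipped by bad input, which is the whole point

    def receive(self, pkt):
        reason = self._validate(pkt)
        if reason is None:
            self.accepted += 1
            return "accepted"
        self.dropped += 1
        return reason

    def _validate(self, pkt):
        if len(pkt) < RTP_HEADER_LEN + AUTH_TAG_LEN:
            return "too_short"
        if pkt[0] >> 6 != 2:
            return "bad_version"
        cc = pkt[0] & 0x0F
        if len(pkt) < RTP_HEADER_LEN + 4 * cc + AUTH_TAG_LEN:
            return "truncated_csrc_list"
        body, tag = pkt[:-AUTH_TAG_LEN], pkt[-AUTH_TAG_LEN:]
        expected = srtp_auth_tag(self.auth_key, body, self.roc)
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return "auth_failed"
        return None


# Constructed inputs for the demonstration; not real session material.
TEST_AUTH_KEY = bytes(range(20))
ATTACKER_KEY = b"\xAA" * 20
TEST_SSRC = 0xDEADBEEF


def good_packet(key, seq):
    payload = b"\x11" * 160                        # constructed 20 ms of 8 kHz PCMU-sized payload
    return protect(key, build_rtp_header(seq, seq * 160, TEST_SSRC) + payload)


def simulate_flood(n_good=50, n_bad=1000):
    """Interleave legitimate packets with forged and malformed ones; report what the receiver did."""
    rx = SrtpReceiver(TEST_AUTH_KEY)
    reasons = {}
    for i in range(max(n_good, n_bad)):
        if i < n_good:
            rx.receive(good_packet(TEST_AUTH_KEY, i))
        if i < n_bad:
            # rotate through three shapes of "specially crafted" packet
            if i % 3 == 0:
                bad = good_packet(ATTACKER_KEY, i)           # well-formed, wrong key
            elif i % 3 == 1:
                bad = b"\x00" * 40                           # wrong RTP version
            else:
                bad = b"\x80"                                # truncated
            r = rx.receive(bad)
            reasons[r] = reasons.get(r, 0) + 1
    return {"alive": rx.alive, "accepted": rx.accepted, "dropped": rx.dropped, "reasons": reasons}


if __name__ == "__main__":
    print(simulate_flood())
```

The design point is in `receive`: every outcome is a return value and a counter, never an exception or a session teardown, so a flood of bad packets costs one HMAC per packet and nothing else. A production receiver would also enforce a replay window and rate-limit logging of `auth_failed`, since logging each forgery is itself a cheap way for an attacker to burn I/O.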

Why volumetric DDoS cripples VoIP providers and what we see during pentesting

Published on Oct 13, 2021

An epiphany

Until a few days ago, I was of the opinion that simulating volumetric DDoS attacks is not something we should be doing. If you had asked us for such a test, we would have given you a negative answer.

Ironically, we had been unwittingly simulating volumetric DDoS attacks while quietly ignoring our own results. But, it’s time to stop neglecting bandwidth saturation and start giving it the attention that it deserves.

Read more about Why volumetric DDoS cripples VoIP providers and what we see during pentesting

Massive DDoS attacks on VoIP Providers and simulated DDoS testing

Published on Sep 24, 2021

VoIP.ms and other VoIP providers under DDoS attack

At the time of writing, a major VoIP provider called VoIP.ms has been under a distributed denial of service (DDoS) attack for over a week. As a result, they are unable to serve their customers, with everyone and their dog complaining that they cannot connect to VoIP.ms’s SIP servers or other resources. At the same time, someone claiming to be part of the REvil ransomware group is blackmailing the provider.

Read more about Massive DDoS attacks on VoIP Providers and simulated DDoS testing

DEMO - An overview of the VoIP and RTC offensive security toolset, SIPVicious PRO

We pushed out a video that introduces the basics of SIPVicious PRO by demonstrating some of the attack tools and showing the building blocks for automating security testing of VoIP and WebRTC applications and infrastructure.

What follows is a transcript of the video.

Introduction

Hello, I’m Sandro Gauci from Enable Security. In this video, I’d like to show you what we have been working on, SIPVicious PRO! Let’s start by introducing the tools. SIPVicious PRO is a command-line toolset, meant to test the security of realtime communications, which includes Voice over IP as well as WebRTC infrastructure.

Read more about DEMO - An overview of the VoIP and RTC offensive security toolset, SIPVicious PRO

TADSummit Asia 2021 talk about SIPVicious Pro and the Demo Server

TADSummit is a great event where people from different backgrounds who are somehow involved in communications contribute in various ways. I, personally, always look forward to seeing what’s coming up in the next TADSummit event. At the moment, TADSummit Asia presentations are being released on a daily basis on the main site. And last week, the presentation that I prepared was published!

In the previous TADSummit, I presented on why we need to bring an offensive approach to RTC security. In this one, I introduce our contributions to the space, i.e. SIPVicious OSS, SIPVicious PRO and the demo server.

Read more about TADSummit Asia 2021 talk about SIPVicious Pro and the Demo Server

VoIPmonitor: buffer overflow in live sniffer

Description

A buffer overflow was identified in the VoIPmonitor live sniffer feature. The description variable in the function save_packet_sql is defined as a fixed-length array of 1024 characters. The description is set to the value of a SIP request or response line. By sending a SIP message with a request or response line longer than that, an attacker can trigger a buffer overflow in VoIPmonitor. The affected code is:

Read more about VoIPmonitor: buffer overflow in live sniffer