
Tag: Security Advisory

VoIPmonitor: static builds lack memory corruption protections

Description

The binaries available for download at https://www.voipmonitor.org/download are built without any memory corruption protection in place. The following is output from the tool hardening-check:

hardening-check voipmonitor:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: no, not found!
 Immediate binding: no, not found!
 Stack clash protection: unknown, no -fstack-clash-protection instructions found
 Control flow integrity: unknown, no -fcf-protection instructions found!

When stack protection, Fortify Source and other protection mechanisms are in place, exploitation of memory corruption vulnerabilities normally results in a program crash instead of remote code execution. Most modern compilation systems enable these features by default. When they are not used, attackers may easily exploit memory corruption vulnerabilities, such as buffer overflows, to run arbitrary code. In this advisory we demonstrate how a buffer overflow reported in a separate advisory could be abused to run arbitrary code because of the lack of standard memory corruption protection in the static build releases of VoIPmonitor.


VoIPmonitor: cross-site scripting via SIP messages

Description

Multiple cross-site scripting vulnerabilities were observed in the VoIPmonitor web GUI. These vulnerabilities can be exploited by sending SIP messages towards hosts monitored by VoIPmonitor. During our tests, the following areas were affected:


VoIPmonitor: buffer overflow in live sniffer

Description

A buffer overflow was identified in the VoIPmonitor live sniffer feature. The description variable in the function save_packet_sql is defined as a fixed-length array of 1024 characters. The description is set to the value of a SIP request or response line, so sending a long request or response line triggers a buffer overflow in VoIPmonitor. The affected code is:


coturn: access control bypass via loopback peer address

Published on Jan 11, 2021

Description

By default coturn does not allow peers to connect and relay packets to loopback addresses in the range 127.x.x.x. However, it was observed that when sending a CONNECT request with an XOR-PEER-ADDRESS value of 0.0.0.0, a successful response was received, and subsequently CONNECTIONBIND also received a successful response. coturn was then able to relay packets to local network services.


sngrep: stack overflow via malformed SDP connection address

Published on Nov 20, 2020

Description

When sending a specially crafted SIP message with a malformed SDP connection address, sngrep crashes due to a stack overflow. The following backtrace was generated during our tests:

(gdb) bt
#0  __GI_raise (sig=sig@entry=6)
    at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7ced859 in __GI_abort () at abort.c:79
#2  0x00007ffff7d583ee in __libc_message (
    action=action@entry=do_abort, 
    fmt=fmt@entry=0x7ffff7e8207c "*** %s ***: terminated\n")
    at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ffff7dfa9ba in __GI___fortify_fail (
    msg=msg@entry=0x7ffff7e82064 "stack smashing detected")
    at fortify_fail.c:26
#4  0x00007ffff7dfa986 in __stack_chk_fail () at stack_chk_fail.c:24
#5  0x0000555555560651 in sip_parse_msg_media (msg=0x7ffff0046c60, 
    payload=<optimized out>) at sip.c:740
#6  0x3131313131313131 in ?? ()
#7  0x3131313131313131 in ?? ()

The issue was originally discovered during OpenSIPIt and was tracked down and analyzed for severity and impact later.


sngrep: buffer overflow via malformed SDP media type

Description

When sending a specially crafted SIP message with a malformed SDP media type, sngrep crashes due to a buffer overflow. The following backtrace was generated during our tests:

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7ced859 in __GI_abort () at abort.c:79
#2  0x00007ffff7d583ee in __libc_message (action=action@entry=do_abort, 
    fmt=fmt@entry=0x7ffff7e8207c "*** %s ***: terminated\n")
    at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ffff7dfa9ba in __GI___fortify_fail (
    msg=msg@entry=0x7ffff7e82012 "buffer overflow detected") at fortify_fail.c:26
#4  0x00007ffff7df9256 in __GI___chk_fail () at chk_fail.c:28
#5  0x00007ffff7df8b36 in __strcpy_chk (dest=0x7ffff00306f2 "", 
    src=0x7ffff79fcad1 'A' <repeats 200 times>..., destlen=destlen@entry=15)
    at strcpy_chk.c:30
#6  0x0000555555563f72 in strcpy (__src=<optimized out>, __dest=<optimized out>)
    at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:90
#7  media_set_type (media=<optimized out>, type=<optimized out>) at media.c:65
#8  0x0000000000000000 in ?? ()

The issue was originally discovered during OpenSIPIt and was tracked down and analyzed for severity and impact later.


Asterisk: crash via INVITE flood over TCP

Description

When an Asterisk instance is flooded with INVITE messages over TCP, it was observed that after some time Asterisk crashes due to a segmentation fault. The backtrace generated after the crash is:


Kamailio: header smuggling via remove_hf bypass

Published on Sep 1, 2020

Description

Kamailio is often configured to remove certain special internal SIP headers from untrusted traffic, using the remove_hf function from the Kamailio textops module, to protect against header injection attacks. These SIP headers are typically set by Kamailio and then used downstream, e.g. by a media service based on Asterisk, to affect internal business logic decisions. During our tests and research, we noticed that the removal of these headers can be bypassed by injecting whitespace characters at the end of the header name.


Kamailio: off-by-one heap overflow

Description

A specially crafted REGISTER message with a malformed branch or From tag triggers an off-by-one heap overflow.

Impact

Abuse of this vulnerability leads to denial of service in Kamailio. Further research may show that exploitation leads to remote code execution.


Asterisk PJSIP: crash via invalid SDP fmtp attribute

Description

A specially crafted SDP message body with an invalid fmtp attribute causes a segmentation fault in Asterisk when chan_pjsip is in use.

Impact

Abuse of this vulnerability leads to denial of service in Asterisk when chan_pjsip is in use.
