Skip to main content

Ali Norouzi

, Sandro Gauci

Sandro Gauci, Enable Security

Kamailio’s exec module considered harmful

Last updated on Jan 26, 2023 in ,

Executive summary (TL;DR) The combination of pseudo-variables and Kamailio’s exec can be risky and may result in code injection. By using special SIP headers and environment variables, it becomes effortless to exploit a vulnerable configuration. We have created a Docker environment to assist readers in reproducing this vulnerability and testing solutions. Protection is tricky and the official documentation may have previously misled developers - we aim to fix that by updating the module’s official documentation.…

Read more »
Sandro Gauci

Sandro Gauci, Enable Security

How to perform a DDoS attack simulation

Last updated on Nov 29, 2022

TL;DR A DDoS simulation is a practical exercise that various organisations are capable of doing. Understand the reasons why you would want to do this, then combine custom with off-the-shelf attack tools. Follow the best practices, apply solutions and mitigation; and you can finally answer: what if we got attacked? Introduction In this post, we give an overview of how you too can perform your own distributed denial of service (DDoS) simulation exercises.…

Read more »
Sandro Gauci

Sandro Gauci, Enable Security

Exploiting CVE-2022-0778, a bug in OpenSSL vis-à-vis WebRTC platforms

Executive summary (TL;DR) Exploiting CVE-2022-0778 in a WebRTC context requires that you get a few things right first. But once that is sorted, DoS (in RTC) is the new RCE! How I got social engineered into looking at CVE-2022-0778 A few days ago, Philipp Hancke, self-proclaimed purveyor of the dark side of WebRTC, messaged me privately with a very simple question: “are you offering a DTLS scanner by chance?” He explained how in the context of WebRTC it would be a bit difficult since you need to get signaling right, ICE (that dance with STUN and other funny things) and finally, you get to do your DTLS scans.…

Read more »
Sandro Gauci

Sandro Gauci, Enable Security

Killing bugs … one vulnerability report at a time

Executive summary (TL;DR) We tell the story behind the latest FreeSWITCH advisories and how it all came together one sleepless night in April 2021 so that we ended up with 4 vulnerabilities that needed reporting. And then, one more vulnerability found due to a bug in our own software, SIPVicious PRO. We explain how these flaws were discovered, reported, fixed and what we ultimately learned through this process. What is this about?…

Read more »

Abusing SIP for Cross-Site Scripting? Most definitely!

Last updated on Jun 10, 2021 in , ,

Executive summary (TL;DR) SIP can be used as an attack vector for AppSec vulnerabilities such as cross-site scripting (XSS), potentially leading to unauthenticated remote compromise of critical systems. VoIPmonitor GUI had one such vulnerability which highlights this attack vector exceptionally well. The following writeup explores how persistent backdoor administrative access can be obtained by sending malicious SIP messages. This vulnerability was reported by Enable Security and fixed in VoIPmonitor GUI back in February 2021, using standard cross-site scripting protection mechanisms.…

Read more »
Alfred Farrugia

Alfred Farrugia, Enable Security

Bug discovery diaries: Abusing VoIPmonitor for Remote Code Execution

Executive summary (TL;DR) We fuzzed VoIPmonitor by using SIPVicious PRO and got a crash in the software’s live sniffer feature when it is switched on. We identified the cause of the crash by looking at the source code, which was a classic buffer overflow. Then we realized that was fully exploitable since the binaries distributed do not have any memory corruption protection. So we wrote exploit code using ROP gadgets to get remote code execution by just sending a SIP packet.…

Read more »
Sandro Gauci

Sandro Gauci, Enable Security

Details about CVE-2020-26262, bypass of Coturn’s default access control protection

Last updated on Jan 11, 2021 in , , ,

Video demonstration The following demonstration shows the security bypass of the default coturn configuration on IPv4: Note Turn on the captions by clicking on the CC button and watch on full screen for optimal viewing experience. Background: why does coturn have default access control rules in the first place? TURN servers are an important part of many WebRTC infrastructures because they make it possible to relay the media even for hosts behind restrictive NAT.…

Read more »
Alfred Farrugia

Alfred Farrugia, Enable Security

Bug discovery diaries: uncovering sngrep overflow issues with blackbox fuzzing

Executive summary (TL;DR) During OpenSIPIt, we crashed sngrep by mistake while briefly fuzzing OpenSIPS. Later on we setup a docker environment to reproduce the issue, identified the actual bugs and reported them upstream. If you want to learn the simple steps to do this, you actually have to read the rest of the post :-) sngrep crash during the live OpenSIPit event Last year we participated in OpenSIPIt’s interoperability testing event which was held between the 14th and 15th of September 2020.…

Read more »
Sandro Gauci

Sandro Gauci, Enable Security

Smuggling SIP headers past Session Border Controllers FTW!

Last updated on Sep 1, 2020 in , , ,

Executive summary (TL;DR) SIP Header smuggling is a thing; in some cases it may be super-bad. It affected Kamailio and we have published a Github project to easily demonstrate and test this for yourself. Kamailio has since fixed the issue in release 5.4.0 but similar issues are likely to affect other SBCs. Usage of special SIP headers When it comes to trusted SIP networks, one of the primary ways that information is passed across different hops is through SIP headers.…

Read more »

Attacking a real VoIP System with SIPVicious OSS

Last updated on Jun 8, 2020 in , ,

Recently, we put out a target server on the Internet at demo.sipvicious.pro which hosts a Kamailio Server handling SIP over UDP, TCP, TLS as well as WebSockets. Behind that, the observant reader will soon discover that an Asterisk server handles the voicemail and echo services. This is actually a fully functioning (real) VoIP system that’s ready to be attacked. Therefore, in combination, these software packages allow us to reproduce a number of common security vulnerabilities affecting VoIP and WebRTC systems.…

Read more »