
VoIPmonitor advisories: buffer overflow leading to RCE + XSS vulnerabilities

Published on Mar 15, 2021

VoIPmonitor released updates to both the sniffer component and the web application to address vulnerabilities that your favourite Enable Security researchers identified and reported. The sniffer component had a buffer overflow flaw that we actually abused to run arbitrary code (yes, in 2021!). The web application, on the other hand, was vulnerable to cross-site scripting introduced through SIP messages with XSS payloads - which is pretty bad.

And so, we just released three advisories to provide further details so that organisations using this software can make better-informed decisions. The advisories can be found at the usual location:

If you’re using VoIPmonitor, our recommendations are:

  1. upgrade to the latest fixed versions
  2. build your own binaries if you want memory corruption protection

Here’s the obligatory alert popup demonstrating XSS:

[Image: VoIPmonitor XSS, showing JavaScript injection]

Of course, in the advisory we give an example of abusing cross-site scripting to create a backdoor administrative user too.

Full details are in the advisories, but expect more in future blog posts.