Skip to main content
Alfred Farrugia

Alfred Farrugia, Enable Security

Bug discovery diaries: Abusing VoIPmonitor for Remote Code Execution

Last updated on Mar 16, 2021 in , , , , , ,

Executive summary (TL;DR) We fuzzed VoIPmonitor by using SIPVicious PRO and got a crash in the software’s live sniffer feature when it is switched on. We identified the cause of the crash by looking at the source code, which was a classic buffer overflow. Then we realized that was fully exploitable since the binaries distributed do not have any memory corruption protection. So we wrote exploit code using ROP gadgets to get remote code execution by just sending a SIP packet.…

Read more »
Sandro Gauci

Sandro Gauci, Enable Security

Details about CVE-2020-26262, bypass of Coturn’s default access control protection

Last updated on Jan 11, 2021 in , , ,

Video demonstration The following demonstration shows the security bypass of the default coturn configuration on IPv4: Note Turn on the captions by clicking on the CC button and watch on full screen for optimal viewing experience. Background: why does coturn have default access control rules in the first place? TURN servers are an important part of many WebRTC infrastructures because they make it possible to relay the media even for hosts behind restrictive NAT.…

Read more »
Sandro Gauci

Sandro Gauci, Enable Security

Jitsi Meet on Docker default passwords - how bad is it, how to detect and fix it

Last updated on Apr 20, 2020 in , , , ,

Executive summary (TL;DR) Jitsi Meet on Docker contained default passwords for important users, which could be abused to run administrative XMPP commands, including shutting down the server, changing the administrative password and loading Prosody modules. We also provide instructions on how to check for this issue if you administer a Jitsi Meet server. Background story A few days ago we noticed a tweet by @joernchen mentioning something that sounded familiar, Jitsi.…

Read more »
Sandro Gauci

Sandro Gauci, Enable Security

How we abused Slack’s TURN servers to gain access to internal services

Last updated on Apr 6, 2020 in , , ,

Executive summary (TL;DR) Slack’s TURN server allowed relaying of TCP connections and UDP packets to internal Slack network and meta-data services on AWS. And we were awarded $3,500 for our bug-bounty report on HackerOne. A very brief introduction to the TURN protocol The Wikipedia page for this protocol is somewhat handy because it explains that: Traversal Using Relays around NAT (TURN) is a protocol that assists in traversal of network address translators (NAT) or firewalls for multimedia applications.…

Read more »
Sandro Gauci

Sandro Gauci, Enable Security

Surf Jack - HTTPS will not save you

Published on Aug 11, 2008 in ,

Alert: this is not a VoIP security post. Just a repost from EnableSecurity. I just released a new paperand tool on the subject of web application security. Check out the blog post (which includes the bonus video everyone loves), and the proof of concept tool itself. And if you did not do it already, please subscribe to my other site, EnableSecurity’s RSS feed.…

Read more »

Subscribe

Receive high-quality, low-volume RTC security research, news and occasional updates about what we're up to.

Interested in working with us? Get in touch

We hate spam and hard-selling and are committed to protecting and respecting your privacy. You can unsubscribe from these communications at any time. By subscribing, you are agreeing to the Terms and Conditions. this site uses reCAPTCHA, the Google Privacy Policy and Terms of Service apply.