RTC security
Research, talks and tools

Enable Security has released a new white paper titled “DTLS ‘ClientHello’ Race Conditions in WebRTC Implementations”. The research uncovered vulnerabilities in several WebRTC platforms, including RTPEngine, Asterisk, FreeSWITCH, and Skype (PSTN). The study focused on the processing of DTLS ClientHello messages in WebRTC sessions, revealing potential security risks. The team tested various open-source and proprietary implementations, including popular platforms like Janus, Discord, Google Meet, and Zoom.

Enable Security conducted a comprehensive security audit of OpenSIPS 3.2.2, a critical SIP server software. The audit included whitebox and blackbox fuzzing, manual code review, and DDoS testing. It resulted in the discovery of several vulnerabilities, mainly related to denial of service risks. The full 80+ page report has been published, detailing the methodologies used, vulnerability findings, and recommendations. Enable Security emphasizes the importance of continuous security testing and is developing tools for regular, semi-automated security assessments of software like OpenSIPS.

The CVE-2022-0778 vulnerability in OpenSSL may be abused through specially crafted certificates. Due to the way that DTLS is used in WebRTC when establishing video calls, various platforms using OpenSSL would have been affected. We demonstrated how this vulnerability could be reproduced using an internal build of SIPVicious PRO and how it leads to a major Denial of Service that could taking down the target conferencing system.

We released five advisories concerning vulnerabilities that were fixed in FreeSWITCH 1.10.7. The article tells the stories behind the first four vulnerabilities found in FreeSWITCH during one sleepless night, and then one more! We cover SIP Digest Leak, Denial of Service through SIP flooding, lack of authentication for SIP MESSAGE and SUBSCRIBE requests, and finally DoS through invalid SRTP packets. All these security issues were found while testing SIPVicious PRO.

SIP can be used as an attack vector for AppSec vulnerabilities such as cross-site scripting (XSS), potentially leading to unauthenticated remote compromise of critical systems. VoIPmonitor GUI had one such vulnerability which highlights this attack vector exceptionally well. The following writeup explores how persistent backdoor administrative access can be obtained by sending malicious SIP messages. This vulnerability was reported by Enable Security and fixed in VoIPmonitor GUI back in February 2021, using standard cross-site scripting protection mechanisms.

We fuzzed VoIPmonitor by using SIPVicious PRO and got a crash in the software’s live sniffer feature when it is switched on. We identified the cause of the crash by looking at the source code, which was a classic buffer overflow. Then we realized that was fully exploitable since the binaries distributed do not have any memory corruption protection. So we wrote exploit code using ROP gadgets to get remote code execution by just sending a SIP packet. We also reported this upstream so that it was fixed in the official distribution.

By default, Coturn attempts to block relaying to internal services by blocking a number of IP ranges. We found that this was not sufficient and could be bypassed by making use of IPv6 and also 0.0.0.0. We submitted patches upstream so that the project can be fixed and also participated in bug bounties to find out how widespread this problem is.

Slack’s TURN server allowed relaying of TCP connections and UDP packets to internal Slack network and meta-data services on AWS. And we were awarded $3,500 for our bug-bounty report on HackerOne.