Skip to main content

Tags research

OpenSIPS Security Audit Report is fully disclosed and out there

It’s almost a year since the OpenSIPS project published a minimized version of our security audit report from 2022. Now, the full version has been published, with all the information intact on how to reproduce the vulnerabilities and extra details in an 80+ page report. The OpenSIPS security audit report can be found here. What is the OpenSIPS security audit? OpenSIPS is a SIP server that often has a critical security function within an IP communications system.…

Read more about OpenSIPS Security Audit Report is fully disclosed and out there

Kamailio’s exec module considered harmful

Published on Jan 26, 2023 in ,

Executive summary (TL;DR) The combination of pseudo-variables and Kamailio’s exec can be risky and may result in code injection. By using special SIP headers and environment variables, it becomes effortless to exploit a vulnerable configuration. We have created a Docker environment to assist readers in reproducing this vulnerability and testing solutions. Protection is tricky and the official documentation may have previously misled developers - we aim to fix that by updating the module’s official documentation.…

Read more about Kamailio's exec module considered harmful

Bug discovery diaries: Abusing VoIPmonitor for Remote Code Execution

Executive summary (TL;DR) We fuzzed VoIPmonitor by using SIPVicious PRO and got a crash in the software’s live sniffer feature when it is switched on. We identified the cause of the crash by looking at the source code, which was a classic buffer overflow. Then we realized that was fully exploitable since the binaries distributed do not have any memory corruption protection. So we wrote exploit code using ROP gadgets to get remote code execution by just sending a SIP packet.…

Read more about Bug discovery diaries: Abusing VoIPmonitor for Remote Code Execution

Details about CVE-2020-26262, bypass of Coturn’s default access control protection

Published on Jan 11, 2021 in , , ,

Video demonstration The following demonstration shows the security bypass of the default coturn configuration on IPv4: Note Turn on the captions by clicking on the CC button and watch on full screen for optimal viewing experience. Background: why does coturn have default access control rules in the first place? TURN servers are an important part of many WebRTC infrastructures because they make it possible to relay the media even for hosts behind restrictive NAT.…

Read more about Details about CVE-2020-26262, bypass of Coturn's default access control protection

Jitsi Meet on Docker default passwords - how bad is it, how to detect and fix it

Executive summary (TL;DR) Jitsi Meet on Docker contained default passwords for important users, which could be abused to run administrative XMPP commands, including shutting down the server, changing the administrative password and loading Prosody modules. We also provide instructions on how to check for this issue if you administer a Jitsi Meet server. Background story A few days ago we noticed a tweet by @joernchen mentioning something that sounded familiar, Jitsi.…

Read more about Jitsi Meet on Docker default passwords - how bad is it, how to detect and fix it

How we abused Slack’s TURN servers to gain access to internal services

Published on Apr 6, 2020 in , , ,

Executive summary (TL;DR) Slack’s TURN server allowed relaying of TCP connections and UDP packets to internal Slack network and meta-data services on AWS. And we were awarded $3,500 for our bug-bounty report on HackerOne. A very brief introduction to the TURN protocol The Wikipedia page for this protocol is somewhat handy because it explains that: Traversal Using Relays around NAT (TURN) is a protocol that assists in traversal of network address translators (NAT) or firewalls for multimedia applications.…

Read more about How we abused Slack's TURN servers to gain access to internal services