Tags › stunner
Details about CVE-2020-26262, bypass of Coturn’s default access control protection
Published on Jan 11, 2021 in webrtc security, bug bounty, research, stunner
Video demonstration: The following demonstration shows the security bypass of the default coturn configuration on IPv4. Note: Turn on the captions by clicking on the CC button and watch on full screen for optimal viewing experience. Background: why does coturn have default access control rules in the first place? TURN servers are an important part of many WebRTC infrastructures because they make it possible to relay the media even for hosts behind restrictive NAT.…
Bug bounty bout report 0x01 - WebRTC edition
Published on Jun 16, 2020 in webrtc security, bug bounty, stunner
Read the full report here. In April 2020, in between SIPVicious PRO development and pentesting VoIP and WebRTC, we dedicated some days to bug bounties and vulnerability disclosure programs to see what comes out of it. Our focus was on those that have WebRTC infrastructure in scope. In the end, we reported 3 vulnerabilities to 4 different vendors, for 6 different products. So finally, after making sure that the affected vendors have addressed these security issues and have agreed with publication, we are putting out a compiled report!…
How we abused Slack’s TURN servers to gain access to internal services
Published on Apr 6, 2020 in webrtc security, bug bounty, research, stunner
Executive summary (TL;DR): Slack’s TURN server allowed relaying of TCP connections and UDP packets to the internal Slack network and meta-data services on AWS. And we were awarded $3,500 for our bug-bounty report on HackerOne. A very brief introduction to the TURN protocol: The Wikipedia page for this protocol is somewhat handy because it explains that: Traversal Using Relays around NAT (TURN) is a protocol that assists in traversal of network address translators (NAT) or firewalls for multimedia applications.…