SIP can be used as an attack vector for AppSec vulnerabilities such as cross-site scripting (XSS), potentially leading to unauthenticated remote compromise of critical systems. VoIPmonitor GUI had one such vulnerability that highlights this attack vector exceptionally well. The following writeup explores how persistent backdoor administrative access could be obtained by sending malicious SIP messages. This vulnerability was reported by Enable Security and fixed in VoIPmonitor GUI back in February 2021, using standard cross-site scripting protection mechanisms (output encoding of untrusted values before they are rendered as HTML).
Cross-site scripting (XSS) is an established and well-understood application security vulnerability. Even so, the nature of the vulnerability makes it difficult to mitigate at times, often resulting in either partial remediation (i.e. the input is still vulnerable to other payloads) or inputs that remain outright vulnerable. When the team at Enable Security performs an offensive security audit against a cloud-based provider for the very first time, one of the initial tests involves looking for cross-site scripting vulnerabilities, even if the focus of such an audit is the voice over IP applications or infrastructure!
Before diving into the technical underpinnings of this exploit, let us start with a common customer use-case first. A customer may want to be privy to the end-user SIP device types (e.g. mobile, desktop) that are connecting to their application or server. A vendor may provide that information by rendering SIP network traffic within the application's web interface - traffic that should actually be considered as user input, since anyone who can reach the SIP port can send it without authenticating. Pair these two factors together and we potentially have the ability to send unauthenticated traffic to a server with a malicious payload. This, in turn, gets rendered as HTML in the UI, thus running arbitrary code within the user's browser, which leads to XSS.
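As an added example (not VoIPmonitor's own code), the Python below takes a constructed SIP REGISTER request whose User-Agent header carries HTML markup, shows the unescaped rendering that produces the XSS beside the HTML-encoded version that fixes it, and includes a simple check a defender can run over captured header values to flag ones that contain markup:

```python
import html
import re

# Constructed sample SIP REGISTER request. The User-Agent value is chosen by
# whoever sends the packet and arrives unauthenticated, so a web UI that
# displays it must treat it as untrusted input.
SAMPLE_REQUEST = (
    "REGISTER sip:example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK-constructed\r\n"
    "From: <sip:1001@example.invalid>;tag=abc\r\n"
    "To: <sip:1001@example.invalid>\r\n"
    "Call-ID: constructed-call-id@203.0.113.5\r\n"
    "CSeq: 1 REGISTER\r\n"
    "User-Agent: MyPhone/1.0 <script>alert(1)</script>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> dict:
    """Return the SIP headers as a dict keyed by lowercase header name.

    Minimal parser: skips the request line, ignores the body, and does not
    handle folded (multi-line) headers or compact header forms.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def render_vulnerable(headers: dict) -> str:
    """Interpolate the header value straight into HTML: the bug class."""
    return "<td>" + headers.get("user-agent", "") + "</td>"


def render_fixed(headers: dict) -> str:
    """Same table cell, with the value HTML-encoded first (the standard fix)."""
    return "<td>" + html.escape(headers.get("user-agent", ""), quote=True) + "</td>"


def looks_like_markup(value: str) -> bool:
    """Detection signal: does a SIP header value contain an HTML tag opener?"""
    return re.search(r"<\s*/?\s*[a-zA-Z]", value) is not None
```

Running `render_vulnerable` on the sample yields a cell containing a live `<script>` element, while `render_fixed` yields the same text with `<` and `>` encoded as `&lt;` and `&gt;`, so the browser displays it instead of executing it.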