A serious cross-site scripting (XSS) vulnerability existed in the Session Initiation Protocol (SIP) managing VoIP calls. Exploiting the bug could allow an attacker to execute code on the target system without authentication.
SIP Protocol XSS Vulnerability
A security researcher from Enable Security, Juxhin Dyrmishi Brigjaj, found a cross-site scripting (XSS) vulnerability in the SIP Protocol. The researcher found the vulnerability while auditing the VoIPmonitor GUI.
As elaborated, the SIP XSS notably affected the VoIP GUI allowing system takeover by sending malicious SIP messages.
Briefly, the GUI had a feature to monitor the SIP device register requests via the User-Agent header value. Thus, sending a request with a malicious User-Agent would allow executing code. As demonstrated by the researcher,
Our malicious message will set the
and if this gets rendered in the DOM, the browser will fail to fetch an image under
/x(which hopefully does not exist) and on failure, executes the malicious code.
Improvising this attack would further allow executing malicious codes as an administrator. Such attacks would even let an attacker gain persistent backdoor access to the target systems. Some of the malicious activities hence becoming possible include exfiltration of sensitive data from VoIP clients, deleting legit admin accounts, harvesting credentials via keyloggers, and exploiting internal web apps.
Technical details about the exploit are available in the researcher’s post.
Upon discovering the bug, the researcher reached out to the VoIPmonitor developers regarding the matter in February 2021. Following their report, an updated version arrived soon after that patched this vulnerability.
While the patch is there, the researcher also shared some insights about possible mitigations for such attacks.
Ensure that user inputs are HTML encoded prior to being rendered in some parts of the web interface…
If the user input has an expected format, structure and set of accepted values, be sure to validate those first and reject invalid inputs as early as possible.
However, the developers need to vigilantly monitor apps for security on a case-to-case basis as well.