SIP Protocol Exploited to Trigger XSS Attacks via VoIP Call Monitoring Software

 

According to new research, the SIP communications protocol can be exploited to conduct cross-site scripting (XSS) attacks.

In a blog post published on June 10, Enable Security's Juxhin Dyrmishi Brigjaj explained that the Session Initiation Protocol (SIP), the technology used to manage communication across services such as Voice over IP (VoIP), audio, and instant messaging, can be used as a conduit to perform application-level attacks on software.

This includes cross-site scripting (XSS) attacks, in which users' browser sessions may be stolen, same-origin restrictions may be bypassed, and users may be impersonated for purposes such as theft, phishing, or malware deployment.

In the worst-case situation, according to Dyrmishi Brigjaj, this might lead to an "unauthenticated remote compromise of vital systems." 

The study looked into the case of VoIPmonitor, an open-source network packet sniffer that system administrators use to examine the quality of VoIP calls based on various network metrics. During an offensive security audit, a flaw in the software's graphical user interface (GUI) was uncovered. 

One of the GUI's functions is monitoring SIP device register requests. The monitoring system also records the type of device that submitted the SIP register message, taken from the User-Agent header value. This value is rendered in the DOM of the user's web browser, so a value supplied by an attacker may lead to the execution of malicious code.

The researchers note, “At face value, this might not seem like much, and in the real world I’d use something less obvious, relying on some canary token or callback. However, keep in mind that this code is executed in an administrator’s browser and is stored there for a period of time.” 

According to Brigjaj, executing code during a brief window of opportunity can result in privilege escalation and full, permanent admin access.

This would be accomplished by creating an administrator account in the system and storing a new JavaScript payload. 

As a result, the vulnerability could result in data and traffic exfiltration, the hijacking of other administrator accounts, and the deployment of malware such as keyloggers, backdoors, and more. 

On February 10, Enable Security reported its findings to VoIPmonitor, and the project's developers fixed the security issue on February 22 by adding new XSS mitigation measures. 

Users of VoIPmonitor are advised to upgrade to the most recent version, v.24.71. Enable Security tested the fix and determined that the avenue to the XSS attack vector had been eliminated.
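
The flaw described above comes down to a SIP header value reaching HTML without output encoding. The following is an added example, not code from VoIPmonitor or Enable Security: it extracts the User-Agent from a constructed REGISTER message and contrasts raw concatenation with HTML-encoded rendering. All function names and sample values are hypothetical.

```javascript
// Added example: hypothetical names and constructed data, not VoIPmonitor code.
// Constructed REGISTER; the User-Agent carries harmless markup on a folded line.
const SAMPLE_REGISTER = [
  'REGISTER sip:pbx.example.test SIP/2.0',
  'Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed',
  'From: <sip:1000@pbx.example.test>;tag=1',
  'To: <sip:1000@pbx.example.test>',
  'Call-ID: constructed-1@192.0.2.10',
  'CSeq: 1 REGISTER',
  'user-agent: Example-Phone/1.0',
  ` <b>fw "2" & 'beta'</b>`,
  'Content-Length: 0',
  '', '',
].join('\r\n');

// Return a header value; names are case-insensitive and folded lines are joined.
function getSipHeader(message, name) {
  const head = message.split(/\r?\n\r?\n/)[0];
  const unfolded = head.replace(/\r?\n[ \t]+/g, ' ');
  for (const line of unfolded.split(/\r?\n/).slice(1)) {
    const colon = line.indexOf(':');
    if (colon > 0 && line.slice(0, colon).trim().toLowerCase() === name.toLowerCase()) {
      return line.slice(colon + 1).trim();
    }
  }
  return null;
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: the network-supplied value becomes markup in the admin's page.
function renderRowUnsafe(userAgent) {
  return '<td class="ua">' + userAgent + '</td>';
}

// Hardened: strip control characters, cap length, then encode for HTML text context.
function renderRowSafe(userAgent) {
  const cleaned = (userAgent ?? '').replace(/[\u0000-\u001f\u007f]/g, '').slice(0, 128);
  return '<td class="ua">' + escapeHtml(cleaned) + '</td>';
}

const ua = getSipHeader(SAMPLE_REGISTER, 'User-Agent');
console.log('unsafe:', renderRowUnsafe(ua));
console.log('safe:  ', renderRowSafe(ua));
```

The same rule applies to every SIP field a monitoring GUI displays, since all of them arrive from unauthenticated network traffic.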