From d6311cdbc78d286978604622872e75a325812c61 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Mon, 1 Jun 2026 17:41:17 +0000 Subject: [PATCH] Add content from: CVE-2026-0826: Critical Unauthenticated Stack Buffer Overflo... --- .../sip-session-initiation-protocol.md | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/src/network-services-pentesting/pentesting-voip/basic-voip-protocols/sip-session-initiation-protocol.md b/src/network-services-pentesting/pentesting-voip/basic-voip-protocols/sip-session-initiation-protocol.md index e864f8466f7..84666640bab 100644 --- a/src/network-services-pentesting/pentesting-voip/basic-voip-protocols/sip-session-initiation-protocol.md +++ b/src/network-services-pentesting/pentesting-voip/basic-voip-protocols/sip-session-initiation-protocol.md 
@@ -309,6 +309,35 @@ This section adds practical, protocol-specific tips without duplicating the broa - CVE-2024-35190 (published May 17, 2024): In specific Asterisk releases, `res_pjsip_endpoint_identifier_ip` could misidentify unauthorized SIP requests as a local endpoint, potentially enabling unauthorized actions or information exposure. Fixed in 18.23.1, 20.8.1 and 21.3.1. Validate your PBX version when testing and report responsibly. +### SDP/ICE candidate parsing as an RCE surface + +SIP endpoints often parse **embedded SDP** from `INVITE` requests before authentication or user interaction. If optional **ICE** support is enabled, `a=candidate:` attributes become an extra parser attack surface that is easy to miss during reviews because the bug lives in the **SDP helper**, not in the top-level SIP state machine. + +- **Reachability pattern**: `INVITE` over UDP/5060 -> `Content-Type: application/sdp` -> SDP line starting with `a=candidate:` -> ICE-specific parser. +- **Common bug class**: copy the full candidate line into a **fixed stack buffer** with `memcpy`/`strcpy` and then NUL-terminate it **without checking the destination size**. +- **Exploit validation on ARM**: build the candidate as `a=candidate:` + fill bytes + register markers, then confirm control of saved registers / `pc` in the crash dump. When the exact prefix length matters, count protocol bytes first. +- **Why this matters**: SIP parsers frequently run as a privileged monolithic process inside phones/PBX components, so a parser bug in a rarely-used feature can still become **unauthenticated RCE**. + +Minimal malformed body pattern: + +```text +c=IN IP4 192.0.2.10 +m=audio 40000 RTP/AVP 0 +a=rtpmap:0 PCMU/8000/1 +a=candidate:AAAA...[oversized candidate line]... +``` + +#### Practical exploitation workflow for SIP/SDP parser bugs + +1. **Confirm the feature gate**: look for device/PBX options enabling ICE, TURN, STUN, SRTP negotiation, video, or vendor extensions. +2. 
**Trigger the parser with a valid SIP envelope** so the malformed field reaches the deep protocol helper instead of being rejected by superficial syntax checks. +3. **Measure the exact overwrite layout** from the field prefix to the saved return state (`pc`/`lr` on ARM, `rip` on x86_64). +4. **Run `checksec` / inspect mitigations** to decide between shellcode, ret2libc, or a full ROP chain. +5. If **NX** is enabled and the main binary is non-PIE but loaded at addresses containing **NUL bytes**, check `/proc//maps` for **shared libraries mapped at stable non-null bases** and pivot the ROP chain there instead of using low-address gadgets from the main binary. + +> [!TIP] +> Text-based protocol exploit development is often constrained by forbidden bytes (`0x00`, `\r`, `\n`, separators such as `:` or space). When choosing gadgets or fake arguments, validate that the full address encoding survives the parser and any tokenization step. + ### Hardening checklist (SIP-specific) - Prefer TLS for signaling and SRTP/DTLS-SRTP for media; disable cleartext where feasible. @@ -323,6 +352,7 @@ This section adds practical, protocol-specific tips without duplicating the broa ## References +- [Rapid7: CVE-2026-0826 - Critical unauthenticated stack buffer overflow in HP Poly VVX and Trio VoIP Phones](https://www.rapid7.com/blog/post/ve-cve-2026-0826-critical-unauthenticated-stack-buffer-overflow-hp-poly-vvx-trio-voip-phones-fixed/) - RFC 8760 – Using SHA-256 and SHA-512/256 for HTTP Digest (applies to SIP Digest too): https://www.rfc-editor.org/rfc/rfc8760 - Asterisk GHSA advisory for CVE-2024-35190: https://github.com/asterisk/asterisk/security/advisories/GHSA-qqxj-v78h-hrf9 {{#include ../../../banners/hacktricks-training.md}}
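Review bot: In the hunk at `@@ -309`, the "Minimal malformed body pattern" contradicts step 2 of the workflow ("Trigger the parser with a valid SIP envelope so the malformed field reaches the deep protocol helper"): the body starts at `c=IN IP4 192.0.2.10` and omits the session-level lines SDP requires (`v=0`, `o=...`, `s=...`, `t=0 0`), which many SDP parsers validate before they ever reach media-level `a=` attributes, so the oversized `a=candidate:` line may never hit the ICE helper. Suggest prefixing the block with those four lines and adding a `Content-Length` reminder, since a wrong length also short-circuits body parsing. Two smaller points in the same hunk: step 5 reads `/proc//maps` with the PID component missing (Markdown swallowed a `<pid>` placeholder; escape it or write `/proc/$PID/maps`), and the new section never names CVE-2026-0826, the affected product, or the fixed firmware, unlike the CVE-2024-35190 bullet directly above it; lifting the affected/fixed versions from the linked Rapid7 post would keep the section's CVE bullets consistent. "Register markers" in the ARM validation bullet is vague; naming a cyclic pattern (`cyclic`/`pattern_create`) as the way to measure the offset to `pc` would make it actionable.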
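Review bot: In the hunk at `@@ -323`, the added reference uses Markdown link syntax (`- [Rapid7: CVE-2026-0826 ...](https://...)`) while the two entries that follow use the plain `Title: URL` form; match the existing style for the list. The URL slug also begins with `ve-cve-2026-0826-...-fixed/`, which reads as if a leading word was cut; please verify the link resolves before merge. Since the slug says "fixed", the post presumably lists the patched firmware, which the new section above does not mention.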