Expand Up @@ -309,6 +309,35 @@ This section adds practical, protocol-specific tips without duplicating the broa

- CVE-2024-35190 (published May 17, 2024): In specific Asterisk releases, `res_pjsip_endpoint_identifier_ip` could misidentify unauthorized SIP requests as a local endpoint, potentially enabling unauthorized actions or information exposure. Fixed in 18.23.1, 20.8.1 and 21.3.1. Validate your PBX version when testing and report responsibly.

### SDP/ICE candidate parsing as an RCE surface

SIP endpoints often parse **embedded SDP** from `INVITE` requests before authentication or user interaction. If optional **ICE** support is enabled, `a=candidate:` attributes become an extra parser attack surface that is easy to miss during reviews because the bug lives in the **SDP helper**, not in the top-level SIP state machine.

- **Reachability pattern**: `INVITE` over UDP/5060 -> `Content-Type: application/sdp` -> SDP line starting with `a=candidate:` -> ICE-specific parser.
- **Common bug class**: copy the full candidate line into a **fixed stack buffer** with `memcpy`/`strcpy` and then NUL-terminate it **without checking the destination size**.
- **Exploit validation on ARM**: build the candidate as `a=candidate:` + fill bytes + register markers, then confirm control of saved registers / `pc` in the crash dump. When the exact prefix length matters, count protocol bytes first.
- **Why this matters**: SIP parsers frequently run as a privileged monolithic process inside phones/PBX components, so a parser bug in a rarely-used feature can still become **unauthenticated RCE**.

Minimal malformed body pattern:

```text
c=IN IP4 192.0.2.10
m=audio 40000 RTP/AVP 0
a=rtpmap:0 PCMU/8000/1
a=candidate:AAAA...[oversized candidate line]...
```

#### Practical exploitation workflow for SIP/SDP parser bugs

1. **Confirm the feature gate**: look for device/PBX options enabling ICE, TURN, STUN, SRTP negotiation, video, or vendor extensions.
2. **Trigger the parser with a valid SIP envelope** so the malformed field reaches the deep protocol helper instead of being rejected by superficial syntax checks.
3. **Measure the exact overwrite layout** from the field prefix to the saved return state (`pc`/`lr` on ARM, `rip` on x86_64).
4. **Run `checksec` / inspect mitigations** to decide between shellcode, ret2libc, or a full ROP chain.
5. If **NX** is enabled and the main binary is non-PIE but loaded at addresses containing **NUL bytes**, check `/proc/<pid>/maps` for **shared libraries mapped at stable non-null bases** and pivot the ROP chain there instead of using low-address gadgets from the main binary.

> [!TIP]
> Text-based protocol exploit development is often constrained by forbidden bytes (`0x00`, `\r`, `\n`, separators such as `:` or space). When choosing gadgets or fake arguments, validate that the full address encoding survives the parser and any tokenization step.

### Hardening checklist (SIP-specific)

- Prefer TLS for signaling and SRTP/DTLS-SRTP for media; disable cleartext where feasible.
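Review bot: the new `### SDP/ICE candidate parsing as an RCE surface` section and its `#### Practical exploitation workflow` subsection cite no source inline, even though the matching reference (the Rapid7 write-up on CVE-2026-0826 in HP Poly VVX/Trio phones) is added further down under `## References`; link it from the section, for example next to the `Minimal malformed body pattern` block, so the fixed-stack-buffer bug class and the ARM-specific claims (`pc`/`lr` overwrite, non-PIE main binary with NUL-containing addresses) are traceable to a concrete advisory rather than stated generically. The section also adds nothing to the `### Hardening checklist (SIP-specific)` that immediately follows it, so the defensive side of the new material is missing: a bullet such as "Disable ICE/STUN/TURN and other optional SDP features where unused, and apply vendor fixes for SDP parser issues (e.g. CVE-2026-0826)" would keep the checklist in step with the new attack surface.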
Expand All @@ -323,6 +352,7 @@ This section adds practical, protocol-specific tips without duplicating the broa

## References

- [Rapid7: CVE-2026-0826 - Critical unauthenticated stack buffer overflow in HP Poly VVX and Trio VoIP Phones](https://www.rapid7.com/blog/post/ve-cve-2026-0826-critical-unauthenticated-stack-buffer-overflow-hp-poly-vvx-trio-voip-phones-fixed/)
- RFC 8760 – Using SHA-256 and SHA-512/256 for HTTP Digest (applies to SIP Digest too): https://www.rfc-editor.org/rfc/rfc8760
- Asterisk GHSA advisory for CVE-2024-35190: https://github.com/asterisk/asterisk/security/advisories/GHSA-qqxj-v78h-hrf9
{{#include ../../../banners/hacktricks-training.md}}
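Review bot: the new Rapid7 entry uses markdown link syntax (`[title](url)`) while the two existing entries in `## References` use the plain `Title: URL` form; pick one format for the whole list. The new entry also gives no fixed-version information, unlike the CVE-2024-35190 bullet earlier in the file (which lists 18.23.1, 20.8.1 and 21.3.1), so a reader cannot tell from this page which firmware releases are affected or fixed; add that detail to the reference line or to the section that cites it.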