SIP devices could become unwitting access points for remote attacks on critical systems

SIP protocol abused to trigger XSS attacks in VoIP call monitoring software

The SIP communications protocol can be abused to perform cross-site scripting (XSS) attacks, new research has revealed

In a blog post on Thursday (June 10), Enable Security’s Juxhin Dyrmishi Brigjaj said that the Session Initiation Protocol (SIP), the technology used to manage communication across services including Voice over IP (VoIP), audio, and instant messaging, can be used as a conduit to perform app-based assaults on software.

This includes XSS attacks, in which users’ browser sessions may be compromised, same-origin policies circumvented, and user impersonation may take place for purposes including theft, phishing, or the deployment of malware.

XSS entry point

Dyrmishi Brigjaj says that in the worst-case scenarios, this could potentially lead to the “unauthenticated remote compromise of critical systems”.

The researcher explored the case of VoIPmonitor, an open source network packet sniffer used by system administrators to analyze the quality of VoIP calls based on various network parameters.

A vulnerability was discovered in the software’s graphical user interface (GUI) during an offensive security audit.


RELATED XSS in the wild: JavaScript-stuffed orders used to compromise Japanese e-commerce sites


One of the GUI’s features is the monitoring of SIP device register requests. The monitoring system includes the type of device that sent the SIP register message via a User-Agent header value.

This value is rendered in the DOM of the user’s web browser. In the hands of miscreants, this may lead to the execution of malicious code.

“At face value this might not seem like much, and in the real world I’d use something less obvious, relying on some canary token or callback,” the researcher notes.

“However, keep in mind that this code is executed in an administrator’s browser and is stored there for a period of time.”

Temporary code execution

Brigjaj said that code execution during a short window of opportunity could lead to privilege escalation and full, permanent admin access. This would be done by creating an administrator account by storing a further JavaScript payload in the system.

The vulnerability, therefore, could lead to consequences including the exfiltration of data and traffic, the hijack of other administrator accounts, and the deployment of malware such as keyloggers, backdoors, and more.


Read more of the latest security research news from about the world


Enable Security reported its findings to VoIPmonitor on February 10 and the security issue was resolved by the project’s developers on February 22 through the inclusion of new XSS protection mechanisms.

It is recommended that VoIPmonitor users update to the latest version available, v.24.71.

Enable Security tested the patch and confirmed that this avenue to XSS attacks has been removed.

The Daily Swig has reached out to the VoIPmonitor project maintainers and we will update this story as and when we hear back.


RECOMMENDED Al Jazeera repels cyber-attacks that sought to disrupt media network