
The insecurity of telecom stacks in the wake of Salt Typhoon

Toward the end of last year, we learned that a group (said to be associated with the Chinese government, referred to as "Salt Typhoon") breached T-Mobile and other telecommunications companies and caused all kinds of harm.

This isn't a blog post about that event, but it did spark a bit of curiosity in me.

I can't (legally) poke at mobile phone companies' networks to see what weaknesses I can find, but there are plenty of open source telecom projects on GitHub. So when I heard about the Salt Typhoon hacks, I thought, "Is any of this open source telecom software any good?"

In a past life, I worked with companies that used Asterisk and FreeSWITCH (back when Signal was still called TextSecure).

I don't know much about PBX systems, SIP, or even audio encoding. On top of that, some of the best C programmers I've met worked in telecom. Hell, some of the oldest hacker communities were the phone phreakers of the 1980s. Not to mention all the engineers who proudly trace their roots back to Bell Labs.

All of this is to say, I figured looking at this kind of software might be a fruitless effort.

Surely all the low-hanging fruit had already been found?

So I opened the FreeSWITCH source on GitHub and almost immediately found a vulnerability.

Stack buffer overflow in the XMLRPC HTTP handler

This code, which handles HTTP requests for the XMLRPC library bundled with FreeSWITCH, writes a string of arbitrary length into a 4096-byte stack variable called z.

char z[4096];                       /* fixed-size stack buffer */
char *p,z1[26],z2[20],z3[9],u;
const char * z4;
int16_t i;
uint32_t k;

if (text) {
    /* sprintf() has no length limit: a uri longer than ~4085 bytes overruns z */
    sprintf(z, "Index of %s" CRLF, uri);

The uri variable is populated from the request path, which is provided by the attacker.

This isn't a common problem in normal use, since most browsers don't support URLs longer than 2048 characters, but the relevant RFCs allow up to about 8 KB in most cases. (Cloudflare supports up to 32 KB.)

I think it's reasonable to assume that attackers can craft a request longer than 4096 characters.

Putting these observations together, it's easy to see that this is a stack buffer overflow in their XMLRPC library.

Turning it into remote code execution is left as an exercise for the reader (mainly because I will never bother with OS-level exploitation).

How to fix this issue

Use snprintf() instead.

This is "defensive programming 101" level stuff.
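To make the fix concrete, here is an added example (my own code, not FreeSWITCH's or the xmlrpc-c project's) of the same "Index of %s" formatting done with snprintf() into a 4096-byte buffer; the helper name format_index_header and the 5000-byte URI are assumptions constructed for the demo.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define CRLF "\r\n"
#define Z_SIZE 4096

/* Hypothetical hardened replacement for the sprintf() call quoted above.
 * Formats the directory-index header into a fixed-size buffer and reports
 * whether the output was truncated, so the caller can reject the request
 * instead of silently serving a clipped header. */
static bool format_index_header(char *z, size_t zsize, const char *uri)
{
    /* snprintf() writes at most zsize bytes including the terminating NUL.
     * Its return value is the length the complete output would have had. */
    int n = snprintf(z, zsize, "Index of %s" CRLF, uri);
    if (n < 0) {
        z[0] = '\0';
        return false;
    }
    return (size_t)n < zsize;   /* false: the uri did not fit */
}

/* Demo: a short URI fits, a constructed 5000-byte URI does not, and even
 * then the buffer stays NUL-terminated and within bounds. */
static int demo(void)
{
    char z[Z_SIZE];
    static char long_uri[5001];
    memset(long_uri, 'A', 5000);
    long_uri[5000] = '\0';

    bool ok_short = format_index_header(z, sizeof z, "/files/");
    bool ok_long  = format_index_header(z, sizeof z, long_uri);
    return ok_short && !ok_long && strlen(z) == Z_SIZE - 1;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```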

My attempts at coordinated disclosure

(NB: please stop saying "responsible" disclosure.)

2025-01-27: I sent an email to the address listed in FreeSWITCH's security policy with the details of the vulnerability.

2025-02-07: I sent a follow-up email to make sure they had received my report.

2025-02-07: Andrey Volk replied:

Hello Soatok.

Thank you for your email!

The issues you describe were recently fixed.

Please see:

https://github.com/signalwire/freeswitch/pull/2752

https://github.com/signalwire/freeswitch/pull/2753

https://github.com/signalwire/freeswitch/pull/2754

Best regards,

Since the fixes are public, I have to assume the embargo is broken, so to speak. That means I'm free to blog about it publicly.

However, I noticed that they hadn't tagged a new release containing this security fix for FreeSWITCH users. I replied:

Oh, awesome. Thanks for getting back to me.

Do you have an ETA on when the release will be tagged? I don't want to publish anything until it's easy to install an updated version.

A few hours later, Andrey replied to my email.

Brace yourself, it's a stupid one.

Hello Soatok.

Thank you for your interest in FreeSWITCH.

We do not plan to release FreeSWITCH Community until summer 2025.

Best regards,

What just happened?

To recap: a SignalWire employee (SignalWire being the company that develops FreeSWITCH) came right out and said they will let people who don't pay for FreeSWITCH Advantage remain vulnerable until their regularly scheduled release (sometime in summer).

There are about 8,300 Shodan hits for FreeSWITCH as I write this. I doubt they all pay for business support, so we're talking about thousands of telephony stacks around the world staying vulnerable until summer, even though the patches are already published on GitHub.

While such a decision may be completely legal, it doesn't inspire confidence that the stewards of this software project give a shit about harm to their users.

Telecom security: a systemic issue

The worst part is, when I told a friend who works in telecom about this (after the FreeSWITCH fixes were published), their answer was:

That fast?

(…)

December 2024 was merely the most recent time alarms were raised about the known SS7 vulnerabilities that have persisted in telephone networks for the past 17 years.

And, to be honest, that kind of took the wind out of my sails, so I didn't bother looking at Asterisk or any other software.

I mean, why bother? I already have the answer to the question that prompted me to look in the first place: telecom security is lagging behind today.

The reason things are lagging is mostly that there's too little (if any) money to be made securing these systems today.

Things don't NEED to be this way, of course.

There may be an opportunity for some entrepreneurial young hacker to write a hardened FreeSWITCH fork with a pile of security fixes around it.

(Or, at least, one in which vulnerabilities are harder to find than in a careless web app. Maybe the OpenBSD team can be motivated to step in?)

Maybe in the future, we can find the political will to invest in telecom infrastructure security. Who knows, some of that money might even find its way to open source software, and they could hire someone who knows how to run valgrind.

Or perhaps everything will continue to suck, because incentives rule everything, and the current incentives push for nothing.

Closing thoughts

It took me a long time to write this, even though it's a simple technical issue, because I'm sure there are uncomfortable implications in how easily this was found.

The vendor's response is pretty lame, yes. But is this vendor an outlier in their industry? I'm not sure they are. At least they responded within 90 days and fixed the issue on their GitHub.

But, hey, if you're waiting for SignalWire to get around to running git tag... maybe build from source again, or block public HTTP access to your FreeSWITCH stack at the firewall level?

Sorry I can’t help more.


2025-03-12 08:21:00
