Message-ID: <20050812115852.9193.qmail@mail2.securityfocus.com>
Date: Fri, 12 Aug 2005 14:27:05 +0200
From: Kroma Pierre <kroma@...s.de>
To: bugtraq@...urityfocus.com
Subject: Grandstream Budge Tone 101/102 DoS Vulnerability

-------------------------------------------------------------------
SySS-Advisory: Grandstream Budge Tone 101/102 DoS Vulnerability
-------------------------------------------------------------------

Problem discovered: 		July 	20th 2005
Vendor contacted: 		July 	21st 2005
Advisory will be published on: 	August 	12th 2005

AUTHOR: 	Pierre Kroma (kroma@...s.de)
		SySS GmbH
		72070 Tuebingen / Germany
		Tel.: +49-7071-407856-0
Key fingerprint = 927A B13E 16F5 BBAB 8F17 75EB D8E1 A9A4 F257 4EEC

DEVICE:			Grandstream Budge Tone-101
			Grandstream Budge Tone-102
AFFECTED VERSIONS: 	perhaps all(?) <= 1.0.6.7 (firmware 1.0.6.7 tested)

EXPLOIT:		attached
VENDOR STATUS: 		informed
SEVERITY: 		medium
Remotely exploitable: 	yes

DESCRIPTION:
It is possible to initiate a DoS attack against this VoIP
(hardware) phone. If you send a UDP packet greater than 65534 bytes
to port 5060, the device stops working:

- any active telephone call will be aborted.
- the display will show nothing or freeze.
- the integrated HTTP server won't be reachable any more.

To solve the problem, you must switch the phone off and on again.

If you send a packet of exactly 65534 bytes the device may reboot.
Smaller packets have no effect.

############################################################################
EXAMPLE:
Grandstream BT101/BT102 DoS
written by pierre kroma (kroma@...s.de)

ping the remote device xxx.xxx.xxx.xxx
PING xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 56(84) bytes of data.
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=1 ttl=250 time=0.479 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=2 ttl=250 time=0.406 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=3 ttl=250 time=0.404 ms

--- xxx.xxx.xxx.xxx ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.404/0.429/0.479/0.042 ms

Wait ...

ping the remote device xxx.xxx.xxx.xxx again
PING xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 56(84) bytes of data.

--- xxx.xxx.xxx.xxx ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms
############################################################################

Download attachment "grandstream-DoS.pl" of type "application/x-perl" (1288 bytes)
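
Added example, not part of the original advisory or its attached script: a detection sketch that groups IPv4 fragment records per datagram and flags UDP datagrams to port 5060 whose reassembled size reaches the value named in the DESCRIPTION. The record field names, the 64-byte margin, counting size as the reassembled IP payload, and the sample addresses are assumptions made for this example.

```python
from collections import defaultdict

SIP_PORT = 5060
ADVISORY_BYTES = 65534   # packet size named in the advisory
MARGIN = 64              # assumption: slack for differences in how size is counted

def oversized_sip_datagrams(fragments, threshold=ADVISORY_BYTES - MARGIN):
    """Return (src, dst, ip_id, reassembled_bytes) for each UDP datagram to
    port 5060 whose reassembled IP payload reaches the threshold."""
    groups = defaultdict(lambda: {"end": 0, "dport": None})
    for f in fragments:
        if f["proto"] != 17:                      # UDP only
            continue
        g = groups[(f["src"], f["dst"], f["ip_id"])]
        # Highest byte covered so far; works for out-of-order fragments.
        g["end"] = max(g["end"], f["offset"] + f["length"])
        if f["offset"] == 0:                      # only fragment with UDP ports
            g["dport"] = f["dport"]
    return [(src, dst, ip_id, g["end"])
            for (src, dst, ip_id), g in groups.items()
            if g["dport"] == SIP_PORT and g["end"] >= threshold]

def fragment(src, dst, ip_id, dport, size, per_frag=1480):
    """Constructed input: fragment records for one datagram of `size` bytes."""
    out, off = [], 0
    while off < size:
        n = min(per_frag, size - off)
        out.append({"src": src, "dst": dst, "ip_id": ip_id, "proto": 17,
                    "offset": off, "length": n, "mf": off + n < size,
                    "dport": dport if off == 0 else None})
        off += n
    return out

# Constructed sample traffic (documentation address ranges).
SENDER, PHONE = "192.0.2.10", "198.51.100.20"
SAMPLE = (fragment(SENDER, PHONE, 1, 5060, 850)                     # ordinary SIP
          + list(reversed(fragment(SENDER, PHONE, 2, 5060, 65534)))  # out of order
          + fragment(SENDER, PHONE, 3, 5004, 65534))                # other port

if __name__ == "__main__":
    for alert in oversized_sip_datagrams(SAMPLE):
        print("oversized UDP/5060 datagram:", alert)
```

Datagrams of this size are always fragmented on an Ethernet path, so a sensor that inspects only first fragments or only per-packet lengths will not see them; the size has to be computed per (source, destination, IP ID) group.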
