| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 9 Dec 2006 13:09:51 -0800 From: "Shawn Merdinger" <shawnmer@...il.com> To: "Collin R. Mulliner" <collin@...aversion.net>, full-disclosure@...ts.grok.org.uk Subject: Re: Linksys WIP 330 VoIP wireless phone crash from Nmap scan Hi, Yup, if one has the phone and cares to give free vendor QA that's a tactic to consider. As you know, determining the *exact* cause of the crash can be a tricky thing. For instance, the Milw0rm SYN flood exploit that targeted port 80 on the Cisco 7940 seemed to hose the web server, which then then crashed the phone -- but it was actually a lower-level stack issue. http://www.cisco.com/warp/public/707/cisco-response-20060113-ip-phones.shtml Also, since we're talking about a VoIP device here, getting into some of the more opensource VOIP-specific tools available can also be tricky determining the root-cause, especially from different manners of tool runs and packet sequences. For example, from the the Asteroid SIP DoS tool README at http://infiltrated.net/asteroid/asteroidv1.tar.gz <snip> Anyhow, I have found that by sending a certain sequence of these packets, in a certain order, servers react differently. Sometimes it will crash faster, sometimes more extensions are subscribe, etc, etc. I will not post any sequencing until vendors have patched their programs against this lame attack but, I will release the packet samples I've been working with. </snip> Thanks, --scm On 12/9/06, Collin R. Mulliner <collin@...aversion.net> wrote: > what about doing some investigation? Like figuring out which protocol > and port the crash relates to. Then send some "random" stuff to that > port and see what happens. You could find some real interesting stuff... > > see http://www.mulliner.org/pocketpc/ > > Collin > > On Wed, 2006-12-06 at 10:40 -0800, Shawn Merdinger wrote: > > Vulnerability Description > > ================== > > The Linksys WIP 330 VoIP wireless phone will crash when a full > > port-range Nmap scan is run against its IP address. > > > > > > Linksys WIP 330 Firmware Version > > ========================== > > 1.00.06A > > > > > > Nmap scan command > > ================ > > nmap -P0 <WIP 330 ip address> -p 1-65535 > > > > > > Impact > > ===== > > The crash is only after Nmap has finished. The Nmap scan also seems to > > disrupt updating of the display as the clock is not updated. The crash > > appears related to PhoneCtl.exe running on the phone's Windows CE 4.2 > > operating system. > > > > Screenshot of the crash: http://www.flickr.com/photos/metalmijn/295348294/ > > > > > > Credit > > ==== > > Credit for discovering this vulnerability goes to Armijn Hemel > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > > Hosted and sponsored by Secunia - http://secunia.com/ > -- > Collin R. Mulliner <collin@...aversion.net> > BETAVERSiON Systems [www.betaversion.net] > info/pgp: finger collin@...aversion.net > USS Enterprise Bumperstricker: Our other starship separates into 3 > pieces! > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists