Date: Tue, 8 Dec 2009 10:01:44 +1100
From: 0 0 <teknineutensil@...il.com>
To: dr_ide@...hmail.com, str0ke <str0ke@...w0rm.com>, 
	full-disclosure@...ts.grok.org.uk, submissions@...ketstormsecurity.org
Subject: TANDBERG MXP(FIPS140) DOS

Security Advisory


Platform : TANDBERG
Date     : November 6, 2009
Affected : All MXP in FIPS140 mode, current as of December 8, 2009
Tested   : F8.2, F8.0, F7.2, F6.3
Unconf   : VCS, BC, C90
Author   : otokoyama


Problem Description:

Issues with the H.225 RAS implementation in TANDBERG Codecs.
*This has been confirmed when FIPS140 Mode is set to active.*

For the DoS to affect the Tandberg endpoint, H.323 Gatekeeper mode must
be set to "On" or "Auto" rather than "Off".

The Tandberg Endpoint does not have to be registered with a gatekeeper.

The DoS is simply sending a RAS URQ (UnregistrationRequest) more than 3280 times.
The Tandberg endpoint swiftly runs out of memory to process the requests
and subsequently reboots. The number of packets required to crash it
depends on how many other legitimate requests the Endpoint is holding in its
stack, so a tester wanting clean results may wish to reboot the
Endpoint before running the PoC.

However, it is difficult to fit any payload in after the crashing packet (in
a live remote exploit), as the person attempting this would have no control
over what is already in the Endpoint's network stack. But due to the nature of
video conferencing, this DoS would be effective on a large number of Endpoints
that are on public IPs. It is quite possible that routed Endpoints (traversal,
NAT, port forwarding) would allow this packet through, as it is seemingly
legitimate (most VC network admins set up Deep Packet Inspection exclusions
for the VC Endpoints due to the nature of RTP, which in TCPDUMP looks like a
UDP flood anyway).

This is by no means a new vuln; it has existed on many platforms and
products to this day (and still does ;)), but it's high time it got patched.

Mitigation : Block RAS requests at the router with an ACL (destination port 1719).
           : Invest in traversal infrastructure and deploy it correctly.
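Blocking port 1719 at the edge is the mitigation the advisory gives; on a network that must keep RAS open, the same condition can at least be detected. The following is an added example, not code from the advisory or from TANDBERG: a sliding-window detector that flags any source sending an unusual number of URQ messages to one endpoint on UDP/1719. It assumes a hypothetical one-line-per-packet log format (timestamp, source, destination, protocol, destination port, RAS message type) such as a capture tool might export; that layout, the warning threshold and all sample lines are constructed for this example. The alert threshold is deliberately far below the ~3280 packets the advisory cites, so a flood is reported long before the endpoint would reboot.

```python
"""Rate-based detection of H.225 RAS URQ floods on UDP/1719.

Added example, not code from the advisory or the vendor. The log format
(ISO timestamp, src, dst, proto, dport, RAS message type) is hypothetical;
the sample traffic is constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RAS_PORT = 1719                 # H.225 RAS port named in the advisory's mitigation
WINDOW = timedelta(seconds=10)  # sliding window per (src, dst) pair
WARN_THRESHOLD = 100            # URQs per window; the advisory cites >3280 to crash


def parse_line(line):
    """Parse 'ISO-timestamp src dst proto dport ras_msg'; None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, proto, dport, msg = parts
    try:
        return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                "proto": proto.upper(), "dport": int(dport), "msg": msg.upper()}
    except ValueError:
        return None


def detect_urq_flood(lines, window=WINDOW, threshold=WARN_THRESHOLD):
    """Return [(src, dst, alert_time, count)] for every (src, dst) pair that sends
    at least `threshold` URQs within `window`. One alert per pair, raised at the
    packet that crosses the threshold; other RAS messages and ports are ignored."""
    recent = defaultdict(deque)  # (src, dst) -> timestamps of URQs inside the window
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if (rec is None or rec["proto"] != "UDP"
                or rec["dport"] != RAS_PORT or rec["msg"] != "URQ"):
            continue
        key = (rec["src"], rec["dst"])
        q = recent[key]
        q.append(rec["ts"])
        # Evict timestamps that have fallen out of the window (log is time-ordered).
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((rec["src"], rec["dst"], rec["ts"], len(q)))
    return alerts


def build_sample_log():
    """Constructed traffic: one host registers and later unregisters normally,
    a malformed line is mixed in, and a second host sends 150 URQs in 3 seconds."""
    t0 = datetime(2009, 12, 8, 10, 0, 0)
    lines = [
        f"{t0.isoformat()} 10.0.0.5 192.0.2.10 UDP 1719 RRQ",
        f"{(t0 + timedelta(seconds=30)).isoformat()} 10.0.0.5 192.0.2.10 UDP 1719 URQ",
        "garbage line that should be ignored",
    ]
    for i in range(150):
        ts = t0 + timedelta(seconds=60, milliseconds=20 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.7 192.0.2.10 UDP 1719 URQ")
    return lines


if __name__ == "__main__":
    for src, dst, when, count in detect_urq_flood(build_sample_log()):
        print(f"ALERT {when.isoformat()} {src} -> {dst}: "
              f"{count} URQs within {WINDOW.total_seconds():.0f}s")
```

On the constructed sample the single legitimate URQ from 10.0.0.5 never trips the detector, while the burst from 198.51.100.7 raises one alert at its 100th packet. Keying on the (source, destination) pair rather than on the source alone keeps a gatekeeper that legitimately unregisters many endpoints from being mistaken for a flood against one of them.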

Code attached. Feel free to verify.


View attachment "rastest.py" of type "text/x-python" (1413 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
