innovaphone IP222 UDP Denial Of Service

Type packetstorm
Reporter Sven Freund
Modified 2016-03-24T00:00:00


                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
Advisory ID: SYSS-2016-016  
Product: innovaphone IP222  
Manufacturer: innovaphone AG  
Affected Version(s): 11r2 sr9  
Tested Version(s): 11r2 sr9  
Vulnerability Type: Improper Input Validation (CWE-20)  
Risk Level: High  
Solution Status: Fixed  
Manufacturer Notification: 2016-03-04  
Solution Date: Unknown  
Public Disclosure: 2016-03-24  
CVE Reference: Not yet assigned  
Author of Advisory: Sven Freund (SySS GmbH)  
The innovaphone IP222 is a Voice over IP telephone solution, which  
provides many communication functionalities, for instance, announcement  
function, password protected administration via web browser (HTTPS),  
multiple registration up to six users at the same time and many other  
The manufacturer innovaphone AG describes the product as follows  
(see [1]):  
"The IP222 telephone unites a very modern design with groundbreaking  
technological details. It belongs to the innovaphone product family that  
won the popular 'red dot award: product design'."  
Vulnerability Details:  
The innovaphone IP222 offers different protocols, like H.323 or SIP, to  
fulfil the various requirements. The discovered vulnerability was found  
in the protocol SIP/UDP. Therefore a specially crafted SIP request to  
the open 5060/UDP port causes a denial of service condition by crashing  
the innovaphone IP222 phone immediately. Remote code execution via this  
security vulnerability may also be possible, but was not confirmed by  
the SySS GmbH.  
Proof of Concept (PoC):  
The SySS GmbH developed a proof-of-concept software tool for crashing  
the innovaphone IP222 with a specially crafted SIP request by causing a  
buffer overflow.   
sip = (method +" sip:105@" + server + " SIP/2.0\r\n"  
"To: <sip:" + server + ":5060>\r\n"  
"Via: SIP/2.0/UDP " + <ATTACK> + " xxx;x:5060;branch=z9hG4bK00003510  
"From: \x22xtestsip\x22<sip:" + server + "@dude>\r\n"  
"Call-ID: 1@dude\r\n"  
"CSeq: 1 " + method + "\r\n"  
"Content-Length: 0\r\n\r\n")  
The variable <ATTACK> must be replaced by a string which contains at  
least 3878 characters. After transmitting this SIP request to the  
innovaphone IP222, the VoIP phone will crash and restart immediately.  
Remote code execution via this security vulnerability may also be  
possible, but was not confirmed by the SySS GmbH.  
According to information by the innovaphone AG, the described security  
issue has been fixed in software version v12r1 / v11r2sr11 / v10sr32.  
Please contact the manufacturer for further information or support.  
Disclosure Timeline:  
2016-03-04: Vulnerability reported to manufacturer  
2016-03-09: Manufacturer acknowledges e-mail with SySS security advisory  
and described the security issue as fixed  
2016-03-24: Public release of security advisory  
[1] Product Web Site for innovaphone IP222  
[2] SySS Security Advisory SYSS-2016-016  
[3] SySS Responsible Disclosure Policy  
This security vulnerability was found by Sven Freund of the SySS GmbH.  
E-Mail: sven.freund (at)  
Public Key:  
Key fingerprint = DCDB 7627 C1E3 9CE8 62DF 2666 8A5F A853 415D 46DC  
The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
Creative Commons - Attribution (by) - Version 3.0  
Version: GnuPG v1