Lucene search
K

siemens.ipphone.txt

🗓️ 28 Sep 2000 00:00:00Reported by Michal ZalewskiType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 26 Views

Siemens HiNet LP5100 IP-phone has a buffer overflow vulnerability in its HTTP mini-administration service.

Code
`From: Michal Zalewski <[email protected]>  
Subject: Another thingy.  
To: [email protected]  
  
-- Standard disclaimer applies. I am speaking as a private person,  
-- and doing it in completely informal way, which shouldn't be interpreted  
-- in any other way but as my personal opinions and beliefs, which don't have  
-- to be true.  
  
Another thing to add to "commercial products security" thread. During  
routine checks, we have discovered ugly security hole in awarded Siemens  
HiNet LP5100 IP-phone. This problem has been, of course, reported to  
vendor.  
  
Another time, this problem is not related to Siemens - and I'm not trying  
to depreciate their products - especially I've seen such really trivial  
and obvious remote hole so many times (eg. in Novell Netware solutions -  
the hole, in fact, was completely the same; numerous nasty holes were  
found in WAP mobile phones made by Nokia; and so on). I still wonder when  
major companies - especially if they haven't much to do with TCP/IP  
internetworking security earlier - will learn to think about security.  
Leaving such obvious holes is not a result of overlook, but lack of  
interest. They are introducing more and more advanced, but everyday use  
solutions, which make our lives even more dependent on networked  
machines... If they won't learn it really quick, and if security will be  
still ignored... well, guess: what the next Worm will attack?  
  
Product: Siemens HiNet LP 5100 IP-phone  
  
Service: http mini-administration service (on port 80); open on every  
IP-phone of this kind  
  
Problem: it is vulnerable to buffer overflow in GET request; with large  
request size, it is possible to cause partial or complete crash  
of phone services; in general, requests between 100 and 300 bytes  
have unpredictable results; request above 500 bytes cause  
complete crash and will require power off / on.  
  
Of course, except DoSing the phone, someone experienced with hardware  
architecture and firmware of this machine, can try to exploit this  
overflow. Even in protected LANs, it's at least alarming if any network  
user can attack phone or even modify it's software (to intercept calls,  
for example).  
  
_______________________________________________________  
Michal Zalewski [[email protected]] [tp.internet/security]  
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:  
=-----=> God is real, unless declared integer. <=-----=  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation