`From: Michal Zalewski <[email protected]>
Subject: Another thingy.
To: [email protected]
-- Standard disclaimer applies. I am speaking as a private person,
-- and doing it in completely informal way, which shouldn't be interpreted
-- in any other way but as my personal opinions and beliefs, which don't have
-- to be true.
Another thing to add to "commercial products security" thread. During
routine checks, we have discovered ugly security hole in awarded Siemens
HiNet LP5100 IP-phone. This problem has been, of course, reported to
vendor.
Another time, this problem is not related to Siemens - and I'm not trying
to depreciate their products - especially I've seen such really trivial
and obvious remote hole so many times (eg. in Novell Netware solutions -
the hole, in fact, was completely the same; numerous nasty holes were
found in WAP mobile phones made by Nokia; and so on). I still wonder when
major companies - especially if they haven't much to do with TCP/IP
internetworking security earlier - will learn to think about security.
Leaving such obvious holes is not a result of overlook, but lack of
interest. They are introducing more and more advanced, but everyday use
solutions, which make our lives even more dependent on networked
machines... If they won't learn it really quick, and if security will be
still ignored... well, guess: what the next Worm will attack?
Product: Siemens HiNet LP 5100 IP-phone
Service: http mini-administration service (on port 80); open on every
IP-phone of this kind
Problem: it is vulnerable to buffer overflow in GET request; with large
request size, it is possible to cause partial or complete crash
of phone services; in general, requests between 100 and 300 bytes
have unpredictable results; request above 500 bytes cause
complete crash and will require power off / on.
Of course, except DoSing the phone, someone experienced with hardware
architecture and firmware of this machine, can try to exploit this
overflow. Even in protected LANs, it's at least alarming if any network
user can attack phone or even modify it's software (to intercept calls,
for example).
_______________________________________________________
Michal Zalewski [[email protected]] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation