@stake advisory: Pingtel Xpressa Denial of Service

2004-09-14T00:00:00
ID SECURITYVULNS:DOC:6797
Type securityvulns
Reporter Securityvulns
Modified 2004-09-14T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                            @stake, Inc.
                          www.atstake.com

                         Security Advisory

Advisory Name: Pingtel Xpressa Denial of Service
 Release Date: 09-13-2004
       Device: Xpressa phone (Model PX-1)
     Firmware: Core Apps: 2.1.11.24
               Kernel: 2.1.11.24
     Severity: An attacker can cause the phone to fail. A power cycle
               is required to restore functionality.
    Author(s): James Vaughan <jdv@atstake.com>
Vendor Status: Vendor has halted sales of device
CVE Candidate: CVE Candidate number applied for
    Reference: www.atstake.com/research/advisories/2004/a091304-2.txt

Overview:

Pingtel Corp. (http://www.pingtel.com/) is a leading independent vendor of Session Initiation Protocol (SIP) products. One of Pingtel's flagship products was the Xpressa SIP desktop phone. In August 2004, Pingtel ceased selling the Xpressa phone.

@stake has discovered a vulnerability in the HTTP management interface of the phone. This could be used by an attacker to deny service to the handset by crashing the underlying VxWorks operating system.

Details:

The Pingtel Xpressa handset can be administered over a variety of interfaces (console, telnet and HTTP). A vulnerability exists in the HTTP server which enables a remote authenticated attacker to cause the underlying VxWorks operating system to stop. A request of the form:

    GET /<buffer>/cgi/application.cgi HTTP/1.0
    Authorization: Basic [base64authstring]

where <buffer> is a string of 260 uppercase "A" characters, will trigger the DoS condition.

This issue has the potential for further exploitation within the context of the VxWorks operating system. However, this was not investigated further due to the closed nature of the Pingtel device. Note that Pingtel is open sourcing the underlying software shortly.
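A detection check for the request shape described above, added here as an example and not part of the @stake advisory: it flags over-long path segments in HTTP request lines as seen at a filtering proxy or in request logs. The 128-character threshold, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: no legitimate management URL has a path segment near this long;
# the advisory's trigger uses a 260-character segment.
MAX_SEGMENT_LEN = 128
REQUEST_LINE = re.compile(r'^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$')


def inspect_request_line(line, max_len=MAX_SEGMENT_LEN):
    """Return a list of findings for one HTTP request line (empty if clean)."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return ["malformed request line"]
    # Drop the query string, then decode so %41-style padding is also measured.
    path = unquote(m.group("target").split("?", 1)[0])
    findings = []
    for seg in path.split("/"):
        if len(seg) > max_len:
            kind = "single repeated character" if len(set(seg)) == 1 else "mixed"
            findings.append(f"path segment of {len(seg)} chars ({kind})")
    if findings and path.endswith("/cgi/application.cgi"):
        findings.append("targets /cgi/application.cgi as in the advisory")
    return findings


def scan(lines):
    """Map each offending request line number (1-based) to its findings."""
    return {n: f for n, line in enumerate(lines, 1)
            if (f := inspect_request_line(line))}


# Constructed sample input, not captured traffic.
SAMPLE = [
    "GET /cgi/application.cgi HTTP/1.0",
    "GET /" + "A" * 260 + "/cgi/application.cgi HTTP/1.0",
    "GET /" + "%41" * 260 + "/cgi/application.cgi HTTP/1.0",
    "GET /images/logo.gif?cache=" + "x" * 300 + " HTTP/1.0",
]

if __name__ == "__main__":
    for n, findings in scan(SAMPLE).items():
        print(n, "; ".join(findings))
```

The same length check can be enforced as a reject rule on whatever device fronts the handset's management network.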

Vendor Response:

09-08-2004 @stake attempts vendor contact via email
09-10-2004 @stake re-attempts vendor contact via email
09-10-2004 Vendor responds that sales of device halted
09-13-2004 Advisory released

email to @stake from Pingtel:

"Pingtel will no longer market the xpressa desktop IP phone. Pingtel will continue to sell its industry leading SIP Softphone, and will continue to support its existing xpressa desktop phone customers who are on an active Warranty or Maintenance Plans."

Recommendation:

The threat of this vulnerability can be mitigated by disabling the HTTP management interface on the Xpressa handset. This is done by navigating to:

More|Apps|Prefs|myxpressa web|<enter password>|

and unchecking "Enable Web Server". This change requires you to reboot your phone.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

CAN-2004-XXXX Pingtel Xpressa Denial of Service

@stake Vulnerability Reporting Policy: http://www.atstake.com/research/policy/

@stake Advisory Archive: http://www.atstake.com/research/advisories/

PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2004 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQUXnyke9kNIfAm4yEQKQ+ACfba3yL2wtwN3ma3SL/rsLXEJEz1AAoNSw
lmdWLNMqScQ3QOT3z2rr5Qlg
=wSEZ
-----END PGP SIGNATURE-----