[VOIPSEC] DOS vulnerability on Thomson SIP phone ST 2030 using an empty packet

Radu State State at loria.fr
Tue Aug 28 06:05:08 PDT 2007

MADYNES Security Advisory :  Remote DOS on Thomson SIP phone  ST 2030 using
an empty packet


Date of Discovery 15  February, 2007


Vendor was notified on 1 March 2007






After sending an empty message the device looks functional but in fact does
not respond to any event provoking a DoS





SIP is the IETF standardized (RFCs 2543 and 3261) protocol for VoIP
signalization. SIP is an ASCII based INVITE message is used to initiate and
maintain a communication session. 



Affected devices:  Thomson SIP phone ST 2030


Impact :

A malicious user can remotely crash and perform a denial of service attack
by sending one crafted void SIP   message. 



Fixed software will be available from the vendor and customers following
recommended best practices (ie segregating VOIP traffic from data) will be
protected from malicious traffic in most situations. 




Humberto J. Abdelnur (Ph.D Student) 

Radu State (Ph.D) 

Olivier Festor (Ph.D) 


This vulnerability was identified by the Madynes research team at INRIA
Lorraine, using the Madynes VoIP fuzzer KIPH (for a description see




Configuration of our device:



Software Version:   v1.52.1 

IP-Address obtained by DHCP as 

User name : thomson



To run the exploit the file thomson-2030-pl should be launched (assuming our
configurations) as:


POC Code:


perl thomson-2030.pl 5060 thomson





use IO::Socket::INET;

die "Usage $0 <dst> <port> <username>" unless ($ARGV[2]);


$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1],




$msg = "";






More information about the Voipsec mailing list