Full Disclosure mailing list archives
Re: Linksys WIP 330 VoIP wireless phone crash from Nmap scan
From: "Shawn Merdinger" <shawnmer () gmail com>
Date: Sat, 9 Dec 2006 13:09:51 -0800
Hi, Yup, if one has the phone and cares to give free vendor QA that's a tactic to consider. As you know, determining the *exact* cause of the crash can be a tricky thing. For instance, the Milw0rm SYN flood exploit that targeted port 80 on the Cisco 7940 seemed to hose the web server, which then then crashed the phone -- but it was actually a lower-level stack issue. http://www.cisco.com/warp/public/707/cisco-response-20060113-ip-phones.shtml Also, since we're talking about a VoIP device here, getting into some of the more opensource VOIP-specific tools available can also be tricky determining the root-cause, especially from different manners of tool runs and packet sequences. For example, from the the Asteroid SIP DoS tool README at http://infiltrated.net/asteroid/asteroidv1.tar.gz <snip> Anyhow, I have found that by sending a certain sequence of these packets, in a certain order, servers react differently. Sometimes it will crash faster, sometimes more extensions are subscribe, etc, etc. I will not post any sequencing until vendors have patched their programs against this lame attack but, I will release the packet samples I've been working with. </snip> Thanks, --scm On 12/9/06, Collin R. Mulliner <collin () betaversion net> wrote:
what about doing some investigation? Like figuring out which protocol and port the crash relates to. Then send some "random" stuff to that port and see what happens. You could find some real interesting stuff... see http://www.mulliner.org/pocketpc/ Collin On Wed, 2006-12-06 at 10:40 -0800, Shawn Merdinger wrote:Vulnerability Description ================== The Linksys WIP 330 VoIP wireless phone will crash when a full port-range Nmap scan is run against its IP address. Linksys WIP 330 Firmware Version ========================== 1.00.06A Nmap scan command ================ nmap -P0 <WIP 330 ip address> -p 1-65535 Impact ===== The crash is only after Nmap has finished. The Nmap scan also seems to disrupt updating of the display as the clock is not updated. The crash appears related to PhoneCtl.exe running on the phone's Windows CE 4.2 operating system. Screenshot of the crash: http://www.flickr.com/photos/metalmijn/295348294/ Credit ==== Credit for discovering this vulnerability goes to Armijn Hemel _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/-- Collin R. Mulliner <collin () betaversion net> BETAVERSiON Systems [www.betaversion.net] info/pgp: finger collin () betaversion net USS Enterprise Bumperstricker: Our other starship separates into 3 pieces!
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Linksys WIP 330 VoIP wireless phone crash from Nmap scan Shawn Merdinger (Dec 06)
- Re: Linksys WIP 330 VoIP wireless phone crash from Nmap scan Knud Erik Højgaard (Dec 06)
- Re: Linksys WIP 330 VoIP wireless phone crash from Nmap scan Knud Erik Højgaard (Dec 06)
- Re: Linksys WIP 330 VoIP wireless phone crash from Nmap scan Shawn Merdinger (Dec 06)
- Re: Linksys WIP 330 VoIP wireless phone crash fromNmap scan pingywon (Dec 07)
- Re: Linksys WIP 330 VoIP wireless phone crash fromNmap scan Shawn Merdinger (Dec 08)
- Re: Linksys WIP 330 VoIP wireless phone crash fromNmap scan pingywon (Dec 08)
- Re: Linksys WIP 330 VoIP wireless phone crash fromNmap scan Shawn Merdinger (Dec 08)
- Re: Linksys WIP 330 VoIP wireless phone crash from Nmap scan Collin R. Mulliner (Dec 09)
- Re: Linksys WIP 330 VoIP wireless phone crash from Nmap scan Shawn Merdinger (Dec 09)