Re: Linksys WIP 330 VoIP wireless phone crash from Nmap scan

["Shawn Merdinger" <shawnmer () gmail com>]

Hi,

Yup, if one has the phone and cares to give free vendor QA that's a
tactic to consider.  As you know, determining the *exact* cause of the
crash can be a tricky thing.  For instance, the Milw0rm SYN flood
exploit that targeted port 80 on the Cisco 7940 seemed to hose the web
server, which then then crashed the phone -- but it was actually a
lower-level stack issue.

http://www.cisco.com/warp/public/707/cisco-response-20060113-ip-phones.shtml

Also, since we're talking about a VoIP device here, getting into some
of the more opensource VOIP-specific tools available can also be
tricky determining the root-cause, especially from different manners
of tool runs and packet sequences.  For example, from the the Asteroid
SIP DoS tool README at
http://infiltrated.net/asteroid/asteroidv1.tar.gz

<snip>

Anyhow, I have found that by sending a certain sequence of these
packets, in a certain order, servers react differently. Sometimes it
will crash faster, sometimes more extensions are subscribe, etc, etc.
I will not post any sequencing until vendors have patched their
programs against this lame attack but, I will release the packet
samples I've been working with.

</snip>

Thanks,
--scm

On 12/9/06, Collin R. Mulliner <collin () betaversion net> wrote:
> what about doing some investigation? Like figuring out which protocol
> and port the crash relates to. Then send some "random" stuff to that
> port and see what happens. You could find some real interesting stuff...
>
> see http://www.mulliner.org/pocketpc/
>
> Collin
>
> On Wed, 2006-12-06 at 10:40 -0800, Shawn Merdinger wrote:
> > Vulnerability Description
> > ==================
> > The Linksys WIP 330 VoIP wireless phone will crash when a full
> > port-range Nmap scan is run against its IP address.
> >
> >
> > Linksys WIP 330 Firmware Version
> > ==========================
> > 1.00.06A
> >
> >
> > Nmap scan command
> > ================
> > nmap -P0 <WIP 330 ip address> -p 1-65535
> >
> >
> > Impact
> > =====
> > The crash is only after Nmap has finished. The Nmap scan also seems to
> > disrupt updating of the display as the clock is not updated. The crash
> > appears related to PhoneCtl.exe running on the phone's Windows CE 4.2
> > operating system.
> >
> > Screenshot of the crash: http://www.flickr.com/photos/metalmijn/295348294/
> >
> >
> > Credit
> > ====
> > Credit for discovering this vulnerability goes to Armijn Hemel
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> --
> Collin R. Mulliner <collin () betaversion net>
> BETAVERSiON Systems [www.betaversion.net]
> info/pgp: finger collin () betaversion net
> USS Enterprise Bumperstricker: Our other starship separates into 3
> pieces!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/