[Full-disclosure] Linksys WIP 330 VoIP wireless phone crash from Nmap scan
shawnmer at gmail.com
Sat Dec 9 21:09:51 GMT 2006
Yup, if one has the phone and cares to give free vendor QA that's a
tactic to consider. As you know, determining the *exact* cause of the
crash can be a tricky thing. For instance, the Milw0rm SYN flood
exploit that targeted port 80 on the Cisco 7940 seemed to hose the web
server, which then then crashed the phone -- but it was actually a
lower-level stack issue.
Also, since we're talking about a VoIP device here, getting into some
of the more opensource VOIP-specific tools available can also be
tricky determining the root-cause, especially from different manners
of tool runs and packet sequences. For example, from the the Asteroid
SIP DoS tool README at
Anyhow, I have found that by sending a certain sequence of these
packets, in a certain order, servers react differently. Sometimes it
will crash faster, sometimes more extensions are subscribe, etc, etc.
I will not post any sequencing until vendors have patched their
programs against this lame attack but, I will release the packet
samples I've been working with.
On 12/9/06, Collin R. Mulliner <collin at betaversion.net> wrote:
> what about doing some investigation? Like figuring out which protocol
> and port the crash relates to. Then send some "random" stuff to that
> port and see what happens. You could find some real interesting stuff...
> see http://www.mulliner.org/pocketpc/
> On Wed, 2006-12-06 at 10:40 -0800, Shawn Merdinger wrote:
> > Vulnerability Description
> > ==================
> > The Linksys WIP 330 VoIP wireless phone will crash when a full
> > port-range Nmap scan is run against its IP address.
> > Linksys WIP 330 Firmware Version
> > ==========================
> > 1.00.06A
> > Nmap scan command
> > ================
> > nmap -P0 <WIP 330 ip address> -p 1-65535
> > Impact
> > =====
> > The crash is only after Nmap has finished. The Nmap scan also seems to
> > disrupt updating of the display as the clock is not updated. The crash
> > appears related to PhoneCtl.exe running on the phone's Windows CE 4.2
> > operating system.
> > Screenshot of the crash: http://www.flickr.com/photos/metalmijn/295348294/
> > Credit
> > ====
> > Credit for discovering this vulnerability goes to Armijn Hemel
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> Collin R. Mulliner <collin at betaversion.net>
> BETAVERSiON Systems [www.betaversion.net]
> info/pgp: finger collin at betaversion.net
> USS Enterprise Bumperstricker: Our other starship separates into 3
Full-Disclosure is hosted and sponsored by Secunia.