Hello,
recently there was a post on the Bugtraq mailing list saying that the BudgetTone 101/102 is vulnerable to a DoS.
Does anyone know whether this only affects these two devices, or the ATA 486 as well?
Will there be an update?
Regards,
Thomas
-------------------------------------------------------------------
SySS-Advisory: Grandstream Budge Tone 101/102 DoS Vulnerability
-------------------------------------------------------------------
Problem discovered: July 20th 2005
Vendor contacted: July 21st 2005
Advisory will be published on: August 12th 2005
AUTHOR: Pierre Kroma ([email protected])
SySS GmbH
72070 Tuebingen / Germany
Tel.: +49-7071-407856-0
Key fingerprint = 927A B13E 16F5 BBAB 8F17 75EB D8E1 A9A4 F257 4EEC
DEVICE: Grandstream Budge Tone-101
Grandstream Budge Tone-102
AFFECTED VERSIONS: perhaps all(?) <= 1.0.6.7 (firmware 1.0.6.7 tested)
EXPLOIT: attached
VENDOR STATUS: informed
SEVERITY: medium
Remotely exploitable: yes
DESCRIPTION:
It is possible to initiate a D.o.S attack against this VoIP
(hardware-)phone. If you send a UDP packet greater than 65534 bytes
to port 5060 the device stops working:
- any active telephone call will be aborted.
- the display will show nothing / display freeze.
- the integrated HTTP-server won't be reachable any more.
To solve the problem, you must switch the phone off and on again.
If you send a packet of exactly 65534 bytes the device may reboot.
Smaller packets have no effect.
############################################################################
EXAMPLE:
Grandstream BT101/BT102 DoS
written by pierre kroma ([email protected])
ping the remote device xxx.xxx.xxx.xxx
PING xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 56(84) bytes of data.
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=1 ttl=250 time=0.479 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=2 ttl=250 time=0.406 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=3 ttl=250 time=0.404 ms
--- xxx.xxx.xxx.xxx ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.404/0.429/0.479/0.042 ms
Wait ...
ping the remote device xxx.xxx.xxx.xxx again
PING xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 56(84) bytes of data.
--- xxx.xxx.xxx.xxx ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms
############################################################################
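Added example, not part of the original post or the SySS advisory: a detection sketch that tracks IPv4 fragments and flags UDP datagrams to port 5060 whose fragments extend to 65534 bytes or more, so a gateway in front of the phones can alert on or drop them. It assumes the advisory's size means the reassembled UDP header plus data; the function names, addresses and sample fragments are constructed for illustration.

```python
import struct
from collections import defaultdict

SIP_PORT = 5060    # port named in the advisory
THRESHOLD = 65534  # size named in the advisory; assumed to mean reassembled UDP header + data

def parse_ipv4(pkt):
    """Return (flow key, fragment offset in bytes, payload length, UDP dst port or None)."""
    ver_ihl, _, total_len, ident, flags_frag, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_frag & 0x1FFF) * 8
    dport = None
    if proto == 17 and offset == 0 and len(pkt) >= ihl + 4:
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]  # only the first fragment has it
    return (src, dst, ident, proto), offset, total_len - ihl, dport

def find_oversized_sip(packets, threshold=THRESHOLD):
    """Flow keys of UDP/5060 datagrams whose fragments extend to >= threshold bytes."""
    extent, dports = defaultdict(int), {}
    for pkt in packets:
        key, offset, plen, dport = parse_ipv4(pkt)
        if key[3] != 17:
            continue
        extent[key] = max(extent[key], offset + plen)  # furthest byte any fragment claims
        if dport is not None:
            dports[key] = dport
    return [k for k, end in extent.items()
            if dports.get(k) == SIP_PORT and end >= threshold]

def frag(ident, offset, plen, more, dport=None):
    """Constructed sample: header-only capture of one fragment (documentation addresses)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + plen, ident,
                      (0x2000 if more else 0) | (offset // 8), 64, 17, 0,
                      bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return hdr + (struct.pack("!HHHH", 40000, dport, 0, 0) if dport is not None else b"")

def big(ident, dport):
    """45 fragments of 1480 bytes: the last one ends at byte 66600."""
    offs = range(0, 65121, 1480)
    return [frag(ident, o, 1480, o != 65120, dport if o == 0 else None) for o in offs]

SAMPLE = ([frag(1, 0, 508, False, 5060)]        # ordinary SIP message
          + big(2, 5060) + big(3, 53)           # oversized: SIP port, then another port
          + [frag(4, 0, 1480, True, 5060), frag(4, 1480, 1000, False)])  # 2480 bytes

if __name__ == "__main__":
    for src, dst, ident, _ in find_oversized_sip(SAMPLE):
        print("oversized UDP/5060 datagram, IP id", ident)
```

The check reads the length from the IP header rather than the captured bytes, so it also works on snaplen-truncated captures.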