innovaphone IP222 / IP232 Denial Of Service

Posted Mar 5, 2016
Authored by Alexander Brachmann | Site syss.de

innovaphone versions IP222 and IP232 suffer from a remote denial of service vulnerability.

tags | exploit, remote, denial of service
SHA-256 | 82d16c58171e185f50439ca2a3e3a97783090e29049d727064dcd3b319f9348e

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2015-053
Product: innovaphone IP222/IP232
Manufacturer: innovaphone AG
Affected Version(s): 11r1s r2
Tested Version(s): 11r1s r2
Vulnerability Type: Denial of Service (CWE-730)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2015-09-02
Solution Date: unknown
Public Disclosure: 2016-03-04
CVE Reference: Not yet assigned
Author of Advisory: Alexander Brachmann (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The innovaphone IP222 and IP232 are IP telephones with many features.

The manufacturer innovaphone describes the products as follows (see [1],
[2]):

"The IP222 telephone unites a very modern design with groundbreaking
technological details. It belongs to the innovaphone product family that
won the popular "red dot award: product design".

(...)

The innovaphone IP232 IP phone unites a very modern design with
groundbreaking technological details. It belongs to the innovaphone
design telephone product range that won the coveted "red dot award:
product design"."

Due to a vulnerability in the H.323 network service on TCP port 1720,
an attacker can restart the telephone without authorization, causing a
denial-of-service condition.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

A vulnerability, not analyzed further, in the H.323 network service on
TCP port 1720 of the IP telephone IP222 can be exploited by an attacker on
the same network to reboot the telephone without authorization.

This vulnerability can be used for denial-of-service attacks against the
IP222 telephone in arbitrary states, for example during a call.

If the IP222 telephone is configured in such a way that its users are
not automatically logged in after a reboot, the impact of this
denial-of-service attack is even bigger as user interaction is required
to restore the IP telephone to the previous working state.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The IP telephone IP222 can be rebooted in an unauthorized way by sending
random data to its H.323 network service on the TCP port 1720, for
example by using the following command:

$ cat /dev/urandom | nc <IP ADDRESS> 1720

Before rebooting, the CPU register state is shown on the telephone's
display (white text on red background).
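
As a defensive counterpart to the PoC above (an added example, not part of the SySS advisory): H.225.0 call signalling on TCP port 1720 is carried in TPKT frames (RFC 1006) wrapping Q.931 messages, so a monitoring sensor can flag client streams to the phone that do not begin with valid framing. The function name and the sample byte strings are constructed for illustration.

```python
import struct

H323_PORT = 1720           # call-signalling port named in the advisory
TPKT_VERSION = 3           # RFC 1006 header: version, reserved, 16-bit length
Q931_DISCRIMINATOR = 0x08  # first octet of every Q.931 / H.225.0 message

# Constructed samples: a minimal well-formed frame (no information elements)
# and fixed bytes standing in for random input.
VALID_FRAME = bytes.fromhex("03000009" "0802000105")
NOISE = bytes.fromhex("9f3ac41d77e0b25a6c")


def check_h225_frames(stream: bytes) -> list:
    """Return framing anomalies found in one client-to-phone byte stream."""
    anomalies = []
    offset = 0
    while offset < len(stream):
        header = stream[offset:offset + 4]
        if len(header) < 4:
            anomalies.append(f"offset {offset}: truncated TPKT header")
            break
        version, reserved, length = struct.unpack("!BBH", header)
        if version != TPKT_VERSION or reserved != 0:
            anomalies.append(f"offset {offset}: not a TPKT header ({header.hex()})")
            break  # framing is lost, later bytes cannot be interpreted
        if length < 5:  # 4 header octets plus at least the discriminator
            anomalies.append(f"offset {offset}: TPKT length {length} too short")
            break
        payload = stream[offset + 4:offset + length]
        if len(payload) < length - 4:
            anomalies.append(f"offset {offset}: TPKT claims {length} bytes, stream ends early")
            break
        if payload[0] != Q931_DISCRIMINATOR:
            anomalies.append(
                f"offset {offset}: Q.931 discriminator 0x{payload[0]:02x}, expected 0x08")
        offset += length
    return anomalies


if __name__ == "__main__":
    for name, data in (("valid", VALID_FRAME), ("noise", NOISE)):
        print(name, check_h225_frames(data) or "ok")
```

A stream that ends early may also be an incomplete capture, so that finding is a weaker signal than a bad TPKT header on the first octets.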

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to test results of the SySS GmbH with a newer firmware
version 11r2 sr9, the reported security issue was fixed by the
manufacturer.

Please contact the manufacturer for further information or support.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-09-04: Vulnerability reported to manufacturer
2015-09-07: Manufacturer acknowledges e-mail with SySS security advisory
            and asks for further information
2015-09-08: Response to open question
2015-11-06: E-mail to manufacturer asking about the current state of the
            reported security issue
2015-11-06: Manufacturer cannot reproduce the security issue
            Providing detailed information on how the security
            vulnerability can be triggered
2015-11-09: E-mail to manufacturer asking about the current state of the
            reported security issue
2015-11-12: Further e-mail to manufacturer asking about the current
            state of the reported security issue
2016-03-03: Test of the security vulnerability with the newer firmware
            version 11r2 sr9 where no DoS condition could be triggered
            anymore
2016-03-04: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] innovaphone IP222 product Web site
http://www.innovaphone.com/en/ip-telephony/ip-phones/ip222.html
[2] innovaphone IP232 product Web site
http://www.innovaphone.com/en/ip-telephony/ip-phones/ip232.html
[3] SySS Security Advisory SYSS-2015-053
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-053.txt
[4] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Alexander Brachmann of the
SySS GmbH.

E-Mail: alexander.brachmann (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Alexander_Brachmann.asc
Key fingerprint = 8E49 74AF 34A6 E600 E958 FB63 2E8E 1546 17DE CFFE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and
without warranty of any kind. Details of this security advisory may be updated
in order to provide as accurate information as possible. The latest version of
this security advisory is available on the SySS Web site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEAREKAAYFAlbZRTsACgkQLo4VRhfez/6SfACgn5/C92L79sVNEcAUBdSo6RZF
Sc4An07SEfFnu6Jyz9jL/bd9tHJ8t7Tj
=T67e
-----END PGP SIGNATURE-----