exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

innovaphone IP222 UDP Denial Of Service

innovaphone IP222 UDP Denial Of Service
Posted Mar 24, 2016
Authored by Sven Freund | Site syss.de

The innovaphone IP222 offers different protocols, like H.323 or SIP, to fulfil the various requirements. The discovered vulnerability was found in the protocol SIP/UDP. Therefore a specially crafted SIP request to the open 5060/UDP port causes a denial of service condition by crashing the innovaphone IP222 phone immediately. Remote code execution via this security vulnerability may also be possible, but was not confirmed by the SySS GmbH.

tags | exploit, remote, denial of service, udp, code execution, protocol
SHA-256 | cfc0d7614928d7e4d648a995ef8fdeb119a75e0ac44cc1cd7ece00e5e46a6931

innovaphone IP222 UDP Denial Of Service

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-016
Product: innovaphone IP222
Manufacturer: innovaphone AG
Affected Version(s): 11r2 sr9
Tested Version(s): 11r2 sr9
Vulnerability Type: Improper Input Validation (CWE-20)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2016-03-04
Solution Date: Unknown
Public Disclosure: 2016-03-24
CVE Reference: Not yet assigned
Author of Advisory: Sven Freund (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The innovaphone IP222 is a Voice over IP telephone solution, which
provides many communication functionalities, for instance, announcement
function, password protected administration via web browser (HTTPS),
multiple registration up to six users at the same time and many other
features.

The manufacturer innovaphone AG describes the product as follows
(see [1]):

"The IP222 telephone unites a very modern design with groundbreaking
technological details. It belongs to the innovaphone product family that
won the popular 'red dot award: product design'."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The innovaphone IP222 offers different protocols, like H.323 or SIP, to
fulfil the various requirements. The discovered vulnerability was found
in the protocol SIP/UDP. Therefore a specially crafted SIP request to
the open 5060/UDP port causes a denial of service condition by crashing
the innovaphone IP222 phone immediately. Remote code execution via this
security vulnerability may also be possible, but was not confirmed by
the SySS GmbH.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The SySS GmbH developed a proof-of-concept software tool for crashing
the innovaphone IP222 with a specially crafted SIP request by causing a
buffer overflow.

sip = (method +" sip:105@" + server + " SIP/2.0\r\n"
"To: <sip:" + server + ":5060>\r\n"
"Via: SIP/2.0/UDP " + <ATTACK> + " xxx;x:5060;branch=z9hG4bK00003510
00001\r\n"
"From: \x22xtestsip\x22<sip:" + server + "@dude>\r\n"
"Call-ID: 1@dude\r\n"
"CSeq: 1 " + method + "\r\n"
"Content-Length: 0\r\n\r\n")

The variable <ATTACK> must be replaced by a string which contains at
least 3878 characters. After transmitting this SIP request to the
innovaphone IP222, the VoIP phone will crash and restart immediately.
Remote code execution via this security vulnerability may also be
possible, but was not confirmed by the SySS GmbH.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to information by the innovaphone AG, the described security
issue has been fixed in software version v12r1 / v11r2sr11 / v10sr32.

Please contact the manufacturer for further information or support.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-03-04: Vulnerability reported to manufacturer
2016-03-09: Manufacturer acknowledges e-mail with SySS security advisory
and described the security issue as fixed
2016-03-24: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Web Site for innovaphone IP222
https://www.innovaphone.com/en/ip-telefonie/ip-telefone/ip222.html
[2] SySS Security Advisory SYSS-2016-016
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-016.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sven Freund of the SySS GmbH.

E-Mail: sven.freund (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Sven_Freund.asc
Key fingerprint = DCDB 7627 C1E3 9CE8 62DF 2666 8A5F A853 415D 46DC

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCgAGBQJW86Z+AAoJEIpfqFNBXUbc2K8IAKmkXeBy3Bjv9bsm2wV3k+dv
+P3ZkUKnPL3cLq35oQMfBZnrkDsE5w45bVPtnhILfi+XrXIm19ntCVZpVt1q5jLH
XTxARgETAhUwTvPsoqEbLqUoqrbqIUGQd9lxca8aMX1RdAUdx7WuVHunjpgFxpIv
mccHTebYgGzE3aWuBFhnm2+RYK7kWIZf/X/F20ohk6kUfOA8HMAj4tSn9wxuR8Gv
2dCcONVlOzMZAucaQ/2LJhTHxwP52hbpFPNsZFXy5yKg7UtVIQ2fUohZgqSGWtsJ
1BZAIET+PYGkWxGxHj/a+Apl5kPOO/7Nu272FuZKr0gZcKZaqgwK1RcH/LJg5Go=
=g9z7
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    0 Files
  • 9
    Sep 9th
    0 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close