
siemens.ipphone.txt

Posted Sep 28, 2000
Authored by Michal Zalewski

The Siemens HiNet LP 5100 IP-phone is vulnerable to a buffer overflow when the GET request method is used with a large request size. The vulnerability can lead to a partial or complete crash of phone services.

tags | exploit, overflow
SHA-256 | c2c3fa55e9b3b0ea73526601681a57f6551de6e2ac82d72450d780945bdf8d14

From: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
Subject: Another thingy.
To: BUGTRAQ@SECURITYFOCUS.COM

-- Standard disclaimer applies. I am speaking as a private person,
-- and doing it in completely informal way, which shouldn't be interpreted
-- in any other way but as my personal opinions and beliefs, which don't have
-- to be true.

Another thing to add to "commercial products security" thread. During
routine checks, we have discovered ugly security hole in awarded Siemens
HiNet LP5100 IP-phone. This problem has been, of course, reported to
vendor.

Another time, this problem is not related to Siemens - and I'm not trying
to depreciate their products - especially I've seen such really trivial
and obvious remote hole so many times (eg. in Novell Netware solutions -
the hole, in fact, was completely the same; numerous nasty holes were
found in WAP mobile phones made by Nokia; and so on). I still wonder when
major companies - especially if they haven't much to do with TCP/IP
internetworking security earlier - will learn to think about security.
Leaving such obvious holes is not a result of overlook, but lack of
interest. They are introducing more and more advanced, but everyday use
solutions, which make our lives even more dependent on networked
machines... If they won't learn it really quick, and if security will be
still ignored... well, guess: what the next Worm will attack?

Product: Siemens HiNet LP 5100 IP-phone

Service: http mini-administration service (on port 80); open on every
IP-phone of this kind

Problem: it is vulnerable to buffer overflow in GET request; with large
request size, it is possible to cause partial or complete crash
of phone services; in general, requests between 100 and 300 bytes
have unpredictable results; requests above 500 bytes cause
complete crash and will require power off / on.

Of course, except DoSing the phone, someone experienced with hardware
architecture and firmware of this machine, can try to exploit this
overflow. Even in protected LANs, it's at least alarming if any network
user can attack phone or even modify its software (to intercept calls,
for example).

_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
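
The class of bug reported above (an embedded HTTP service copying an over-long GET request into a fixed buffer) is avoided by checking every length before copying and rejecting oversize requests. The following is an added example, not code from the advisory or from the Siemens firmware; `parse_get_line`, `REQ_LINE_MAX` and the status enum are hypothetical names, and the 96-byte cap is an assumed value.

```c
#include <stdio.h>
#include <string.h>

/* Assumed cap for this sketch; the advisory does not give the phone's buffer size. */
#define REQ_LINE_MAX 96

enum req_status { REQ_OK = 200, REQ_BAD = 400, REQ_URI_TOO_LONG = 414 };

/* Parse "GET <path> HTTP/x.y\r\n" from len received bytes into path (capacity cap).
 * Every length is checked before anything is copied; oversize input is rejected,
 * never truncated, and path is left as an empty string on any failure. */
enum req_status parse_get_line(const char *buf, size_t len, char *path, size_t cap)
{
    const char *eol, *sp;
    size_t line_len, path_len;

    if (cap == 0) return REQ_BAD;
    path[0] = '\0';

    /* Search for the line end only inside the bytes actually received. */
    eol = memchr(buf, '\n', len);
    line_len = eol ? (size_t)(eol - buf) : len;
    if (line_len > REQ_LINE_MAX) return REQ_URI_TOO_LONG;
    if (eol == NULL) return REQ_BAD;              /* incomplete request line */
    if (line_len > 0 && buf[line_len - 1] == '\r') line_len--;

    if (line_len < 5 || memcmp(buf, "GET ", 4) != 0) return REQ_BAD;
    buf += 4;
    line_len -= 4;

    /* The path ends at the next space, or at end of line for HTTP/0.9 style. */
    sp = memchr(buf, ' ', line_len);
    path_len = sp ? (size_t)(sp - buf) : line_len;
    if (buf[0] != '/') return REQ_BAD;
    if (path_len >= cap) return REQ_URI_TOO_LONG;  /* need room for the NUL */

    memcpy(path, buf, path_len);
    path[path_len] = '\0';
    return REQ_OK;
}

int main(void)
{
    const char req[] = "GET /index.html HTTP/1.0\r\n";  /* constructed sample */
    char path[32];
    int rc = parse_get_line(req, sizeof req - 1, path, sizeof path);
    printf("%d %s\n", rc, path);
    return 0;
}
```

The caller is expected to answer `REQ_URI_TOO_LONG` with a 414 response and close the connection rather than keep reading into the same buffer.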