-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                                @stake, Inc.
                              www.atstake.com

                             Security Advisory

Advisory Name: Pingtel Xpressa Denial of Service
 Release Date: 09-13-2004
       Device: Xpressa phone (Model PX-1)
     Firmware: Core Apps: 2.1.11.24 Kernel: 2.1.11.24
     Severity: An attacker can cause the phone to fail.  A power
               cycle is required to restore functionality.
    Author(s): James Vaughan <jdv@atstake.com>
Vendor Status: Vendor has halted sales of device
CVE Candidate: CVE Candidate number applied for
    Reference: www.atstake.com/research/advisories/2004/a091304-2.txt


Overview:


Pingtel Corp. (http://www.pingtel.com/) is a leading independent
vendor of Session Initiation Protocol (SIP) products.  One of
Pingtel's flagship products was the Xpressa SIP desktop phone.  In
August, 2004 Pingtel ceased selling the Xpressa phone

@stake has discovered a vulnerability in the HTTP management
interface of the phone.  This could be used by an attack to deny
service to the handset by crashing the underlying VxWorks
operating system. 
   
  
Details:

The Pingtel Xpressa handset can be administered over a variety of
interfaces (console, telnet and http).  A vulnerability exists in
the HTTP server which enables a remote authenticated attack to
cause the underlying VxWorks operating system to stop.  A request
of the form:

GET /<buffer>/cgi/application.cgi HTTP/1.0
Authorization: Basic [base64authstring]

Where <buffer> is a string of 260 uppercase A will trigger the
DoS condition.

This issue has the potential for further exploitation within the
context of the VxWorks operating system.  However, this was not
investigated further due to the closed nature of the PingTel device.
Note that Pingtel is open sourcing the underlying software shortly.

Vendor Response:

09-08-2004 @stake attempts vendor contacted via email
09-10-2004 @stake re-attempts vendor contacted via email
09-10-2004 Vendor responds that sales of device halted
09-13-2004 Advisory released


email to @stake from Pingtel:

"Pingtel will no longer market the xpressa desktop IP phone. Pingtel
will continue to sell its industry leading SIP Softphone, and will
continue to support its existing xpressa desktop phone customers who
are on an active Warranty or Maintenance Plans."


Recommendation:

The threat of this vulnerability can be mitigated by disabling the
HTTP management interface on the Xpressa handset.

More|Apps|Prefs|myxpressa web|<enter password>|

and unchecking "Enable Web Server".  This change requires you to
reboot your phone.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned 
the following names to these issues.  These are candidates for 
inclusion in the CVE list (http://cve.mitre.org), which standardizes 
names for security problems.

  CAN-2004-XXXX PingTel Xpressa Denial of Service


@stake Vulnerability Reporting Policy: 
http://www.atstake.com/research/policy/

@stake Advisory Archive: 
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

Copyright 2004 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQUXnyke9kNIfAm4yEQKQ+ACfba3yL2wtwN3ma3SL/rsLXEJEz1AAoNSw
lmdWLNMqScQ3QOT3z2rr5Qlg
=wSEZ
-----END PGP SIGNATURE-----