Grandstream Budge Tone 101/102 DoS Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Grandstream Budge Tone 101/102 DoS Vulnerability
From: Kroma Pierre <kroma@xxxxxxx>
Date: Fri, 12 Aug 2005 14:27:05 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: SySS GmbH

- -------------------------------------------------------------------
SySS-Advisory: Grandstream Budge Tone 101/102 DoS Vulnerability
- -------------------------------------------------------------------

Problem discovered:             July    20th 2005
Vendor contacted:               July    21th 2005
Advisory will published on:     August  12th 2005

AUTHOR:         Pierre Kroma (kroma@xxxxxxx)
                SySS GmbH
                72070 Tuebingen / Germany
                Tel.: +49-7071-407856-0
Key fingerprint = 927A B13E 16F5 BBAB 8F17 75EB D8E1 A9A4 F257 4EEC

DEVICE:                 Grandstream Budge Tone-101
                        Grandstream Budge Tone-102
AFFECTED VERSIONS:      perhaps all(?) <= 1.0.6.7 (firmware 1.0.6.7 tested)

EXPLOIT:                attached
VENDOR STATUS:          informed
SEVERITY:               medium
Remotely exploitable:   yes

DESCRIPTION:
It is possible to initiate a D.o.S attack against this voip
(hardware-)phone. If you send an UDP packet greater than 65534 bytes 
to port 5060 the device stops working:

- any active telephone call will be aborted.
- the display will show nothing / display freeze.
- the integrated HTTP-server won't be reachable any more.

To solve the problem, you must switch the phone off and on again.

If you send a packet of exactly 65534 bytes the device may reboot.
Smaller packets have no effect.

############################################################################
EXAMPLE:
Grandstream BT101/BT102 DoS
written by pierre kroma (kroma@xxxxxxx)

ping the remote device xxx.xxx.xxx.xxx
PING xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 56(84) bytes of data.
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=1 ttl=250 time=0.479 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=2 ttl=250 time=0.406 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=3 ttl=250 time=0.404 ms

--- xxx.xxx.xxx.xxx ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.404/0.429/0.479/0.042 ms

Wait ...

ping the remote device xxx.xxx.xxx.xxx again
PING xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 56(84) bytes of data.

--- xxx.xxx.xxx.xxx ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms
############################################################################

Attachment: grandstream-DoS.pl
Description: Perl program

Attachment: pgpW7Wwlt4ssc.pgp
Description: PGP signature

Prev by Date: Bluetooth: Theft of Link Keys for Fun and Profit?
Next by Date: [USN-168-1] Gaim vulnerabilities
Previous by thread: Bluetooth: Theft of Link Keys for Fun and Profit?
Next by thread: [USN-168-1] Gaim vulnerabilities
Index(es):
- Date
- Thread