From: Michal Zalewski
Subject: Another thingy.
To: BUGTRAQ@SECURITYFOCUS.COM

-- Standard disclaimer applies. I am speaking as a private person,
-- and doing it in a completely informal way, which shouldn't be interpreted
-- in any other way but as my personal opinions and beliefs, which don't have
-- to be true.

Another thing to add to the "commercial products security" thread.

During routine checks, we have discovered an ugly security hole in the award-winning Siemens HiNet LP5100 IP-phone. This problem has, of course, been reported to the vendor.

Again, this problem is not specific to Siemens - and I'm not trying to disparage their products - especially since I've seen such really trivial and obvious remote holes so many times (e.g. in Novell Netware solutions - the hole, in fact, was exactly the same; numerous nasty holes were found in WAP mobile phones made by Nokia; and so on). I still wonder when major companies - especially those that haven't had much to do with TCP/IP internetworking security before - will learn to think about security. Leaving such obvious holes is not the result of an oversight, but of a lack of interest. They are introducing more and more advanced, everyday-use solutions, which make our lives even more dependent on networked machines... If they don't learn it really quickly, and if security continues to be ignored... well, guess: what will the next Worm attack?

Product: Siemens HiNet LP 5100 IP-phone

Service: http mini-administration service (on port 80); open on every IP-phone of this kind

Problem: it is vulnerable to a buffer overflow in the GET request; with a large request size, it is possible to cause a partial or complete crash of phone services. In general, requests between 100 and 300 bytes have unpredictable results; requests above 500 bytes cause a complete crash and will require a power off / on. Of course, apart from DoSing the phone, someone experienced with the hardware architecture and firmware of this machine could try to exploit this overflow.

Even in protected LANs, it's at least alarming if any network user can attack a phone or even modify its software (to intercept calls, for example).

_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
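The class of bug described above (a fixed-size buffer filled from an HTTP request line of attacker-controlled length) is avoided by bounding every copy by the buffer's capacity and rejecting the request before any fixed buffer is touched. The following is an added example written for this post; it is not Siemens firmware code and says nothing about how the LP5100's mini-administration service is actually written. The limits MAX_REQ_LINE and MAX_PATH, the function name parse_get_path and the result codes are assumptions chosen for illustration.

```c
/* Added example, not code from the original post or from Siemens: a bounded
 * request-line parser of the kind an embedded mini-admin HTTP service should
 * use. Every read and write is limited by an explicit length; the request
 * size is checked before any fixed buffer is filled. All limits are assumed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_REQ_LINE 256   /* assumed hard cap on an accepted request line */
#define MAX_PATH     128   /* assumed capacity of the fixed path buffer   */

/* Result codes mirror the HTTP status the service would send back. */
enum parse_result { REQ_OK = 0, REQ_BAD = 400, REQ_TOO_LONG = 414 };

/* Extract the path from a "GET <path> HTTP/1.x" request line into a
 * caller-supplied buffer of path_cap bytes. raw_len is the number of bytes
 * actually received from the socket, so the parser never reads past it. */
enum parse_result parse_get_path(const char *raw, size_t raw_len,
                                 char *path_out, size_t path_cap)
{
    /* Oversized requests are refused up front, before any parsing. */
    if (raw_len > MAX_REQ_LINE)
        return REQ_TOO_LONG;

    /* Find the end of the first line without looking beyond raw_len. */
    const char *nl = memchr(raw, '\n', raw_len);
    size_t line_len = nl ? (size_t)(nl - raw) : raw_len;
    if (line_len > 0 && raw[line_len - 1] == '\r')
        line_len--;

    /* Need at least "GET x". */
    if (line_len < 5 || memcmp(raw, "GET ", 4) != 0)
        return REQ_BAD;

    const char *p = raw + 4;
    const char *line_end = raw + line_len;
    const char *sp = memchr(p, ' ', (size_t)(line_end - p));
    size_t path_len = sp ? (size_t)(sp - p) : (size_t)(line_end - p);

    if (path_len == 0)
        return REQ_BAD;
    if (path_len >= path_cap)      /* leave room for the terminating NUL */
        return REQ_TOO_LONG;

    memcpy(path_out, p, path_len); /* bounded copy: path_len < path_cap */
    path_out[path_len] = '\0';
    return REQ_OK;
}

int main(void)
{
    /* Constructed sample requests: a normal one and an oversized one. */
    char path[MAX_PATH];
    const char *ok_req = "GET /index.html HTTP/1.0\r\n";
    char big_req[600];
    memset(big_req, 'A', sizeof big_req);

    printf("normal request  -> %d (%s)\n",
           parse_get_path(ok_req, strlen(ok_req), path, sizeof path), path);
    printf("600-byte request -> %d\n",
           parse_get_path(big_req, sizeof big_req, path, sizeof path));
    return 0;
}
```

The two checks that matter are the early `raw_len > MAX_REQ_LINE` refusal and the `path_len >= path_cap` test before `memcpy`; with both in place a request of any size can only produce a 414, never a write past the end of `path_out`.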