Home page logo
/

bugtraq logo Bugtraq mailing list archives

Another thingy.
From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Thu, 28 Sep 2000 18:32:34 +0200

-- Standard disclaimer applies. I am speaking as a private person,
-- and doing it in completely informal way, which shouldn't be interpreted
-- in any other way but as my personal opinions and beliefs, which don't have
-- to be true.

Another thing to add to "commercial products security" thread. During
routine checks, we have discovered ugly security hole in awarded Siemens
HiNet LP5100 IP-phone. This problem has been, of course, reported to
vendor.

Another time, this problem is not related to Siemens - and I'm not trying
to depreciate their products - especially I've seen such really trivial
and obvious remote hole so many times (eg. in Novell Netware solutions -
the hole, in fact, was completely the same; numerous nasty holes were
found in WAP mobile phones made by Nokia; and so on). I still wonder when
major companies - especially if they haven't much to do with TCP/IP
internetworking security earlier - will learn to think about security.
Leaving such obvious holes is not a result of overlook, but lack of
interest. They are introducing more and more advanced, but everyday use
solutions, which make our lives even more dependent on networked
machines... If they won't learn it really quick, and if security will be
still ignored... well, guess: what the next Worm will attack?

Product: Siemens HiNet LP 5100 IP-phone

Service: http mini-administration service (on port 80); open on every
         IP-phone of this kind

Problem: it is vulnerable to buffer overflow in GET request; with large
         request size, it is possible to cause partial or complete crash
         of phone services; in general, requests between 100 and 300 bytes
         have unpredictable results; request above 500 bytes cause
         complete crash and will require power off / on.

Of course, except DoSing the phone, someone experienced with hardware
architecture and firmware of this machine, can try to exploit this
overflow. Even in protected LANs, it's at least alarming if any network
user can attack phone or even modify it's software (to intercept calls,
for example).

_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=


  By Date           By Thread  

Current thread:
  • Another thingy. Michal Zalewski (Sep 28)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]