Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Linksys WIP 330 VoIP wireless phone crash from Nmap scan
From: "Shawn Merdinger" <shawnmer () gmail com>
Date: Sat, 9 Dec 2006 13:09:51 -0800

Hi,

Yup, if one has the phone and cares to give free vendor QA that's a
tactic to consider.  As you know, determining the *exact* cause of the
crash can be a tricky thing.  For instance, the Milw0rm SYN flood
exploit that targeted port 80 on the Cisco 7940 seemed to hose the web
server, which then then crashed the phone -- but it was actually a
lower-level stack issue.

http://www.cisco.com/warp/public/707/cisco-response-20060113-ip-phones.shtml

Also, since we're talking about a VoIP device here, getting into some
of the more opensource VOIP-specific tools available can also be
tricky determining the root-cause, especially from different manners
of tool runs and packet sequences.  For example, from the the Asteroid
SIP DoS tool README at
http://infiltrated.net/asteroid/asteroidv1.tar.gz

<snip>

Anyhow, I have found that by sending a certain sequence of these
packets, in a certain order, servers react differently. Sometimes it
will crash faster, sometimes more extensions are subscribe, etc, etc.
I will not post any sequencing until vendors have patched their
programs against this lame attack but, I will release the packet
samples I've been working with.

</snip>

Thanks,
--scm

On 12/9/06, Collin R. Mulliner <collin () betaversion net> wrote:
what about doing some investigation? Like figuring out which protocol
and port the crash relates to. Then send some "random" stuff to that
port and see what happens. You could find some real interesting stuff...

see http://www.mulliner.org/pocketpc/

Collin

On Wed, 2006-12-06 at 10:40 -0800, Shawn Merdinger wrote:
Vulnerability Description
==================
The Linksys WIP 330 VoIP wireless phone will crash when a full
port-range Nmap scan is run against its IP address.


Linksys WIP 330 Firmware Version
==========================
1.00.06A


Nmap scan command
================
nmap -P0 <WIP 330 ip address> -p 1-65535


Impact
=====
The crash is only after Nmap has finished. The Nmap scan also seems to
disrupt updating of the display as the clock is not updated. The crash
appears related to PhoneCtl.exe running on the phone's Windows CE 4.2
operating system.

Screenshot of the crash: http://www.flickr.com/photos/metalmijn/295348294/


Credit
====
Credit for discovering this vulnerability goes to Armijn Hemel

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--
Collin R. Mulliner <collin () betaversion net>
BETAVERSiON Systems [www.betaversion.net]
info/pgp: finger collin () betaversion net
USS Enterprise Bumperstricker: Our other starship separates into 3
pieces!



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault