[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Another thingy.
From:       Michal Zalewski <lcamtuf () DIONE ! IDS ! PL>
Date:       2000-09-28 16:32:34
[Download RAW message or body]

-- Standard disclaimer applies. I am speaking as a private person,
-- and doing it in completely informal way, which shouldn't be interpreted
-- in any other way but as my personal opinions and beliefs, which don't have
-- to be true.

Another thing to add to "commercial products security" thread. During
routine checks, we have discovered ugly security hole in awarded Siemens
HiNet LP5100 IP-phone. This problem has been, of course, reported to
vendor.

Another time, this problem is not related to Siemens - and I'm not trying
to depreciate their products - especially I've seen such really trivial
and obvious remote hole so many times (eg. in Novell Netware solutions -
the hole, in fact, was completely the same; numerous nasty holes were
found in WAP mobile phones made by Nokia; and so on). I still wonder when
major companies - especially if they haven't much to do with TCP/IP
internetworking security earlier - will learn to think about security.
Leaving such obvious holes is not a result of overlook, but lack of
interest. They are introducing more and more advanced, but everyday use
solutions, which make our lives even more dependent on networked
machines... If they won't learn it really quick, and if security will be
still ignored... well, guess: what the next Worm will attack?

Product: Siemens HiNet LP 5100 IP-phone

Service: http mini-administration service (on port 80); open on every
         IP-phone of this kind

Problem: it is vulnerable to buffer overflow in GET request; with large
         request size, it is possible to cause partial or complete crash
         of phone services; in general, requests between 100 and 300 bytes
         have unpredictable results; request above 500 bytes cause
         complete crash and will require power off / on.

Of course, except DoSing the phone, someone experienced with hardware
architecture and firmware of this machine, can try to exploit this
overflow. Even in protected LANs, it's at least alarming if any network
user can attack phone or even modify it's software (to intercept calls,
for example).

_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=

[prev in list] [next in list] [prev in thread] [next in thread]