Snom SIP phones have a built-in HTTP/HTTPS configuration
interface, which is enabled by default.

By making a single HTTP POST request all available memory (and CPU) can be
exhausted, resulting in a reboot of the phone.
This even works if the HTTP/HTTPS interface is protected by username and
password (probably the credentials are checked a few more lines later when
the complete request has been received).

Affected models: MP, 3XX, 7XX, 8XX (I didn't have any of the other models to
Affected firmwares: latest stable, latest beta (most likely some others too)
Workaround: Disable HTTP/HTTPS interface completely.


dd if=/dev/zero bs=1M count=32 | curl http://IP_OF_PHONE --data-binary @-

P.S. Just in case you are wondering: I did not notify the vendor about this.
Almost two years ago I reported multiple vulnerabilities directly to the
vendor (including the possibility to install arbitrary software on the
device), but not much has changed since then.

Sent through the Full Disclosure mailing list
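
The post guesses that the body is received in full before the credentials are checked. As an added example (not from the original post and not Snom firmware code), this Python code shows the server-side ordering that avoids that: authenticate and bound Content-Length from the headers alone, then read no more than a fixed cap. The 64 KiB cap, the credentials, the lower-cased header dict and all function names are assumptions.

```python
import base64
import hmac
import io

MAX_BODY = 64 * 1024                      # assumed cap for a settings form
CREDS = b"admin:constructed-password"     # constructed sample credentials

def precheck(method, headers):
    """Decide from the headers alone, before any body byte is read.
    `headers` is a dict with lower-cased names. 200 means 'go on'."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    try:
        supplied = base64.b64decode(token, validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        supplied = b""
    if scheme.lower() != "basic" or not hmac.compare_digest(supplied, CREDS):
        return 401                        # reject first: no body is buffered
    if method != "POST":
        return 200
    length = headers.get("content-length", "")
    if "transfer-encoding" in headers or not (length.isascii() and length.isdigit()):
        return 411                        # body size must be declared up front
    return 413 if int(length) > MAX_BODY else 200

def read_body(stream, length):
    """Read at most min(length, MAX_BODY) bytes in 4 KiB chunks."""
    remaining, chunks = min(length, MAX_BODY), []
    while remaining:
        chunk = stream.read(min(4096, remaining))
        if not chunk:                     # peer closed early
            break
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)

def handle(method, headers, stream):
    """Return (status, body bytes consumed) for one request."""
    status = precheck(method, headers)
    if status != 200 or method != "POST":
        return status, 0                  # caller closes the connection
    return status, len(read_body(stream, int(headers["content-length"])))

if __name__ == "__main__":
    flood = io.BytesIO(bytes(1 << 20))    # constructed stand-in for a large POST body
    print(handle("POST", {"content-length": str(32 << 20)}, flood), flood.tell())
```

With this ordering an unauthenticated request is answered from its headers and the stream position stays at 0, so memory use per connection is bounded by `MAX_BODY` regardless of what the client sends.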