Snom SIP phones (www.snom.com) have a builtin HTTP/HTTPS configuration interface, which is enabled by default.
By making a single HTTP POST request all available memory (and CPU) can be exhausted, resulting in a reboot of the phone. This even works if the HTTP/HTTPS interface is protected by username and password (probably the credentials are checked a few more lines later when the complete request has been received). Affected models: MP, 3XX, 7XX, 8XX (i didnt have any of the other models to test) Affected firmwares: latest stable, latest beta (most likely some others too) Workaround: Disable HTTP/HTTPS interface completely. Poc: dd if=/dev/zero bs=1M count=32 | curl http://IP_OF_PHONE <http://ip_of_phone/> --data-binary @- P.S. Just if you are wondering.... I did not notify the vendor about this. Almost two years ago i reported multiple vulnerabilities directly to the vendor (including the possibility to install arbitrary software on the device), but not much has changed since then. _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/