Vulnerability

    Siemens HiNet LP5100 IP-phone

Affected

    Siemens HiNet LP5100 IP-phone

Description

    Michal Zalewski found  following.  During  routine checks, he  has
    discovered  ugly  security  hole  in  awarded Siemens HiNet LP5100
    IP-phone.

    This problem  is not  related to  Siemens.   There is service http
    mini-administration service (on port  80); open on every  IP-phone
    of this kind.

    This product is vulnerable to buffer overflow in GET request; with
    large request size,  it is possible  to cause partial  or complete
    crash of phone services; in general, requests between 100 and  300
    bytes have  unpredictable results;  request above  500 bytes cause
    complete crash and will require power off / on.

    Of  course,  except  DoSing  the  phone,  someone experienced with
    hardware architecture  and firmware  of this  machine, can  try to
    exploit this  overflow.   Even in  protected LANs,  it's at  least
    alarming if any network user can attack phone or even modify  it's
    software (to intercept calls, for example).

Solution

    This problem has been, of course, reported to vendor.