Linksys WIP 330 VoIP wireless phone crash from Nmap scan

2006.12.11

Credit: Shawn Merdinger (shawnmer gmail com)

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2006-6411

CWE: CWE-Other

CVSS Base Score: 7.8/10

Impact Subscore: 6.9/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: None

Integrity impact: None

Availability impact: Complete

Vulnerability Description
==================
The Linksys WIP 330 VoIP wireless phone will crash when a full
port-range Nmap scan is run against its IP address.
Linksys WIP 330 Firmware Version
==========================
1.00.06A
Nmap scan command
================
nmap -P0 <WIP 330 ip address> -p 1-65535
Impact
=====
The crash is only after Nmap has finished. The Nmap scan also seems to
disrupt updating of the display as the clock is not updated. The crash
appears related to PhoneCtl.exe running on the phone's Windows CE 4.2
operating system.
Screenshot of the crash: http://www.flickr.com/photos/metalmijn/295348294/
Credit
====
Credit for discovering this vulnerability goes to Armijn Hemel

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Linksys WIP 330 VoIP wireless phone crash from Nmap scan

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.