HTC HyTN using Windows Mobile 5 PPC and AGEPhone SIP soft phone are vulnerable to malformed SIP message

Overview

AGEPhone installed on Pocket PC running Windows Mobile 5 operating system is vulnerable to specially crafted malformed SIP message sent over WLAN connection potentially causing currently active call to get disconnected. Additionally, phone’s operating system may freeze in some cases.

Impact

Successful exploitation of this vulnerability during an active call drops the call and may freeze the operating system. Operating system may also freeze when this malformed message is sent to the phone after user hangs up a legitimate call. The later case has more impact since the phone freezes without the user’s knowledge unless he/she tries to use the phone. User cannot make or receive calls unless the phone is rebooted.

Description

AGEPhone, which is a popular SIP client for Windows Mobile 5 pocket PC operating system, is vulnerable to malformed SIP header. An attacker can send a specially crafted SIP message with a malformed header which causes the AGEPhone soft phone to exit abnormally and may also cause operating system freeze in some phones. This malformed message may cause the audio for currently active call to vanish. If the operating system freezes, the only way to recover from this state is to reboot the phone.

Solution

AGEPhone SIP parser implementation should be patched to check header for malformed headers. A deep packet inspection device can also be used to detect and drop malformed SIP messages before passing them to the phone.

Vendor Response:

ageet Corporation: The vulnerability has been fixed in AGEphone version 1.62 which was released on 16/03/2007 on the vendor's page: http://www.ageet.com/us/download.htm. Users are advised to update to version 1.62 or later.

Microsoft: Windows Mobile code is not vulnerable

For more information on any of these threat advisories, please email Sipera VIPER Lab at viper@sipera.com