Rootsecure.net
The Security News Site For Systems Administrators & Hackers Friday, 24th October 2014 @ 19:00:41 GMT 
Reports | Grandstream BudgeTone-100 series VOIP SIP Phone multiple DOS vulnerabilities
{23rd Mar 2004}
Known to be affected: Two Grandstream BudgeTone 102 phones running firmware version (latest).

The vendor has verified issue 2 only (the affected software versions were not stated) and is currently working on a fix (02/02/04).

The Grandstream BudgeTone-100 series are voice over internet protocol telephones supporting the widely used SIP standard, at an "ultra-affordable price".

Two separate vulnerabilities have been identified, each of which requires the phone to be power cycled to resume normal operation.
  • Issue 1 - Sending an incomplete SIP request on port 5060 causes the phone to make "electronic" noises and the screen display to become corrupt before locking up.
  • Issue 2 - Connecting to port 80 over UDP causes the phone to lock up in its current state.
Perl 'proof of concept' code is available.
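
One way to screen traffic in front of the phone until fixed firmware is available, as an added example (not the advisory's Perl code or the vendor's fix): it drops UDP datagrams to port 80 and messages on UDP 5060 that fail basic RFC 3261 completeness checks. The advisory does not say what makes a request "incomplete", so the checks chosen, the UDP transport for port 5060, and the names `sip_problem` and `verdict` are assumptions.

```python
import re

# RFC 3261 8.1.1 mandatory request headers, minus Max-Forwards (added for requests below).
MANDATORY = {"to", "from", "cseq", "call-id", "via"}
COMPACT = {"t": "to", "f": "from", "i": "call-id", "v": "via", "l": "content-length"}
REQUEST_LINE = re.compile(rb"[A-Z]+ \S+ SIP/2\.0")
STATUS_LINE = re.compile(rb"SIP/2\.0 \d{3} .*")

def sip_problem(datagram: bytes):
    """Return None for a structurally complete SIP message, else a reason string."""
    head, sep, body = datagram.partition(b"\r\n\r\n")
    if not sep:
        return "headers not terminated by a blank line"
    lines = head.split(b"\r\n")
    is_request = bool(REQUEST_LINE.fullmatch(lines[0]))
    if not (is_request or STATUS_LINE.fullmatch(lines[0])):
        return "malformed start line"
    headers = {}
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):  # folded continuation of the previous header
            continue
        name, colon, value = line.partition(b":")
        if not colon:
            return "header line without a colon"
        key = name.strip().lower().decode("ascii", "replace")
        headers[COMPACT.get(key, key)] = value.strip()
    required = MANDATORY | ({"max-forwards"} if is_request else set())
    missing = required - set(headers)
    if missing:
        return "missing headers: " + ", ".join(sorted(missing))
    length = headers.get("content-length", b"0")
    if not length.isdigit() or int(length) > len(body):
        return "Content-Length invalid or larger than the body received"
    return None

def verdict(proto: str, dst_port: int, payload: bytes) -> str:
    """What a gateway in front of the phone does with one inbound packet."""
    if proto == "udp" and dst_port == 80:
        return "drop: UDP to port 80 (issue 2)"
    problem = sip_problem(payload) if (proto, dst_port) == ("udp", 5060) else None
    return f"drop: incomplete SIP message (issue 1): {problem}" if problem else "forward"

# Constructed sample request; addresses are documentation ranges, not from the advisory.
COMPLETE = (b"OPTIONS sip:100@192.0.2.10 SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.1:5060\r\n"
            b"Max-Forwards: 70\r\nTo: <sip:100@192.0.2.10>\r\nFrom: <sip:gw@192.0.2.1>;tag=1\r\n"
            b"Call-ID: constructed-1\r\nCSeq: 1 OPTIONS\r\nContent-Length: 0\r\n\r\n")
if __name__ == "__main__":
    for pkt in (("udp", 5060, COMPLETE), ("udp", 5060, COMPLETE[:60]), ("udp", 80, b"")):
        print(verdict(*pkt))
```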

Phones tested were running:

Firmware version came pre-loaded when purchased, version believed to be the latest stable release is only vulnerable to issue 2.
[Vendor website]