Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-disclosure] PocketPC MMS - Remote Code Injection/Execution Vul

from [Collin R. Mulliner] Network Security [Permanent Link]
Subject: Re: [Full-disclosure] PocketPC MMS - Remote Code Injection/Execution Vulnerability and Denial-of-Service
Date: Sun, 31 Dec 2006 13:08:10 +0100 
The proof-of-concept exploit was released at the 23rd Chaos
Communication Congress in Berlin, Germany

get the PoC and all required tools at: http://www.mulliner.org/pocketpc/

Collin

On Thu, 2006-08-10 at 11:28 -0700, Collin R. Mulliner wrote:

Vulnerability Report

-----------------------------

Vendor:       Microsoft and ArcSoft
Product:      PocketPC OS and MMS Composer
Version(s):   MMS Composer: 1.5.5.6, 2.0.0.13 (possible others)
Platform:     PocketPC (tested on: WinCE 4.2 and WinCE 4.21, possible
              others)
Architecture: ARM

Device(s): HP iPAQ h6315, i-mate PDA2k (OEM: HTC BlueAngle) (possible 
           others)

Application:        MMS User Agent (Inbox application)
Application binary: tmail.exe

-----------------------------

Reporter(s): Collin Mulliner <mulliner@cs.ucsb.edu> (technical contact)
             Prof. Giovanni Vigna <vigna@cs.ucsb.edu>

Affiliation:  Reliable Software Group, University of California Santa
Barbara

-----------------------------

Executive Summary:
 Multiple buffer overflows in MMS parsing code, allow 
 denial-of-service and REMOTE CODE INJECTION/EXECUTION via MMS.

-----------------------------

Disclosure Time Line:
 July 12. 2006 : Vulnerability Report to ArcSoft and Microsoft
 July 19. 2006 : Reply by ArcSoft and Microsoft
 Aug. 02. 2006 : Vendor Provides Bug Fix to OEMs
 Aug. 04. 2006 : Public Disclosure at DEFCON-14 

-----------------------------

BugFix:
 BugFix is awaiting approval by OEMs

-----------------------------

Brief Technical Details:

 1.0) UDP port 2948 open on all interfaces

  Devices accept WAPPush via UDP port 2948 on the wireless LAN (Wi-Fi)
  interface. This is unnecessary and can be used for Denial-of-Service 
  attacks.

 -----------------------------

 2.0) Multiple buffer overflows in MMS message parser

  MMS Message parts:

   2.1) M-Notification.ind
   2.2) M-Retrieve.conf (Header)
   2.3) M-Retrieve.conf (Body)
   2.4) SMIL parser (Message display function)

 -----------------------------

 2.1) Parser for M-Notification.ind

  Buffer overflows in handlers for the following header fields:

   1) TransactionID
   2) Subject
   3) ContentLocation

  Application crashes. Non-critical. Denial-of-Service attack possible. 
  Exploitable via UDP port 2948.
      
  Categorization: MEDIUM (denial-of-service via wireless LAN)

  Exploit: Proof-of-Concept available (DoS)

 -----------------------------

 2.2) Parser for M-Retrieve.conf (Header)

  Buffer overflows in handlers for the following header fields:

   1) Subject
   2) Content-Type (can overwrite return address on stack)
   3) start-info parameter of content-type

  Application crashes.
      
  Categorization: LOW (exploitation requires control of MMS 
                  infrastructure)

 -----------------------------

 2.3) Parser for M-Retrieve.conf (Body)

  Buffer overflows in handlers for the following body fields:

   Multi-Part Entry header:
    1) Content-Type
    2) Content-ID
    3) ContentLocation

  In all cases it is possible to overwrite the return address.
      
  Categorization: LOW (exploitation requires control of MMS 
                  infrastructure)

 -----------------------------

 2.4) Parser for SMIL (Message display function) 

  Transported in: M-Retrieve.conf body content

  Buffer overflows in handlers for the following parameters:

    1) ID parameter of REGION tag
      ID="CONTENT" CONTENT is copied into stack-based variable, CONTENT 
      can be arbitrary long. 

    2) REGION parameter of TEXT tag
      REGION="CONTENT" CONTENT is copied into stack-based variable, 
      CONTENT can be arbitrary long.

  Both overflows allow one to overwrite the return address on the 
  stack. Both are exploitable and we were able to create a 
  proof-of-concept exploit. The exploit is triggered by viewing the 
  malicious MMS message (this is different from other exploits that 
  require substantial user interaction -- e.g., to install a program).

  Overflow happens after 300 bytes in version 1.5.5.6 and after 400 
  bytes in version 2.0.0.13.

  Categorization: CRITICAL (REMOTE CODE EXECUTION)

  Exploit: Proof-of-Concept available (code execution)
      
-----------------------------
 
Related DEFCON-14 slides and Proof-of-Concept DoS tool are available
here:

 http://www.mulliner.org/pocketpc/



--
Collin R. Mulliner <collin@betaversion.net>
BETAVERSiON Systems [www.betaversion.net]
info/pgp: finger collin@betaversion.net
Forget object orientation!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Re: [Full-disclosure] PocketPC MMS - Remote Code Injection/Execution Vulnerability and Denial-of-Service, Collin R. Mulliner <=
Previous by Date:  Enigma WordPress Bridge (boarddir) Remote File Include, xorontr
Previous by Thread:  Enigma WordPress Bridge (boarddir) Remote File Include, xorontr
Indexes:  [Date] [Thread] [Top] [All Lists]