________________________________
ïÔ: Collin R. Mulliner [mailto:collin@xxxxxxxxxxxxxxx]
ïÔÐÒÁ×ÌÅÎÏ: ÷Ó, 31.12.2006 15:08
ëÏÍÕ: bugtraq@xxxxxxxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxxx
ôÅÍÁ: Re: PocketPC MMS - Remote Code Injection/Execution Vulnerabilityand
Denial-of-Service
The proof-of-concept exploit was released at the 23rd Chaos
Communication Congress in Berlin, Germany
get the PoC and all required tools at: http://www.mulliner.org/pocketpc/
Collin
On Thu, 2006-08-10 at 11:28 -0700, Collin R. Mulliner wrote:
> Vulnerability Report
>
> -----------------------------
>
> Vendor: Microsoft and ArcSoft
> Product: PocketPC OS and MMS Composer
> Version(s): MMS Composer: 1.5.5.6, 2.0.0.13 (possible others)
> Platform: PocketPC (tested on: WinCE 4.2 and WinCE 4.21, possible
> others)
> Architecture: ARM
>
> Device(s): HP iPAQ h6315, i-mate PDA2k (OEM: HTC BlueAngle) (possible
> others)
>
> Application: MMS User Agent (Inbox application)
> Application binary: tmail.exe
>
> -----------------------------
>
> Reporter(s): Collin Mulliner <mulliner@xxxxxxxxxxx> (technical contact)
> Prof. Giovanni Vigna <vigna@xxxxxxxxxxx>
>
> Affiliation: Reliable Software Group, University of California Santa
> Barbara
>
> -----------------------------
>
> Executive Summary:
> Multiple buffer overflows in MMS parsing code, allow
> denial-of-service and REMOTE CODE INJECTION/EXECUTION via MMS.
>
> -----------------------------
>
> Disclosure Time Line:
> July 12. 2006 : Vulnerability Report to ArcSoft and Microsoft
> July 19. 2006 : Reply by ArcSoft and Microsoft
> Aug. 02. 2006 : Vendor Provides Bug Fix to OEMs
> Aug. 04. 2006 : Public Disclosure at DEFCON-14
>
> -----------------------------
>
> BugFix:
> BugFix is awaiting approval by OEMs
>
> -----------------------------
>
> Brief Technical Details:
>
> 1.0) UDP port 2948 open on all interfaces
>
> Devices accept WAPPush via UDP port 2948 on the wireless LAN (Wi-Fi)
> interface. This is unnecessary and can be used for Denial-of-Service
> attacks.
>
> -----------------------------
>
> 2.0) Multiple buffer overflows in MMS message parser
>
> MMS Message parts:
>
> 2.1) M-Notification.ind
> 2.2) M-Retrieve.conf (Header)
> 2.3) M-Retrieve.conf (Body)
> 2.4) SMIL parser (Message display function)
>
> -----------------------------
>
> 2.1) Parser for M-Notification.ind
>
> Buffer overflows in handlers for the following header fields:
>
> 1) TransactionID
> 2) Subject
> 3) ContentLocation
>
> Application crashes. Non-critical. Denial-of-Service attack possible.
> Exploitable via UDP port 2948.
>
> Categorization: MEDIUM (denial-of-service via wireless LAN)
>
> Exploit: Proof-of-Concept available (DoS)
>
> -----------------------------
>
> 2.2) Parser for M-Retrieve.conf (Header)
>
> Buffer overflows in handlers for the following header fields:
>
> 1) Subject
> 2) Content-Type (can overwrite return address on stack)
> 3) start-info parameter of content-type
>
> Application crashes.
>
> Categorization: LOW (exploitation requires control of MMS
> infrastructure)
>
> -----------------------------
>
> 2.3) Parser for M-Retrieve.conf (Body)
>
> Buffer overflows in handlers for the following body fields:
>
> Multi-Part Entry header:
> 1) Content-Type
> 2) Content-ID
> 3) ContentLocation
>
> In all cases it is possible to overwrite the return address.
>
> Categorization: LOW (exploitation requires control of MMS
> infrastructure)
>
> -----------------------------
>
> 2.4) Parser for SMIL (Message display function)
>
> Transported in: M-Retrieve.conf body content
>
> Buffer overflows in handlers for the following parameters:
>
> 1) ID parameter of REGION tag
> ID="CONTENT" CONTENT is copied into stack-based variable, CONTENT
> can be arbitrary long.
>
> 2) REGION parameter of TEXT tag
> REGION="CONTENT" CONTENT is copied into stack-based variable,
> CONTENT can be arbitrary long.
>
> Both overflows allow one to overwrite the return address on the
> stack. Both are exploitable and we were able to create a
> proof-of-concept exploit. The exploit is triggered by viewing the
> malicious MMS message (this is different from other exploits that
> require substantial user interaction -- e.g., to install a program).
>
> Overflow happens after 300 bytes in version 1.5.5.6 and after 400
> bytes in version 2.0.0.13.
>
> Categorization: CRITICAL (REMOTE CODE EXECUTION)
>
> Exploit: Proof-of-Concept available (code execution)
>
> -----------------------------
>
> Related DEFCON-14 slides and Proof-of-Concept DoS tool are available
> here:
>
> http://www.mulliner.org/pocketpc/
>
>
--
Collin R. Mulliner <collin@xxxxxxxxxxxxxxx>
BETAVERSiON Systems [www.betaversion.net]
info/pgp: finger collin@xxxxxxxxxxxxxxx
Forget object orientation!