ðòïåëôù 


  áòèé÷ 


Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

  óôáôøé 


  ðåòóïîáìøîïå 


  ðòïçòáííù 



ðéûéôå
ðéóøíá














     áòèé÷ :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] >>: PocketPC MMS - Remote Code Injection/Execution Vulnerabilityand Denial-of-Service



 

________________________________

ïÔ: Collin R. Mulliner [mailto:collin@xxxxxxxxxxxxxxx]
ïÔÐÒÁ×ÌÅÎÏ: ÷Ó, 31.12.2006 15:08
ëÏÍÕ: bugtraq@xxxxxxxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxxx
ôÅÍÁ: Re: PocketPC MMS - Remote Code Injection/Execution Vulnerabilityand 
Denial-of-Service



The proof-of-concept exploit was released at the 23rd Chaos
Communication Congress in Berlin, Germany

get the PoC and all required tools at: http://www.mulliner.org/pocketpc/

Collin

On Thu, 2006-08-10 at 11:28 -0700, Collin R. Mulliner wrote:
> Vulnerability Report
>
> -----------------------------
>
> Vendor:       Microsoft and ArcSoft
> Product:      PocketPC OS and MMS Composer
> Version(s):   MMS Composer: 1.5.5.6, 2.0.0.13 (possible others)
> Platform:     PocketPC (tested on: WinCE 4.2 and WinCE 4.21, possible
>               others)
> Architecture: ARM
>
> Device(s): HP iPAQ h6315, i-mate PDA2k (OEM: HTC BlueAngle) (possible
>            others)
>
> Application:        MMS User Agent (Inbox application)
> Application binary: tmail.exe
>
> -----------------------------
>
> Reporter(s): Collin Mulliner <mulliner@xxxxxxxxxxx> (technical contact)
>              Prof. Giovanni Vigna <vigna@xxxxxxxxxxx>
>
> Affiliation:  Reliable Software Group, University of California Santa
> Barbara
>
> -----------------------------
>
> Executive Summary:
>  Multiple buffer overflows in MMS parsing code, allow
>  denial-of-service and REMOTE CODE INJECTION/EXECUTION via MMS.
>
> -----------------------------
>
> Disclosure Time Line:
>  July 12. 2006 : Vulnerability Report to ArcSoft and Microsoft
>  July 19. 2006 : Reply by ArcSoft and Microsoft
>  Aug. 02. 2006 : Vendor Provides Bug Fix to OEMs
>  Aug. 04. 2006 : Public Disclosure at DEFCON-14
>
> -----------------------------
>
> BugFix:
>  BugFix is awaiting approval by OEMs
>
> -----------------------------
>
> Brief Technical Details:
>
>  1.0) UDP port 2948 open on all interfaces
>
>   Devices accept WAPPush via UDP port 2948 on the wireless LAN (Wi-Fi)
>   interface. This is unnecessary and can be used for Denial-of-Service
>   attacks.
>
>  -----------------------------
>
>  2.0) Multiple buffer overflows in MMS message parser
>
>   MMS Message parts:
>
>    2.1) M-Notification.ind
>    2.2) M-Retrieve.conf (Header)
>    2.3) M-Retrieve.conf (Body)
>    2.4) SMIL parser (Message display function)
>
>  -----------------------------
>
>  2.1) Parser for M-Notification.ind
>
>   Buffer overflows in handlers for the following header fields:
>
>    1) TransactionID
>    2) Subject
>    3) ContentLocation
>
>   Application crashes. Non-critical. Denial-of-Service attack possible.
>   Exploitable via UDP port 2948.
>      
>   Categorization: MEDIUM (denial-of-service via wireless LAN)
>
>   Exploit: Proof-of-Concept available (DoS)
>
>  -----------------------------
>
>  2.2) Parser for M-Retrieve.conf (Header)
>
>   Buffer overflows in handlers for the following header fields:
>
>    1) Subject
>    2) Content-Type (can overwrite return address on stack)
>    3) start-info parameter of content-type
>
>   Application crashes.
>      
>   Categorization: LOW (exploitation requires control of MMS
>                   infrastructure)
>
>  -----------------------------
>
>  2.3) Parser for M-Retrieve.conf (Body)
>
>   Buffer overflows in handlers for the following body fields:
>
>    Multi-Part Entry header:
>     1) Content-Type
>     2) Content-ID
>     3) ContentLocation
>
>   In all cases it is possible to overwrite the return address.
>      
>   Categorization: LOW (exploitation requires control of MMS
>                   infrastructure)
>
>  -----------------------------
>
>  2.4) Parser for SMIL (Message display function)
>
>   Transported in: M-Retrieve.conf body content
>
>   Buffer overflows in handlers for the following parameters:
>
>     1) ID parameter of REGION tag
>       ID="CONTENT" CONTENT is copied into stack-based variable, CONTENT
>       can be arbitrary long.
>
>     2) REGION parameter of TEXT tag
>       REGION="CONTENT" CONTENT is copied into stack-based variable,
>       CONTENT can be arbitrary long.
>
>   Both overflows allow one to overwrite the return address on the
>   stack. Both are exploitable and we were able to create a
>   proof-of-concept exploit. The exploit is triggered by viewing the
>   malicious MMS message (this is different from other exploits that
>   require substantial user interaction -- e.g., to install a program).
>
>   Overflow happens after 300 bytes in version 1.5.5.6 and after 400
>   bytes in version 2.0.0.13.
>
>   Categorization: CRITICAL (REMOTE CODE EXECUTION)
>
>   Exploit: Proof-of-Concept available (code execution)
>      
> -----------------------------
> 
> Related DEFCON-14 slides and Proof-of-Concept DoS tool are available
> here:
>
>  http://www.mulliner.org/pocketpc/
>
>
--
Collin R. Mulliner <collin@xxxxxxxxxxxxxxx>
BETAVERSiON Systems [www.betaversion.net]
info/pgp: finger collin@xxxxxxxxxxxxxxx
Forget object orientation!






 




Copyright © Lexa Software, 1996-2009.