BugTraq
PocketPC MMS - Remote Code Injection/Execution Vulnerability andDenial-of-Service Aug 10 2006 06:28PM
Collin R. Mulliner (collin betaversion net) (1 replies)
Vulnerability Report

-----------------------------

Vendor: Microsoft and ArcSoft
Product: PocketPC OS and MMS Composer
Version(s): MMS Composer: 1.5.5.6, 2.0.0.13 (possible others)
Platform: PocketPC (tested on: WinCE 4.2 and WinCE 4.21, possible
others)
Architecture: ARM

Device(s): HP iPAQ h6315, i-mate PDA2k (OEM: HTC BlueAngle) (possible
others)

Application: MMS User Agent (Inbox application)
Application binary: tmail.exe

-----------------------------

Reporter(s): Collin Mulliner <mulliner (at) cs.ucsb (dot) edu [email concealed]> (technical contact)
Prof. Giovanni Vigna <vigna (at) cs.ucsb (dot) edu [email concealed]>

Affiliation: Reliable Software Group, University of California Santa
Barbara

-----------------------------

Executive Summary:
Multiple buffer overflows in MMS parsing code, allow
denial-of-service and REMOTE CODE INJECTION/EXECUTION via MMS.

-----------------------------

Disclosure Time Line:
July 12. 2006 : Vulnerability Report to ArcSoft and Microsoft
July 19. 2006 : Reply by ArcSoft and Microsoft
Aug. 02. 2006 : Vendor Provides Bug Fix to OEMs
Aug. 04. 2006 : Public Disclosure at DEFCON-14

-----------------------------

BugFix:
BugFix is awaiting approval by OEMs

-----------------------------

Brief Technical Details:

1.0) UDP port 2948 open on all interfaces

Devices accept WAPPush via UDP port 2948 on the wireless LAN (Wi-Fi)
interface. This is unnecessary and can be used for Denial-of-Service
attacks.

-----------------------------

2.0) Multiple buffer overflows in MMS message parser

MMS Message parts:

2.1) M-Notification.ind
2.2) M-Retrieve.conf (Header)
2.3) M-Retrieve.conf (Body)
2.4) SMIL parser (Message display function)

-----------------------------

2.1) Parser for M-Notification.ind

Buffer overflows in handlers for the following header fields:

1) TransactionID
2) Subject
3) ContentLocation

Application crashes. Non-critical. Denial-of-Service attack possible.
Exploitable via UDP port 2948.

Categorization: MEDIUM (denial-of-service via wireless LAN)

Exploit: Proof-of-Concept available (DoS)

-----------------------------

2.2) Parser for M-Retrieve.conf (Header)

Buffer overflows in handlers for the following header fields:

1) Subject
2) Content-Type (can overwrite return address on stack)
3) start-info parameter of content-type

Application crashes.

Categorization: LOW (exploitation requires control of MMS
infrastructure)

-----------------------------

2.3) Parser for M-Retrieve.conf (Body)

Buffer overflows in handlers for the following body fields:

Multi-Part Entry header:
1) Content-Type
2) Content-ID
3) ContentLocation

In all cases it is possible to overwrite the return address.

Categorization: LOW (exploitation requires control of MMS
infrastructure)

-----------------------------

2.4) Parser for SMIL (Message display function)

Transported in: M-Retrieve.conf body content

Buffer overflows in handlers for the following parameters:

1) ID parameter of REGION tag
ID="CONTENT" CONTENT is copied into stack-based variable, CONTENT
can be arbitrary long.

2) REGION parameter of TEXT tag
REGION="CONTENT" CONTENT is copied into stack-based variable,
CONTENT can be arbitrary long.

Both overflows allow one to overwrite the return address on the
stack. Both are exploitable and we were able to create a
proof-of-concept exploit. The exploit is triggered by viewing the
malicious MMS message (this is different from other exploits that
require substantial user interaction -- e.g., to install a program).

Overflow happens after 300 bytes in version 1.5.5.6 and after 400
bytes in version 2.0.0.13.

Categorization: CRITICAL (REMOTE CODE EXECUTION)

Exploit: Proof-of-Concept available (code execution)

-----------------------------

Related DEFCON-14 slides and Proof-of-Concept DoS tool are available
here:

http://www.mulliner.org/pocketpc/

[ reply ]
Re: PocketPC MMS - Remote Code Injection/Execution Vulnerabilityand Denial-of-Service Dec 31 2006 12:08PM
Collin R. Mulliner (collin betaversion net)


 

Privacy Statement
Copyright 2010, SecurityFocus