lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1155234498.18264.45.camel@panic>
Date: Thu, 10 Aug 2006 11:28:18 -0700
From: "Collin R. Mulliner" <collin@...aversion.net>
To: bugtraq@...urityfocus.com
Subject: PocketPC MMS - Remote Code Injection/Execution Vulnerability and
	Denial-of-Service

Vulnerability Report

-----------------------------

Vendor:       Microsoft and ArcSoft
Product:      PocketPC OS and MMS Composer
Version(s):   MMS Composer: 1.5.5.6, 2.0.0.13 (possible others)
Platform:     PocketPC (tested on: WinCE 4.2 and WinCE 4.21, possible
              others)
Architecture: ARM

Device(s): HP iPAQ h6315, i-mate PDA2k (OEM: HTC BlueAngle) (possible 
           others)

Application:        MMS User Agent (Inbox application)
Application binary: tmail.exe

-----------------------------

Reporter(s): Collin Mulliner <mulliner@...ucsb.edu> (technical contact)
             Prof. Giovanni Vigna <vigna@...ucsb.edu>

Affiliation:  Reliable Software Group, University of California Santa
Barbara

-----------------------------

Executive Summary:
 Multiple buffer overflows in MMS parsing code, allow 
 denial-of-service and REMOTE CODE INJECTION/EXECUTION via MMS.

-----------------------------

Disclosure Time Line:
 July 12. 2006 : Vulnerability Report to ArcSoft and Microsoft
 July 19. 2006 : Reply by ArcSoft and Microsoft
 Aug. 02. 2006 : Vendor Provides Bug Fix to OEMs
 Aug. 04. 2006 : Public Disclosure at DEFCON-14 

-----------------------------

BugFix:
 BugFix is awaiting approval by OEMs

-----------------------------

Brief Technical Details:

 1.0) UDP port 2948 open on all interfaces

  Devices accept WAPPush via UDP port 2948 on the wireless LAN (Wi-Fi)
  interface. This is unnecessary and can be used for Denial-of-Service 
  attacks.

 -----------------------------

 2.0) Multiple buffer overflows in MMS message parser

  MMS Message parts:

   2.1) M-Notification.ind
   2.2) M-Retrieve.conf (Header)
   2.3) M-Retrieve.conf (Body)
   2.4) SMIL parser (Message display function)

 -----------------------------

 2.1) Parser for M-Notification.ind

  Buffer overflows in handlers for the following header fields:

   1) TransactionID
   2) Subject
   3) ContentLocation

  Application crashes. Non-critical. Denial-of-Service attack possible. 
  Exploitable via UDP port 2948.
	
  Categorization: MEDIUM (denial-of-service via wireless LAN)

  Exploit: Proof-of-Concept available (DoS)

 -----------------------------

 2.2) Parser for M-Retrieve.conf (Header)

  Buffer overflows in handlers for the following header fields:

   1) Subject
   2) Content-Type (can overwrite return address on stack)
   3) start-info parameter of content-type

  Application crashes.
	
  Categorization: LOW (exploitation requires control of MMS 
                  infrastructure)

 -----------------------------

 2.3) Parser for M-Retrieve.conf (Body)

  Buffer overflows in handlers for the following body fields:

   Multi-Part Entry header:
    1) Content-Type
    2) Content-ID
    3) ContentLocation

  In all cases it is possible to overwrite the return address.
	
  Categorization: LOW (exploitation requires control of MMS 
                  infrastructure)

 -----------------------------

 2.4) Parser for SMIL (Message display function) 

  Transported in: M-Retrieve.conf body content

  Buffer overflows in handlers for the following parameters:

    1) ID parameter of REGION tag
      ID="CONTENT" CONTENT is copied into stack-based variable, CONTENT 
      can be arbitrary long. 

    2) REGION parameter of TEXT tag
      REGION="CONTENT" CONTENT is copied into stack-based variable, 
      CONTENT can be arbitrary long.

  Both overflows allow one to overwrite the return address on the 
  stack. Both are exploitable and we were able to create a 
  proof-of-concept exploit. The exploit is triggered by viewing the 
  malicious MMS message (this is different from other exploits that 
  require substantial user interaction -- e.g., to install a program).

  Overflow happens after 300 bytes in version 1.5.5.6 and after 400 
  bytes in version 2.0.0.13.

  Categorization: CRITICAL (REMOTE CODE EXECUTION)

  Exploit: Proof-of-Concept available (code execution)
	
-----------------------------
 
Related DEFCON-14 slides and Proof-of-Concept DoS tool are available
here:

 http://www.mulliner.org/pocketpc/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ