The proof-of-concept exploit was released at the 23rd Chaos Communication Congress in Berlin, Germany. Get the PoC and all required tools at:

http://www.mulliner.org/pocketpc/

Collin

On Thu, 2006-08-10 at 11:28 -0700, Collin R. Mulliner wrote:
> Vulnerability Report
>
> -----------------------------
>
> Vendor: Microsoft and ArcSoft
> Product: PocketPC OS and MMS Composer
> Version(s): MMS Composer: 1.5.5.6, 2.0.0.13 (possibly others)
> Platform: PocketPC (tested on: WinCE 4.2 and WinCE 4.21, possibly others)
> Architecture: ARM
>
> Device(s): HP iPAQ h6315, i-mate PDA2k (OEM: HTC BlueAngle) (possibly others)
>
> Application: MMS User Agent (Inbox application)
> Application binary: tmail.exe
>
> -----------------------------
>
> Reporter(s): Collin Mulliner <mulliner@xxxxxxxxxxx> (technical contact)
> Prof. Giovanni Vigna <vigna@xxxxxxxxxxx>
>
> Affiliation: Reliable Software Group, University of California Santa Barbara
>
> -----------------------------
>
> Executive Summary:
> Multiple buffer overflows in MMS parsing code allow
> denial-of-service and REMOTE CODE INJECTION/EXECUTION via MMS.
>
> -----------------------------
>
> Disclosure Time Line:
> July 12, 2006 : Vulnerability Report to ArcSoft and Microsoft
> July 19, 2006 : Reply by ArcSoft and Microsoft
> Aug. 02, 2006 : Vendor Provides Bug Fix to OEMs
> Aug. 04, 2006 : Public Disclosure at DEFCON-14
>
> -----------------------------
>
> BugFix:
> BugFix is awaiting approval by OEMs
>
> -----------------------------
>
> Brief Technical Details:
>
> 1.0) UDP port 2948 open on all interfaces
>
> Devices accept WAPPush via UDP port 2948 on the wireless LAN (Wi-Fi)
> interface. This is unnecessary and can be used for Denial-of-Service
> attacks.
>
> -----------------------------
>
> 2.0) Multiple buffer overflows in MMS message parser
>
> MMS Message parts:
>
> 2.1) M-Notification.ind
> 2.2) M-Retrieve.conf (Header)
> 2.3) M-Retrieve.conf (Body)
> 2.4) SMIL parser (Message display function)
>
> -----------------------------
>
> 2.1) Parser for M-Notification.ind
>
> Buffer overflows in handlers for the following header fields:
>
> 1) TransactionID
> 2) Subject
> 3) ContentLocation
>
> Application crashes. Non-critical. Denial-of-Service attack possible.
> Exploitable via UDP port 2948.
>
> Categorization: MEDIUM (denial-of-service via wireless LAN)
>
> Exploit: Proof-of-Concept available (DoS)
>
> -----------------------------
>
> 2.2) Parser for M-Retrieve.conf (Header)
>
> Buffer overflows in handlers for the following header fields:
>
> 1) Subject
> 2) Content-Type (can overwrite return address on stack)
> 3) start-info parameter of content-type
>
> Application crashes.
>
> Categorization: LOW (exploitation requires control of MMS
> infrastructure)
>
> -----------------------------
>
> 2.3) Parser for M-Retrieve.conf (Body)
>
> Buffer overflows in handlers for the following body fields:
>
> Multi-Part Entry header:
> 1) Content-Type
> 2) Content-ID
> 3) ContentLocation
>
> In all cases it is possible to overwrite the return address.
>
> Categorization: LOW (exploitation requires control of MMS
> infrastructure)
>
> -----------------------------
>
> 2.4) Parser for SMIL (Message display function)
>
> Transported in: M-Retrieve.conf body content
>
> Buffer overflows in handlers for the following parameters:
>
> 1) ID parameter of REGION tag
> ID="CONTENT": CONTENT is copied into a stack-based variable; CONTENT
> can be arbitrarily long.
>
> 2) REGION parameter of TEXT tag
> REGION="CONTENT": CONTENT is copied into a stack-based variable;
> CONTENT can be arbitrarily long.
>
> Both overflows allow one to overwrite the return address on the
> stack. Both are exploitable and we were able to create a
> proof-of-concept exploit. The exploit is triggered by viewing the
> malicious MMS message (this is different from other exploits that
> require substantial user interaction -- e.g., to install a program).
>
> Overflow happens after 300 bytes in version 1.5.5.6 and after 400
> bytes in version 2.0.0.13.
>
> Categorization: CRITICAL (REMOTE CODE EXECUTION)
>
> Exploit: Proof-of-Concept available (code execution)
>
> -----------------------------
>
> Related DEFCON-14 slides and Proof-of-Concept DoS tool are available
> here:
>
> http://www.mulliner.org/pocketpc/
>

--
Collin R. Mulliner <collin@xxxxxxxxxxxxxxx>
BETAVERSiON Systems [www.betaversion.net]
info/pgp: finger collin@xxxxxxxxxxxxxxx
Forget object orientation!