Hello, I'll just leave this here ;) https://www.sec-consult.com/files/SEC_Consult_Vulnerability_Lab_Pwning_Symbian_V1.03_PUBLIC.pdf Abstract: 1. Perform static analysis of XIP ROM images (dumping, restoring import and export tables, searching for unsafe function calls) 2. Enable run mode debugging of system binaries running from ROM, by cracking the AppTRK debug agent 3. (Ab-)use the AppTRK debug agent as a foundation for dynamic vulnerability analysis 3. Build an exemplary file fuzzer for the video- and audio codecs shipped with current Nokia smartphones 4. List and briefly analyze the identified bugs 5. Discuss further ideas and concepts, such as jailbreak shellcode, and an IRC bot trojan for Symbian We aim to show that it is possible to find and exploit bugs on Symbian smartphones, even in preinstalled system applications, without having access to special development hardware, and that exploits and worms similar to those found on desktop systems may be possible on Symbian. The bugs listed in this paper have been sent to Nokia and are currently under review. Mobile phone manufacturers should be aware that remote vulnerabilities of the kind discussed in this paper could be used in targeted attacks to remotely compromise a smartphone (track GPS, turn on mic, etc.), or as a means of propagation for mobile network worms. -- _________________________________________ Bernhard Mueller Security Consultant SEC Consult Unternehmensberatung GmbH www.sec-consult.com A-1190 Vienna, Mooslackengasse 17 phone +43 1 8903043 34 fax +43 1 8903043 15 mobile +43 676 840301 718 email b.mueller@xxxxxxxxxxxxxxx Firmenbuch Wiener Neustadt: 227896t, UID: ATU56165223 Firmensitz: Prof. Dr. Stephan Korenstraße 10, A-2700 Wiener Neustadt Advisor for your information security.
