Re: PocketPC MMS - Remote Code Injection/Execution Vulnerability and Denial-of-Service

To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: PocketPC MMS - Remote Code Injection/Execution Vulnerability and Denial-of-Service
From: "Collin R. Mulliner" <collin@xxxxxxxxxxxxxxx>
Date: Sun, 31 Dec 2006 13:08:10 +0100
In-reply-to: <1155234498.18264.45.camel@panic>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: BETAVERSiON Systems
References: <1155234498.18264.45.camel@panic>

The proof-of-concept exploit was released at the 23rd Chaos
Communication Congress in Berlin, Germany

get the PoC and all required tools at: http://www.mulliner.org/pocketpc/

Collin

On Thu, 2006-08-10 at 11:28 -0700, Collin R. Mulliner wrote:
> Vulnerability Report
> 
> -----------------------------
> 
> Vendor:       Microsoft and ArcSoft
> Product:      PocketPC OS and MMS Composer
> Version(s):   MMS Composer: 1.5.5.6, 2.0.0.13 (possible others)
> Platform:     PocketPC (tested on: WinCE 4.2 and WinCE 4.21, possible
>               others)
> Architecture: ARM
> 
> Device(s): HP iPAQ h6315, i-mate PDA2k (OEM: HTC BlueAngle) (possible 
>            others)
> 
> Application:        MMS User Agent (Inbox application)
> Application binary: tmail.exe
> 
> -----------------------------
> 
> Reporter(s): Collin Mulliner <mulliner@xxxxxxxxxxx> (technical contact)
>              Prof. Giovanni Vigna <vigna@xxxxxxxxxxx>
> 
> Affiliation:  Reliable Software Group, University of California Santa
> Barbara
> 
> -----------------------------
> 
> Executive Summary:
>  Multiple buffer overflows in MMS parsing code, allow 
>  denial-of-service and REMOTE CODE INJECTION/EXECUTION via MMS.
> 
> -----------------------------
> 
> Disclosure Time Line:
>  July 12. 2006 : Vulnerability Report to ArcSoft and Microsoft
>  July 19. 2006 : Reply by ArcSoft and Microsoft
>  Aug. 02. 2006 : Vendor Provides Bug Fix to OEMs
>  Aug. 04. 2006 : Public Disclosure at DEFCON-14 
> 
> -----------------------------
> 
> BugFix:
>  BugFix is awaiting approval by OEMs
> 
> -----------------------------
> 
> Brief Technical Details:
> 
>  1.0) UDP port 2948 open on all interfaces
> 
>   Devices accept WAPPush via UDP port 2948 on the wireless LAN (Wi-Fi)
>   interface. This is unnecessary and can be used for Denial-of-Service 
>   attacks.
> 
>  -----------------------------
> 
>  2.0) Multiple buffer overflows in MMS message parser
> 
>   MMS Message parts:
> 
>    2.1) M-Notification.ind
>    2.2) M-Retrieve.conf (Header)
>    2.3) M-Retrieve.conf (Body)
>    2.4) SMIL parser (Message display function)
> 
>  -----------------------------
> 
>  2.1) Parser for M-Notification.ind
> 
>   Buffer overflows in handlers for the following header fields:
> 
>    1) TransactionID
>    2) Subject
>    3) ContentLocation
> 
>   Application crashes. Non-critical. Denial-of-Service attack possible. 
>   Exploitable via UDP port 2948.
>       
>   Categorization: MEDIUM (denial-of-service via wireless LAN)
> 
>   Exploit: Proof-of-Concept available (DoS)
> 
>  -----------------------------
> 
>  2.2) Parser for M-Retrieve.conf (Header)
> 
>   Buffer overflows in handlers for the following header fields:
> 
>    1) Subject
>    2) Content-Type (can overwrite return address on stack)
>    3) start-info parameter of content-type
> 
>   Application crashes.
>       
>   Categorization: LOW (exploitation requires control of MMS 
>                   infrastructure)
> 
>  -----------------------------
> 
>  2.3) Parser for M-Retrieve.conf (Body)
> 
>   Buffer overflows in handlers for the following body fields:
> 
>    Multi-Part Entry header:
>     1) Content-Type
>     2) Content-ID
>     3) ContentLocation
> 
>   In all cases it is possible to overwrite the return address.
>       
>   Categorization: LOW (exploitation requires control of MMS 
>                   infrastructure)
> 
>  -----------------------------
> 
>  2.4) Parser for SMIL (Message display function) 
> 
>   Transported in: M-Retrieve.conf body content
> 
>   Buffer overflows in handlers for the following parameters:
> 
>     1) ID parameter of REGION tag
>       ID="CONTENT" CONTENT is copied into stack-based variable, CONTENT 
>       can be arbitrary long. 
> 
>     2) REGION parameter of TEXT tag
>       REGION="CONTENT" CONTENT is copied into stack-based variable, 
>       CONTENT can be arbitrary long.
> 
>   Both overflows allow one to overwrite the return address on the 
>   stack. Both are exploitable and we were able to create a 
>   proof-of-concept exploit. The exploit is triggered by viewing the 
>   malicious MMS message (this is different from other exploits that 
>   require substantial user interaction -- e.g., to install a program).
> 
>   Overflow happens after 300 bytes in version 1.5.5.6 and after 400 
>   bytes in version 2.0.0.13.
> 
>   Categorization: CRITICAL (REMOTE CODE EXECUTION)
> 
>   Exploit: Proof-of-Concept available (code execution)
>       
> -----------------------------
>  
> Related DEFCON-14 slides and Proof-of-Concept DoS tool are available
> here:
> 
>  http://www.mulliner.org/pocketpc/
> 
> 
--
Collin R. Mulliner <collin@xxxxxxxxxxxxxxx>
BETAVERSiON Systems [www.betaversion.net]
info/pgp: finger collin@xxxxxxxxxxxxxxx
Forget object orientation!

References:
- PocketPC MMS - Remote Code Injection/Execution Vulnerability and Denial-of-Service
  - From: Collin R. Mulliner

Prev by Date: Spooky Login Multiple HTML Injection Vulnerability
Next by Date: Rediff Bol Downloader Allows Downloading and Spawning Arbitary Files
Previous by thread: PocketPC MMS - Remote Code Injection/Execution Vulnerability and Denial-of-Service
Next by thread: [ GLSA 200608-15 ] MIT Kerberos 5: Multiple local privilege escalation (test Falco for security@)
Index(es):
- Date
- Thread