Vulnerability Report

-----------------------------

Vendor:       Microsoft and ArcSoft
Product:      PocketPC OS and MMS Composer
Version(s):   MMS Composer: 1.5.5.6, 2.0.0.13 (possible others)
Platform:     PocketPC (tested on: WinCE 4.2 and WinCE 4.21, possible
              others)
Architecture: ARM

Device(s): HP iPAQ h6315, i-mate PDA2k (OEM: HTC BlueAngle) (possible 
           others)

Application:        MMS User Agent (Inbox application)
Application binary: tmail.exe

-----------------------------

Reporter(s): Collin Mulliner <mulliner@cs.ucsb.edu> (technical contact)
             Prof. Giovanni Vigna <vigna@cs.ucsb.edu>

Affiliation:  Reliable Software Group, University of California Santa
Barbara

-----------------------------

Executive Summary:
 Multiple buffer overflows in MMS parsing code, allow 
 denial-of-service and REMOTE CODE INJECTION/EXECUTION via MMS.

-----------------------------

Disclosure Time Line:
 July 12. 2006 : Vulnerability Report to ArcSoft and Microsoft
 July 19. 2006 : Reply by ArcSoft and Microsoft
 Aug. 02. 2006 : Vendor Provides Bug Fix to OEMs
 Aug. 04. 2006 : Public Disclosure at DEFCON-14 

-----------------------------

BugFix:
 BugFix is awaiting approval by OEMs

-----------------------------

Brief Technical Details:

 1.0) UDP port 2948 open on all interfaces

  Devices accept WAPPush via UDP port 2948 on the wireless LAN (Wi-Fi)
  interface. This is unnecessary and can be used for Denial-of-Service 
  attacks.

 -----------------------------

 2.0) Multiple buffer overflows in MMS message parser

  MMS Message parts:

   2.1) M-Notification.ind
   2.2) M-Retrieve.conf (Header)
   2.3) M-Retrieve.conf (Body)
   2.4) SMIL parser (Message display function)

 -----------------------------

 2.1) Parser for M-Notification.ind

  Buffer overflows in handlers for the following header fields:

   1) TransactionID
   2) Subject
   3) ContentLocation

  Application crashes. Non-critical. Denial-of-Service attack possible. 
  Exploitable via UDP port 2948.
  
  Categorization: MEDIUM (denial-of-service via wireless LAN)

  Exploit: Proof-of-Concept available (DoS)

 -----------------------------

 2.2) Parser for M-Retrieve.conf (Header)

  Buffer overflows in handlers for the following header fields:

   1) Subject
   2) Content-Type (can overwrite return address on stack)
   3) start-info parameter of content-type

  Application crashes.
  
  Categorization: LOW (exploitation requires control of MMS 
                  infrastructure)

 -----------------------------

 2.3) Parser for M-Retrieve.conf (Body)

  Buffer overflows in handlers for the following body fields:

   Multi-Part Entry header:
    1) Content-Type
    2) Content-ID
    3) ContentLocation

  In all cases it is possible to overwrite the return address.
  
  Categorization: LOW (exploitation requires control of MMS 
                  infrastructure)

 -----------------------------

 2.4) Parser for SMIL (Message display function) 

  Transported in: M-Retrieve.conf body content

  Buffer overflows in handlers for the following parameters:

    1) ID parameter of REGION tag
      ID="CONTENT" CONTENT is copied into stack-based variable, CONTENT 
      can be arbitrary long. 

    2) REGION parameter of TEXT tag
      REGION="CONTENT" CONTENT is copied into stack-based variable, 
      CONTENT can be arbitrary long.

  Both overflows allow one to overwrite the return address on the 
  stack. Both are exploitable and we were able to create a 
  proof-of-concept exploit. The exploit is triggered by viewing the 
  malicious MMS message (this is different from other exploits that 
  require substantial user interaction -- e.g., to install a program).

  Overflow happens after 300 bytes in version 1.5.5.6 and after 400 
  bytes in version 2.0.0.13.

  Categorization: CRITICAL (REMOTE CODE EXECUTION)

  Exploit: Proof-of-Concept available (code execution)
  
-----------------------------
 
Related DEFCON-14 slides and Proof-of-Concept DoS tool are available
here:

 http://www.mulliner.org/pocketpc/