exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

pocketpc.txt

pocketpc.txt
Posted Aug 27, 2006
Authored by Collin Mulliner, Prof. Giovanni Vigna

MMS composer versions 1.5.5.6 and 2.0.0.13 suffer from multiple buffer overflows in the MMS parsing code allowing for arbitrary code execution and denial of service conditions.

tags | advisory, denial of service, overflow, arbitrary, code execution
SHA-256 | 85797acd23078e7a0402ffbedbb3a17a3a05d8df947fd121802d1fb83dc94927

pocketpc.txt

Change Mirror Download
Vulnerability Report

-----------------------------

Vendor: Microsoft and ArcSoft
Product: PocketPC OS and MMS Composer
Version(s): MMS Composer: 1.5.5.6, 2.0.0.13 (possible others)
Platform: PocketPC (tested on: WinCE 4.2 and WinCE 4.21, possible
others)
Architecture: ARM

Device(s): HP iPAQ h6315, i-mate PDA2k (OEM: HTC BlueAngle) (possible
others)

Application: MMS User Agent (Inbox application)
Application binary: tmail.exe

-----------------------------

Reporter(s): Collin Mulliner <mulliner@cs.ucsb.edu> (technical contact)
Prof. Giovanni Vigna <vigna@cs.ucsb.edu>

Affiliation: Reliable Software Group, University of California Santa
Barbara

-----------------------------

Executive Summary:
Multiple buffer overflows in MMS parsing code, allow
denial-of-service and REMOTE CODE INJECTION/EXECUTION via MMS.

-----------------------------

Disclosure Time Line:
July 12. 2006 : Vulnerability Report to ArcSoft and Microsoft
July 19. 2006 : Reply by ArcSoft and Microsoft
Aug. 02. 2006 : Vendor Provides Bug Fix to OEMs
Aug. 04. 2006 : Public Disclosure at DEFCON-14

-----------------------------

BugFix:
BugFix is awaiting approval by OEMs

-----------------------------

Brief Technical Details:

1.0) UDP port 2948 open on all interfaces

Devices accept WAPPush via UDP port 2948 on the wireless LAN (Wi-Fi)
interface. This is unnecessary and can be used for Denial-of-Service
attacks.

-----------------------------

2.0) Multiple buffer overflows in MMS message parser

MMS Message parts:

2.1) M-Notification.ind
2.2) M-Retrieve.conf (Header)
2.3) M-Retrieve.conf (Body)
2.4) SMIL parser (Message display function)

-----------------------------

2.1) Parser for M-Notification.ind

Buffer overflows in handlers for the following header fields:

1) TransactionID
2) Subject
3) ContentLocation

Application crashes. Non-critical. Denial-of-Service attack possible.
Exploitable via UDP port 2948.

Categorization: MEDIUM (denial-of-service via wireless LAN)

Exploit: Proof-of-Concept available (DoS)

-----------------------------

2.2) Parser for M-Retrieve.conf (Header)

Buffer overflows in handlers for the following header fields:

1) Subject
2) Content-Type (can overwrite return address on stack)
3) start-info parameter of content-type

Application crashes.

Categorization: LOW (exploitation requires control of MMS
infrastructure)

-----------------------------

2.3) Parser for M-Retrieve.conf (Body)

Buffer overflows in handlers for the following body fields:

Multi-Part Entry header:
1) Content-Type
2) Content-ID
3) ContentLocation

In all cases it is possible to overwrite the return address.

Categorization: LOW (exploitation requires control of MMS
infrastructure)

-----------------------------

2.4) Parser for SMIL (Message display function)

Transported in: M-Retrieve.conf body content

Buffer overflows in handlers for the following parameters:

1) ID parameter of REGION tag
ID="CONTENT" CONTENT is copied into stack-based variable, CONTENT
can be arbitrary long.

2) REGION parameter of TEXT tag
REGION="CONTENT" CONTENT is copied into stack-based variable,
CONTENT can be arbitrary long.

Both overflows allow one to overwrite the return address on the
stack. Both are exploitable and we were able to create a
proof-of-concept exploit. The exploit is triggered by viewing the
malicious MMS message (this is different from other exploits that
require substantial user interaction -- e.g., to install a program).

Overflow happens after 300 bytes in version 1.5.5.6 and after 400
bytes in version 2.0.0.13.

Categorization: CRITICAL (REMOTE CODE EXECUTION)

Exploit: Proof-of-Concept available (code execution)

-----------------------------

Related DEFCON-14 slides and Proof-of-Concept DoS tool are available
here:

http://www.mulliner.org/pocketpc/


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close