exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

MMS Notification Obfuscation

MMS Notification Obfuscation
Posted Sep 11, 2009
Authored by c0rnholio

Multiple smartphones suffer from a MMS notification sender obfuscation vulnerability.

tags | exploit
SHA-256 | 9b72cd06b397840847cce9cb396cdf66d2cc9ed0580d3fa3d798c5dddd61ea23

MMS Notification Obfuscation

Change Mirror Download
Security Advisory: Multiple Smartphones MMS Notification Sender Obfuscation
---------------------------------------------------------------------------

Discovered by: Michael Mueller a.k.a. c0rnholio
Contact: c0rnholio on domain netcologne.de
Advisory Homepage: http://www.silentservices.de/adv04-2009.html
Vendor Status: not contacted
Fixes / Workarounds: none known
Discovery Date: June, 2008
Public Disclosure: 11.09.2009

Description:
------------
A MMS Notification is part of the MMS communication flow. Usually an
originator sends and mms via a service provider (SP). After uploading the
message to the SP, the recipient gets a MMS notification from the SP with
information like originator, subject and URL of the content. In some mobile
carrier networks it is allowed to send MMS notifications directly from one
mobile unit to another.

Some Smartphones fail to properly display the originator of this kind of
message which leads to a sender obfuscation.

Impact:
-------
This attack can be used in combination with social engineering to mislead
the recipient to access the resource specified in the content URL of the MMS
notification message. If the receiving device MMS client is configured
improperly this could lead to automatically download whatever content is
specified in the content URL. MMS clients which do not allow access to
content URLs other that the providers MMS proxy should be safe from the
content, but are still vulnerable to the sender obfuscation.

In addition this attack can be used to send spam and hate SMS.


Tested Devices:
---------------
The following devices have been tested and found vulnerable for this kind of
attack:
It is very likely that other devices and vendors are also vulnerable to this
attack.

- Blackberry (Tested on BB 8800, Firmware: 4.5.0.37)
The BlackBerry fails device fails to properly display the originating number
and displays whatever information is defined in the originator and the
subject field of the MMS notification.

- Windows Mobile (Tested on WM5, WM6, WM6.1, WM6.5)
A Windows Mobile driven device fails to properly display the originating
number and displays whatever information is defined in the originator and
the subject field of the MMS notification.

- Sony Ericsson W890i, W810i
The Sony Ericsson W890i and W810i device fails to properly display the
correct originating number and displays whatever information is defined in
the originator and the subject field of the MMS notification.


PoC:
----
The following PDU can be sent to an affected device:

UDH: 05 04 0b 84 23 f0
Message:
7c 06 03 be af 84 8c 82 98 31 32 33 34 00 8d 90 89 0e 80 45 76 69 6c 20 48
34 78 30 72 00 96 67 6f 74 20 72 30 30 74 3f 00 8a 80 8e 01 56 88 05 81 03
09 3a 80 83 63 68 65 63 6b 20 79 6f 75 72 20 6d 6d 73 20 63 6c 69 65 6e 74

The above PDU will display as follows (example on Windows Mobile target):

Sender: Evil H4x0r
Subject: got r00t?

Use pduspy to send it. In addition HushSMS Version 1.0 will be available
soon for Windows Mobile devices for further tests.





Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    0 Files
  • 9
    Sep 9th
    0 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close