
Windows Mobile 6.1 / 6.5 Denial Of Service
Posted Oct 22, 2010
Authored by Celil Unuver

Windows Mobile versions 6.1 and 6.5 suffer from a double free denial of service.

tags | exploit, denial of service
systems | windows
MD5 | 8d3e8f20bb50ef934646c26e88310766

Vendor: Microsoft
Product: Windows Mobile (6.1 and 6.5)
Vulnerability: Double Free Denial of Service
Tested vulnerable versions: Windows Mobile 6.1 and 6.5
Tested on : HTC Touch (WM 6.1), HTC Touch2 (WM 6.5)
CREDITS: Celil Ünüver from SecurityArchitect.Org
CONTACT: celilunuver[n0sp4m]gmail.com

Vulnerability Details and Analysis:

The vulnerability is a double free. It occurs when multiple buffers are allocated to handle a very large Name (N) field in a vCard (.vcf) file; such a file can be received over MMS or Bluetooth.
Opening the malformed .vcf file produces an error dialog; the application then frees the buffers and crashes:

pimutil.dll:

.text:02B73DE0 sub_2B73DE0 ; CODE XREF: sub_2B74388+1Cp
.text:02B73DE0 STMFD SP!, {R4,LR}
.text:02B73DE4 MOV R4, R0
.text:02B73DE8 LDR R2, [R4,#0xC]
.text:02B73DEC LDR R3, =off_2B66DB8
.text:02B73DF0 CMP R2, #0
.text:02B73DF4 LDRNE R0, [R4,#8]
.text:02B73DF8 STR R3, [R4]
.text:02B73DFC BLNE sub_2BA6350
.text:02B73E00 LDR R0, [R4,#8]
.text:02B73E04 BL sub_2BA56F8 ; sysfreestring()
.text:02B73E08 LDR R0, [R4,#0x14] *!*
.text:02B73E0C BL sub_2BA56F8 ; sysfreestring
.text:02B73E10 LDR R0, [R4,#0x14] *!!!! DOUBLE FREE!!!**
.text:02B73E14 BL sub_2BA56F8 ; sysfreestring
.text:02B73E18 LDR R0, [R4,#8]
.text:02B73E1C BL sub_2BA56F8
.text:02B73E20 LDR R3, =(dword_2B66D30+8)
.text:02B73E24 STR R3, [R4]
.text:02B73E28 LDMFD SP!, {R4,LR}
.text:02B73E2C BX LR

*As you can see, the pointer at [R4 + 0x14] is passed to SysFreeString() twice.

.text:0271E4C0 SysFreeString ; CODE XREF: sub_271AE68+1Cp
.text:0271E4C0 ; sub_271AE68+24p ...
.text:0271E4C0 STMFD SP!, {R4,LR}
.text:0271E4C4 CMP R0, #0
.text:0271E4C8 BEQ loc_271E508
.text:0271E4CC LDR R3, =0x1ECD1B8
.text:0271E4D0 SUB R4, R0, #8
.text:0271E4D4 LDR R0, [R3]
.text:0271E4D8 BL sub_27391B8
.text:0271E4DC CMP R0, #0
.text:0271E4E0 BNE loc_271E4F4
.text:0271E4E4 MOV R0, R4
.text:0271E4E8 BL sub_2739168
.text:0271E4EC LDMFD SP!, {R4,LR}
.text:0271E4F0 BX LR
.text:0271E4F4 ; ---------------------------------------------------------------------------
.text:0271E4F4
.text:0271E4F4 loc_271E4F4 ; CODE XREF: SysFreeString+20j
.text:0271E4F4 LDR R3, [R4] ----->CRASH !!
.text:0271E4F8 MOV R1, R4
.text:0271E4FC ADD R3, R3, #0x19
.text:0271E500 BIC R2, R3, #0xF
.text:0271E504 BL sub_27295BC
.text:0271E508

*The code at 0271E4F4 attempts to read the 'size' field from the heap chunk header of the block being freed.
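The following C program is an added example and is not part of the advisory or of the Windows Mobile code; it builds with an ordinary host C compiler, not for ARM/WinCE. It models the free sequence of sub_2B73DE0 (the listing loads [R4+0x14] and passes it to sub_2BA56F8 at 02B73E0C and again at 02B73E14, and likewise reloads [R4+8] for a second call at 02B73E1C) against a small quarantine-style double-free detector of the kind a debug allocator provides, and shows the free-and-NULL pattern that turns the repeated calls into no-ops thanks to the NULL check at the top of SysFreeString (CMP R0,#0 / BEQ). The pim_obj_t type, the field names, the tracker and the sample N field are all constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the object torn down by sub_2B73DE0. The field
 * names record the offsets the listing loads from ([R4,#8] and
 * [R4,#0x14]); the host struct layout is not claimed to match. */
typedef struct {
    char *str_at_8;    /* pointer loaded from [R4,#8]    */
    char *str_at_14;   /* pointer loaded from [R4,#0x14] */
} pim_obj_t;

/* --- quarantine-style free tracker (constructed for this example) --- */
#define QUARANTINE_MAX 64
static char *g_quarantine[QUARANTINE_MAX];
static size_t g_quarantine_n;
static int g_double_frees;

/* Release quarantined blocks and clear the counters before a new run. */
static void tracker_reset(void)
{
    for (size_t i = 0; i < g_quarantine_n; i++)
        free(g_quarantine[i]);
    g_quarantine_n = 0;
    g_double_frees = 0;
}

/* Stand-in for sub_2BA56F8 / SysFreeString. As in the real routine, a
 * NULL pointer is a no-op. A pointer that was already freed is reported
 * and NOT handed back to the heap; a first free is parked in the
 * quarantine so the address cannot be recycled and mistaken for a
 * fresh block by a later legitimate free. */
static void tracked_sysfreestring(char *p)
{
    if (p == NULL)
        return;
    for (size_t i = 0; i < g_quarantine_n; i++) {
        if (g_quarantine[i] == p) {
            g_double_frees++;
            fprintf(stderr, "double free of %p detected\n", (void *)p);
            return;
        }
    }
    if (g_quarantine_n < QUARANTINE_MAX)
        g_quarantine[g_quarantine_n++] = p;
    else
        free(p);   /* quarantine full: fall back to a real free */
}

/* Destructor with the call order of the listing: [R4+8] at 02B73E04,
 * [R4+0x14] at 02B73E0C and again at 02B73E14, [R4+8] again at 02B73E1C. */
static void destroy_as_listed(pim_obj_t *o)
{
    tracked_sysfreestring(o->str_at_8);
    tracked_sysfreestring(o->str_at_14);
    tracked_sysfreestring(o->str_at_14);   /* the DOUBLE FREE in the advisory */
    tracked_sysfreestring(o->str_at_8);
}

/* Same call sequence, but each pointer is cleared right after its free,
 * so the repeated calls stop at SysFreeString's NULL check. */
static void destroy_free_and_null(pim_obj_t *o)
{
    tracked_sysfreestring(o->str_at_8);  o->str_at_8  = NULL;
    tracked_sysfreestring(o->str_at_14); o->str_at_14 = NULL;
    tracked_sysfreestring(o->str_at_14);   /* now a no-op */
    tracked_sysfreestring(o->str_at_8);    /* now a no-op */
}

/* Build an object holding two copies of a constructed vCard N field,
 * run one destructor over it and return how many double frees the
 * tracker reported. */
int count_double_frees(void (*destroy)(pim_obj_t *))
{
    static const char n_field[] = "N:Unuver;Celil;;;";   /* constructed sample */
    const size_t len = sizeof n_field;
    pim_obj_t o;

    tracker_reset();
    o.str_at_8  = malloc(len);
    o.str_at_14 = malloc(len);
    if (o.str_at_8 == NULL || o.str_at_14 == NULL)
        abort();
    memcpy(o.str_at_8,  n_field, len);
    memcpy(o.str_at_14, n_field, len);

    destroy(&o);
    return g_double_frees;
}

int main(void)
{
    printf("as listed     : %d double free(s)\n", count_double_frees(destroy_as_listed));
    printf("free-and-NULL : %d double free(s)\n", count_double_frees(destroy_free_and_null));
    tracker_reset();   /* release the last quarantine */
    return 0;
}
```

The detector reports two double frees for the listing's sequence (one per pointer) and none once each pointer is cleared after its free; a real debug allocator does the same job with a delayed-reuse quarantine, which is what makes the second free observable at test time instead of only as a crash inside SysFreeString's header read.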

Exploiting:

Double frees are usually exploitable, but in this case it doesn't look simple. The calls to free() occur in immediate succession. WinCE supports multi-threading, but this is an extremely hard case to try. I do not have deep knowledge about WinCE heap structures. So it may be denial of service, but I think it can be possible to exploit this vulnerability. (impossible is nothing! :P)


Proof of Concept:

http://www.exploit-db.com/application/15297

Vendor-Patch Status:

It's 0day :]

Actually I contacted Microsoft, but they said:
"we fixed this issue on WM 6.5 version and we can not publish a bulletin for it". But I'm sure that it is not fixed on the 6.5 version. I've tested it on several devices which have WM 6.5. Also I've tested it on the WM 6.5 Professional Emulator (which can be downloaded from MS pages), and it crashes too.


Last Words:
We are not dead, just busy!

Greets to: SecurityArchitect Members (Ulascan), Hellcode, murderkey ...

Links:
www.securityarchitect.org
blog . securityarchitect . org

© 2018 Packet Storm. All rights reserved.