AOH :: HP Unsorted P :: B06-4152.HTM

PocketPC MMS - Remote Code Injection/Execution Vulnerability and Denial-of-Service



PocketPC MMS - Remote Code Injection/Execution Vulnerability and Denial-of-Service
PocketPC MMS - Remote Code Injection/Execution Vulnerability and Denial-of-Service



Vulnerability Report

-----------------------------

Vendor:       Microsoft and ArcSoft
Product:      PocketPC OS and MMS Composer
Version(s):   MMS Composer: 1.5.5.6, 2.0.0.13 (possible others)
Platform:     PocketPC (tested on: WinCE 4.2 and WinCE 4.21, possible
              others)
Architecture: ARM

Device(s): HP iPAQ h6315, i-mate PDA2k (OEM: HTC BlueAngle) (possible 
           others)

Application:        MMS User Agent (Inbox application)
Application binary: tmail.exe

-----------------------------

Reporter(s): Collin Mulliner  (technical contact) 
Prof. Giovanni Vigna  

Affiliation:  Reliable Software Group, University of California Santa
Barbara

-----------------------------

Executive Summary:
 Multiple buffer overflows in MMS parsing code, allow 
 denial-of-service and REMOTE CODE INJECTION/EXECUTION via MMS.

-----------------------------

Disclosure Time Line:
 July 12. 2006 : Vulnerability Report to ArcSoft and Microsoft
 July 19. 2006 : Reply by ArcSoft and Microsoft
 Aug. 02. 2006 : Vendor Provides Bug Fix to OEMs
 Aug. 04. 2006 : Public Disclosure at DEFCON-14 

-----------------------------

BugFix:
 BugFix is awaiting approval by OEMs

-----------------------------

Brief Technical Details:

 1.0) UDP port 2948 open on all interfaces

  Devices accept WAPPush via UDP port 2948 on the wireless LAN (Wi-Fi)
  interface. This is unnecessary and can be used for Denial-of-Service 
  attacks.

 -----------------------------

 2.0) Multiple buffer overflows in MMS message parser

  MMS Message parts:

   2.1) M-Notification.ind
   2.2) M-Retrieve.conf (Header)
   2.3) M-Retrieve.conf (Body)
   2.4) SMIL parser (Message display function)

 -----------------------------

 2.1) Parser for M-Notification.ind

  Buffer overflows in handlers for the following header fields:

   1) TransactionID
   2) Subject
   3) ContentLocation

  Application crashes. Non-critical. Denial-of-Service attack possible. 
  Exploitable via UDP port 2948.
	
  Categorization: MEDIUM (denial-of-service via wireless LAN)

  Exploit: Proof-of-Concept available (DoS)

 -----------------------------

 2.2) Parser for M-Retrieve.conf (Header)

  Buffer overflows in handlers for the following header fields:

   1) Subject
   2) Content-Type (can overwrite return address on stack)
   3) start-info parameter of content-type

  Application crashes.
	
  Categorization: LOW (exploitation requires control of MMS 
                  infrastructure)

 -----------------------------

 2.3) Parser for M-Retrieve.conf (Body)

  Buffer overflows in handlers for the following body fields:

   Multi-Part Entry header:
    1) Content-Type
    2) Content-ID
    3) ContentLocation

  In all cases it is possible to overwrite the return address.
	
  Categorization: LOW (exploitation requires control of MMS 
                  infrastructure)

 -----------------------------

 2.4) Parser for SMIL (Message display function) 

  Transported in: M-Retrieve.conf body content

  Buffer overflows in handlers for the following parameters:

    1) ID parameter of REGION tag
      ID="CONTENT" CONTENT is copied into stack-based variable, CONTENT 
      can be arbitrary long. 

    2) REGION parameter of TEXT tag
      REGION="CONTENT" CONTENT is copied into stack-based variable, 
      CONTENT can be arbitrary long.

  Both overflows allow one to overwrite the return address on the 
  stack. Both are exploitable and we were able to create a 
  proof-of-concept exploit. The exploit is triggered by viewing the 
  malicious MMS message (this is different from other exploits that 
  require substantial user interaction -- e.g., to install a program).

  Overflow happens after 300 bytes in version 1.5.5.6 and after 400 
  bytes in version 2.0.0.13.

  Categorization: CRITICAL (REMOTE CODE EXECUTION)

  Exploit: Proof-of-Concept available (code execution)
	
-----------------------------
 
Related DEFCON-14 slides and Proof-of-Concept DoS tool are available
here:

http://www.mulliner.org/pocketpc/ 



The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.