SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
SecurityReason
IT News
Search
SecurityAlert Database
About SecurityAlert
ExploitAlert Database
SecurityReason Research
WLB
WLB Database
Send to WLB
About WLB
Services
Security Audit
Schedule
Prices of services
Contact
RSS
SecurityReason IT News
SecurityAlert
World Laboratory of Bugtraq
ExploitAlert
Apache
PHP
Corporate
Contact
About SecurityReason
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com
Home arrow SecurityAlert Database

Arrow  Topic :

PocketPC MMS - Remote Code Injection/Execution Vulnerability andDenial-of-Service


Arrow  SecurityAlert : 1387
Arrow  CVE : CVE-2006-4132
Arrow  CVE : CVE-2006-4131
Arrow  SecurityRisk : High  Security Risk High  (About)
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : Yes
Arrow  Exploit Available : No
Arrow  Credit : Collin R. Mulliner (collin betaversion net)
Arrow  Published : 16.08.2006

Arrow  Affected Software : MMS User Agent



Arrow  Advisory Content :  

Vulnerability Report

-----------------------------

Vendor: Microsoft and ArcSoft
Product: PocketPC OS and MMS Composer
Version(s): MMS Composer: 1.5.5.6, 2.0.0.13 (possible others)
Platform: PocketPC (tested on: WinCE 4.2 and WinCE 4.21, possible
others)
Architecture: ARM

Device(s): HP iPAQ h6315, i-mate PDA2k (OEM: HTC BlueAngle) (possible
others)

Application: MMS User Agent (Inbox application)
Application binary: tmail.exe

-----------------------------

Reporter(s): Collin Mulliner <mulliner (at) cs.ucsb (dot) edu [email
concealed]> (technical contact)
Prof. Giovanni Vigna <vigna (at) cs.ucsb (dot) edu [email
concealed]>

Affiliation: Reliable Software Group, University of California Santa
Barbara

-----------------------------

Executive Summary:
Multiple buffer overflows in MMS parsing code, allow
denial-of-service and REMOTE CODE INJECTION/EXECUTION via MMS.

-----------------------------

Disclosure Time Line:
July 12. 2006 : Vulnerability Report to ArcSoft and Microsoft
July 19. 2006 : Reply by ArcSoft and Microsoft
Aug. 02. 2006 : Vendor Provides Bug Fix to OEMs
Aug. 04. 2006 : Public Disclosure at DEFCON-14

-----------------------------

BugFix:
BugFix is awaiting approval by OEMs

-----------------------------

Brief Technical Details:

1.0) UDP port 2948 open on all interfaces

Devices accept WAPPush via UDP port 2948 on the wireless LAN (Wi-Fi)
interface. This is unnecessary and can be used for Denial-of-Service
attacks.

-----------------------------

2.0) Multiple buffer overflows in MMS message parser

MMS Message parts:

2.1) M-Notification.ind
2.2) M-Retrieve.conf (Header)
2.3) M-Retrieve.conf (Body)
2.4) SMIL parser (Message display function)

-----------------------------

2.1) Parser for M-Notification.ind

Buffer overflows in handlers for the following header fields:

1) TransactionID
2) Subject
3) ContentLocation

Application crashes. Non-critical. Denial-of-Service attack possible.
Exploitable via UDP port 2948.

Categorization: MEDIUM (denial-of-service via wireless LAN)

Exploit: Proof-of-Concept available (DoS)

-----------------------------

2.2) Parser for M-Retrieve.conf (Header)

Buffer overflows in handlers for the following header fields:

1) Subject
2) Content-Type (can overwrite return address on stack)
3) start-info parameter of content-type

Application crashes.

Categorization: LOW (exploitation requires control of MMS
infrastructure)

-----------------------------

2.3) Parser for M-Retrieve.conf (Body)

Buffer overflows in handlers for the following body fields:

Multi-Part Entry header:
1) Content-Type
2) Content-ID
3) ContentLocation

In all cases it is possible to overwrite the return address.

Categorization: LOW (exploitation requires control of MMS
infrastructure)

-----------------------------

2.4) Parser for SMIL (Message display function)

Transported in: M-Retrieve.conf body content

Buffer overflows in handlers for the following parameters:

1) ID parameter of REGION tag
ID="CONTENT" CONTENT is copied into stack-based variable, CONTENT
can be arbitrary long.

2) REGION parameter of TEXT tag
REGION="CONTENT" CONTENT is copied into stack-based variable,
CONTENT can be arbitrary long.

Both overflows allow one to overwrite the return address on the
stack. Both are exploitable and we were able to create a
proof-of-concept exploit. The exploit is triggered by viewing the
malicious MMS message (this is different from other exploits that
require substantial user interaction -- e.g., to install a program).

Overflow happens after 300 bytes in version 1.5.5.6 and after 400
bytes in version 2.0.0.13.

Categorization: CRITICAL (REMOTE CODE EXECUTION)

Exploit: Proof-of-Concept available (code execution)

-----------------------------

Related DEFCON-14 slides and Proof-of-Concept DoS tool are available
here:

http://www.mulliner.org/pocketpc/




Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

libc/fnmatch(3) DoS

Security Risk Medium- 2011-05-13

Allow attacker to denial of service apache 2.2.17 server
Apache RSS Apache Alert

» Apache HTTP Server Denial
   of Service Vulnerability

» Multiple Vendors
   libc/fnmatch(3) DoS (incl
   apache poc)

» Apache Continuum
   cross-site scripting
   vulnerability

» Apache Tomcat DoS
   Vulnerability
PHP RSS PHP Alert

» PHP Hashtables Denial of
   Service

» PHP 5.3.6 multiple null
   pointer dereference

» PHP 5.3.6 ZipArchive
   invalid use glob(3)

» libzip 0.9.3
   _zip_name_locate NULL
   Pointer Dereference (incl
   PHP 5.3.5)
ADT

Protect your family and valuables with Home Security Systems
Copyright © SecurityReason.com. All Rights Reserved.