Vulnerability Report
-----------------------------
Vendor: Microsoft and ArcSoft
Product: PocketPC OS and MMS Composer
Version(s): MMS Composer: 1.5.5.6, 2.0.0.13 (possible others)
Platform: PocketPC (tested on: WinCE 4.2 and WinCE 4.21, possible
others)
Architecture: ARM
Device(s): HP iPAQ h6315, i-mate PDA2k (OEM: HTC BlueAngle) (possible
others)
Application: MMS User Agent (Inbox application)
Application binary: tmail.exe
-----------------------------
Reporter(s): Collin Mulliner (technical contact)
Prof. Giovanni Vigna
Affiliation: Reliable Software Group, University of California Santa
Barbara
-----------------------------
Executive Summary:
Multiple buffer overflows in MMS parsing code, allow
denial-of-service and REMOTE CODE INJECTION/EXECUTION via MMS.
-----------------------------
Disclosure Time Line:
July 12. 2006 : Vulnerability Report to ArcSoft and Microsoft
July 19. 2006 : Reply by ArcSoft and Microsoft
Aug. 02. 2006 : Vendor Provides Bug Fix to OEMs
Aug. 04. 2006 : Public Disclosure at DEFCON-14
-----------------------------
BugFix:
BugFix is awaiting approval by OEMs
-----------------------------
Brief Technical Details:
1.0) UDP port 2948 open on all interfaces
Devices accept WAPPush via UDP port 2948 on the wireless LAN (Wi-Fi)
interface. This is unnecessary and can be used for Denial-of-Service
attacks.
-----------------------------
2.0) Multiple buffer overflows in MMS message parser
MMS Message parts:
2.1) M-Notification.ind
2.2) M-Retrieve.conf (Header)
2.3) M-Retrieve.conf (Body)
2.4) SMIL parser (Message display function)
-----------------------------
2.1) Parser for M-Notification.ind
Buffer overflows in handlers for the following header fields:
1) TransactionID
2) Subject
3) ContentLocation
Application crashes. Non-critical. Denial-of-Service attack possible.
Exploitable via UDP port 2948.
Categorization: MEDIUM (denial-of-service via wireless LAN)
Exploit: Proof-of-Concept available (DoS)
-----------------------------
2.2) Parser for M-Retrieve.conf (Header)
Buffer overflows in handlers for the following header fields:
1) Subject
2) Content-Type (can overwrite return address on stack)
3) start-info parameter of content-type
Application crashes.
Categorization: LOW (exploitation requires control of MMS
infrastructure)
-----------------------------
2.3) Parser for M-Retrieve.conf (Body)
Buffer overflows in handlers for the following body fields:
Multi-Part Entry header:
1) Content-Type
2) Content-ID
3) ContentLocation
In all cases it is possible to overwrite the return address.
Categorization: LOW (exploitation requires control of MMS
infrastructure)
-----------------------------
2.4) Parser for SMIL (Message display function)
Transported in: M-Retrieve.conf body content
Buffer overflows in handlers for the following parameters:
1) ID parameter of REGION tag
ID="CONTENT" CONTENT is copied into stack-based variable, CONTENT
can be arbitrary long.
2) REGION parameter of TEXT tag
REGION="CONTENT" CONTENT is copied into stack-based variable,
CONTENT can be arbitrary long.
Both overflows allow one to overwrite the return address on the
stack. Both are exploitable and we were able to create a
proof-of-concept exploit. The exploit is triggered by viewing the
malicious MMS message (this is different from other exploits that
require substantial user interaction -- e.g., to install a program).
Overflow happens after 300 bytes in version 1.5.5.6 and after 400
bytes in version 2.0.0.13.
Categorization: CRITICAL (REMOTE CODE EXECUTION)
Exploit: Proof-of-Concept available (code execution)
-----------------------------
Related DEFCON-14 slides and Proof-of-Concept DoS tool are available
here:
http://www.mulliner.org/pocketpc/