Remote Code Execution on Windows Mobile - '0wnd by an MMS' |
  |
|
 Aug 9 2006, 16:41
Post
#1
|
||
 The Main Man  Group: Admin Team Posts: 20,495 Joined: 6th November 2002 From: Norwich, UK Member No.: 1 Device(s): HTC Advantage  |
[teaser]Think that mobile phone viruses are going to be limited to the Symbian world, and that you are safe using a Windows Mobile device?
Well, that's not the case, according to this article over at Symantec. QUOTE(Symantec) ...at DefCon this past weekend, Collin Mulliner demonstrated a remote code execution flaw via MMS on Windows CE. [/teaser]Collin's slides show how he used a malformed MMS message to achieve arbitrary code execution on a device, simply by having a user view the message. This is obviously of great concern; Windows Mobile devices are becoming more and more prevalent and the substantial challenges with patching continue to exist. At the end of 2005, the Symantec Advanced Threat Research team performed a detailed attack surface analysis of Windows CE 5. We took a very broad and a very deep look as to how attacks could target Windows CE (and thus Windows Mobile) devices both from a remote perspective, as well as a local privilege escalation perspective (CE 5 includes the concept of trusted versus un-trusted applications). This research included documenting all of the remote attack vectors that could potentially exist. During the course of the research, as you would expect, we found a number of remote code execution flaws that could be leveraged in a malicious fashion. While we won't be disclosing the specific flaws just yet, what we will discuss is the overall security architecture of CE5, the types of vulnerabilities we discovered, how these impact mobile devices, and what, if anything, people can do to protect themselves.... Concerning words indeed, and I thoroughtly recommend checking out Collin Mulliner's PDF slide deck here if you want to learn more about this particular vulnerability, or to read Collin's research into Windows Mobile Phone devices' attack surface in general. Remember people, don't have nightmares  P (via msmobiles)   -------------------- Paul O'Brien - Microsoft MVP, Mobile Devices, MoDaCo.network Founder. Check out my Blog! £10 off a £20 spend at eXpansys - click for details |
||
 |
 
|
||
|
Aug 9 2006, 21:18
Post
#2
|
||
|
Newbie  Group: Posters Posts: 13 Joined: 27th March 2006 Member No.: 179,919 Device(s): T-Mobile SDA |
I was at this talk in Vegas this past weekend.. great talk..
|
||
|
|
|
||
|
Aug 10 2006, 09:59
Post
#3
|
|||
|
Addict  Group: MoDaCo Plus Posts: 938 Joined: 19th January 2003 Member No.: 2,098 |
serious amount of testing went into finding these exploits - very nice write up
|
||
|
|
|
||
|
Aug 11 2006, 13:58
Post
#4
|
||
|
Addict Group: Posters Posts: 650 Joined: 11th July 2004 Member No.: 49,096 Device(s): QtekS100, E650, Touch Dual |
scanning thru the PDF, it would appear to me that the onus is in the networks to resolve this.
Without the speaker, the notes are only giving half the story but i could pick up that the sanitizing of the messages is achieved at the infrastructure level, not the device. The device seems unable to differentiate between a good and bad message... With this in mind, would an anti-virus package in the conventional context actually offer any protection? I dont think it would... considering the actual number if MMS's sent to Windows Mobile units -and as the PDF states, this is all based in the previous OS kernal, not WM5 - is it a real worry? i think i shall still run the gauntlet and stay unprotected... interesting/comforting to know that there is a real effort in this area though. Both in the 'attacking' and 'defence from' areas. |
||
|
|
|
||
|
Aug 11 2006, 14:06
Post
#5
|
||
|
Diehard  Group: Posters Posts: 384 Joined: 31st March 2005 From: Surrey, UK Member No.: 120,987 Device(s): MDA Vario III + MDA Vario |
QUOTE(Samsonite @ Aug 11 2006, 14:58)  scanning thru the PDF, it would appear to me that the onus is in the networks to resolve this. I thought I read that MS and the MMS software company had provided a fix, but it was up to the networks to provide new ROMs for the devices... which on a Windows Mobile 2003 device is unlikely now. There was no mention whether the bug was also in WM5. Seeing as the MMS is still a separate app I believe, it's possible. If so, lets hope they (and then the networks) release an update. |
||
|
|
|
||
|
Aug 13 2006, 11:15
Post
#6
|
|||
|
Newbie Group: Posters Posts: 7 Joined: 8th October 2004 Member No.: 59,711 |
Symantec is not a real frontline player in the mobile AV market. I'd rather believe F-Secure, when it comes to Mobile AV, as they have developped much earlier AND own AV software for both PDA's and smartphones.
|
||
|
|
|
||
|
Aug 13 2006, 14:59
Post
#7
|
||
 Regular  Group: Posters Posts: 90 Joined: 16th February 2006 Member No.: 172,939 Device(s): orange spv m2000, se k800i |
hello all,
so when last year i forked out £50+ for airscanner's 'mobile security suite' and people laughed at me saying i wasted my money and that the software would never be needed, does this mean i'm covered for such nastiness and that its now my turn to laugh ? pooks ps. or does this mean that once again i need to wipe the egg off my face ? |
||
|
|
|
||
|
Aug 13 2006, 16:29
Post
#8
|
||
|
Addict Group: Posters Posts: 650 Joined: 11th July 2004 Member No.: 49,096 Device(s): QtekS100, E650, Touch Dual |
QUOTE(pookiecheeks @ Aug 13 2006, 15:59) hello all, so when last year i forked out £50+ for airscanner's 'mobile security suite' and people laughed at me saying i wasted my money and that the software would never be needed, does this mean i'm covered for such nastiness and that its now my turn to laugh ? pooks ps. or does this mean that once again i need to wipe the egg off my face ? depends if your protection can prevent 1000 MMS's being delivered to your phone.... |
||
|
|
|
||
|
Aug 30 2006, 12:46
Post
#9
|
||
|
Hardcore Group: Posters Posts: 1,810 Joined: 17th February 2003 From: Scotland Member No.: 2,867 Device(s): M2000 |
QUOTE(Samsonite @ Aug 11 2006, 14:58) With this in mind, would an anti-virus package in the conventional context actually offer any protection? I dont think it would... It would not help at all. A remote exploit is not a virus, it's simply a way of executing code. Now, the code the attacker may execute might install a virus. If the virus scanner was familiar with that virus (or how it hooks into the OS boot proceedure), then it might be able to detect it. Maybe. However, there aren't any viruses for the windows mobiles platform yet, so there is nothing to look for. It's nice to see Symantec working hard to change that...ought to be good for their sales.  Here's what the code probably looks like in all the existing scanners. Remember, there's nothing for them to look for at the moment. CODE while(true) { doNothing(); sleepAWhile(); } Firewalls on the other hand are a different matter, but the last time I scanned my phone nothing showed up. No running services = no exploits. Microsoft learned that one the hard way years ago. |
||
|
|
|
||
|
Similar Topics
| Topic | Replies | Topic Starter | Views | Last Action | |
|---|---|---|---|---|---|
 |
 Paul's complete guide to installing OSX Leopard on your MSI Wind / Advent 4211Video uploading now... |
546 | Paul (MVP) | 205,503 | Today, 18:23 Last post by: elalitte |
|
Pinned: ROM download links, naming scheme + 'Incorrect Software Version' fix |
171 | Paul (MVP) | 76,759 | Today, 18:01 Last post by: PhilipE |
|
Pinned: Paul's must have FREE i900 Omnia software |
62 | Paul (MVP) | 30,187 | Today, 18:18 Last post by: GTDave |
 |
T-Mobile MDA Vario IV release date? | 12 | vii_voo | 1,004 | Today, 16:33 Last post by: acre |
|
How to browse Files on your PC using wifi | 18 | BazzaE | 610 | Today, 18:20 Last post by: L.P |
|
Complete install guide for Manila (TouchFlo 2D) on i900 HTC Standard Skin - All files incl |
67 | robf80 | 4,912 | Today, 18:02 Last post by: sector |
1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)
0 Members:
 |
Lo-Fi Version | Time is now: 11th October 2008 - 19:20 |
Please visit our 'Plus Partners' - these companies support MoDaCo through 'MoDaCo Plus' - Click Here for more details!
VITO Technology | Slipstream Solutions | Aiko Solutions | PDAMill | Inesoft | SBSH | LingvoSoft | Ruttensoft | Astraware | MadBeetle | Sprite Software
Opera | Westtek | TetraEdge | Z4Soft | KBM Systems | Conduits | Mini Lyrics Magic | Proporta | Semsons | SyncData | Active Kitten | Binaryfish | Textr
SPB Software House | Omega One | OmniSoft | Resco | eSoft Interactive | TenGo | ATEKsoft | imei-check | GpsGate | SplashData | DeveloperOne | monocube
WebIS, home of Pocket Informant, FlexMail and Note2Self
Would your company like to become a 'Plus Partner'? Click Here to contact us!
MoDaCo and Mobiholics are part of the MoDaCo.network, © Paul O'Brien 2002-2007. MoDaCo is managed by Upsolv, LLC.
Our Friends - CoolSmartphone - Smartphone Thoughts - MSMobileNews - MSMobiles - DSL Developments - Brodit Specialists - PDAhut. MoDaCo uses IntelliTxt technology.
Our Friends - CoolSmartphone - Smartphone Thoughts - MSMobileNews - MSMobiles - DSL Developments - Brodit Specialists - PDAhut. MoDaCo uses IntelliTxt technology.