To: bugtraq@securityfocus.com Date: Thu, 10 Aug 2006 11:28:18 -0700 Vulnerability Report ----------------------------- Vendor: Microsoft and ArcSoft Product: PocketPC OS and MMS Composer Version(s): MMS Composer: 1.5.5.6, 2.0.0.13 (possible others) Platform: PocketPC (tested on: WinCE 4.2 and WinCE 4.21, possible others) Architecture: ARM Device(s): HP iPAQ h6315, i-mate PDA2k (OEM: HTC BlueAngle) (possible others) Application: MMS User Agent (Inbox application) Application binary: tmail.exe ----------------------------- Reporter(s): Collin Mulliner (technical contact) Prof. Giovanni Vigna Affiliation: Reliable Software Group, University of California Santa Barbara ----------------------------- Executive Summary: Multiple buffer overflows in MMS parsing code, allow denial-of-service and REMOTE CODE INJECTION/EXECUTION via MMS. ----------------------------- Disclosure Time Line: July 12. 2006 : Vulnerability Report to ArcSoft and Microsoft July 19. 2006 : Reply by ArcSoft and Microsoft Aug. 02. 2006 : Vendor Provides Bug Fix to OEMs Aug. 04. 2006 : Public Disclosure at DEFCON-14 ----------------------------- BugFix: BugFix is awaiting approval by OEMs ----------------------------- Brief Technical Details: 1.0) UDP port 2948 open on all interfaces Devices accept WAPPush via UDP port 2948 on the wireless LAN (Wi-Fi) interface. This is unnecessary and can be used for Denial-of-Service attacks. ----------------------------- 2.0) Multiple buffer overflows in MMS message parser MMS Message parts: 2.1) M-Notification.ind 2.2) M-Retrieve.conf (Header) 2.3) M-Retrieve.conf (Body) 2.4) SMIL parser (Message display function) ----------------------------- 2.1) Parser for M-Notification.ind Buffer overflows in handlers for the following header fields: 1) TransactionID 2) Subject 3) ContentLocation Application crashes. Non-critical. Denial-of-Service attack possible. Exploitable via UDP port 2948. Categorization: MEDIUM (denial-of-service via wireless LAN) Exploit: Proof-of-Concept available (DoS) ----------------------------- 2.2) Parser for M-Retrieve.conf (Header) Buffer overflows in handlers for the following header fields: 1) Subject 2) Content-Type (can overwrite return address on stack) 3) start-info parameter of content-type Application crashes. Categorization: LOW (exploitation requires control of MMS infrastructure) ----------------------------- 2.3) Parser for M-Retrieve.conf (Body) Buffer overflows in handlers for the following body fields: Multi-Part Entry header: 1) Content-Type 2) Content-ID 3) ContentLocation In all cases it is possible to overwrite the return address. Categorization: LOW (exploitation requires control of MMS infrastructure) ----------------------------- 2.4) Parser for SMIL (Message display function) Transported in: M-Retrieve.conf body content Buffer overflows in handlers for the following parameters: 1) ID parameter of REGION tag ID="CONTENT" CONTENT is copied into stack-based variable, CONTENT can be arbitrary long. 2) REGION parameter of TEXT tag REGION="CONTENT" CONTENT is copied into stack-based variable, CONTENT can be arbitrary long. Both overflows allow one to overwrite the return address on the stack. Both are exploitable and we were able to create a proof-of-concept exploit. The exploit is triggered by viewing the malicious MMS message (this is different from other exploits that require substantial user interaction -- e.g., to install a program). Overflow happens after 300 bytes in version 1.5.5.6 and after 400 bytes in version 2.0.0.13. Categorization: CRITICAL (REMOTE CODE EXECUTION) Exploit: Proof-of-Concept available (code execution) ----------------------------- Related DEFCON-14 slides and Proof-of-Concept DoS tool are available here: http://www.mulliner.org/pocketpc/