So, my name is Collin Mulliner. I'm a student of the Reliable Software Group at UC Santa Barbara, and I'm doing some security research on Bluetooth and other stuff. Today I'm going to talk about advanced attacks against Pocket PC phones, but actually that's only half of the truth, since we're actually going to talk about MMS-based attacks against Pocket PC phones.

So basically, we're going to talk about attacking and exploiting Pocket PC based smartphones, about vulnerability analysis of smartphones, and about applying fuzzing to smartphones. In this particular case we are looking at MMS, the Multimedia Messaging Service, and of course we are going to look at the client side, the user agent side. So basically we're going to look at how to analyze and then how to attack the Pocket PC MMS user agent.

So first a small overview about mobile phones, state-of-the-art attacks, a little bit about Pocket PC, the Multimedia Messaging Service, then vulnerability testing of the Multimedia Messaging Service, and then some nice exploits and how to own MMS user agents, and some conclusions, of course.

So right now the basic attacks against mobile phones are either Bluetooth-based attacks, where you just take control over the phone using some logic errors, where you can steal phone books or use it to do denial of service attacks; or you attack third-party applications, do some code injection, some denial of service. Or if you go to SMS and MMS, we have these MMS worms for Symbian, which don't really utilize real vulnerabilities; it's more like, yeah, let's see if the user is actually dumb enough to run this Trojan. Some common examples are the CommWarrior or the Mabir worms. And then we have the SMS-based attacks: some format string exploits, which basically can only be used to crash the device, or the Siemens thing, some special characters; if you send an SMS with a special character the phone just freezes. This is very, very stupid, not very advanced. So we're going to do advanced attacks.

So Pocket PC was exploited about three years ago. There was a first talk at Defcon, I think 11 or 12, I don't know. So the basic things are: okay, we can attack some third-party applications, preferably FTP servers, or we can do some attacks against the Bluetooth stack. There's actually a nice, not really public exploit, because Microsoft said we're not going to fix it, the next version is getting out. So Tim Herman of our group wrote this really nice exploit. Then we have some other Bluetooth OBEX-based attacks; it's cool, but not that great. And then we have some denial of service against ActiveSync, or some local attacks, which are kind of stupid against PDAs, but they're there.

So a quick overview of what Pocket PC is: Pocket PC is actually just the Windows CE version used for PDAs and smartphones. There are a bunch of architectures supported, but we are actually only interested in ARM. Also, we're not going to do any shell code or those things today. The current version is 5.0, but there are so many 4.2 devices out there, so we're going to look only at 4.2. So these are basically the phones, the devices we're interested in, just two examples, where we have GSM, wireless LAN, Bluetooth and infrared in one device. So these kinds of phones are what we're going to attack.

Some quick overview about Windows CE. Windows CE only has one virtual address space for all applications, for all processes, which is just divided into this really stupid slot structure. We have basically a 32 process limit, and yeah, there's some kind of memory protection. So, yeah, that's really stupid, but we are not going to look at the real details.
We're actually only interested in MMS. So the security model is also really cool: it's a single-user device and you can just lock your device. So any process can access everything, which is really cool, because once you execute code you can just, oh, let's use Bluetooth; oh, why not use GSM and call some numbers? We can just do anything.

So the reason why I'm not going to talk about shell code and stuff is because it's pretty well covered by now. So if anybody is into writing their own exploits, check out these talks and use the stuff I present today to write some nice shell code. So there are some issues: on Linux or Windows you have a command shell, so you actually just want to do one thing, you just connect or exploit a box and run a shell and then you have access, but not on Pocket PC. So you actually have to write everything you want to do in your shell code, so it's going to be a little bit ugly. And then we have this stupid slot problem, where we actually have to guess a specific part of the return address every time. That's kind of annoying. There are some workarounds; I'm going to show them later, but they are well covered in the other talks.

So that's our actual thing: we are interested in the Multimedia Messaging Service. Many people, I guess, know it either as MMS or as picture messaging in the US. Since I'm from Europe we just call it MMS. It's basically just this multimedia message exchange system. It's basically built for audio, video, pictures, text, of course, but you can actually send anything.
It's just some data exchange like email, so messages are sent like a store-and-forward system. You actually have a big infrastructure in the back, and of course you have to pay per message, which is kind of interesting if you would try to analyze a system like that, because we don't actually want to spend money.

So the architecture: even if it's a phone thing, it's totally IP based. So if you're kind of skilled in all the IP stuff and HTTP, maybe you know how to mess with MMS. The system is basically just four components: the MMS server/relay, a WAP gateway, the push proxy, and the SMS service center.

So the interesting thing: when a message is going to be sent, of course the client generates the message and then it's actually just pushed to the WAP gateway, which just translates it to HTTP, and it's all just uploading some stupid file to some web server. That's basically how MMS works. The receiving side is a little bit more interesting, because the device somehow needs to know, oh, there is a new message waiting for you. So that's going to happen via SMS. So as soon as a new message is waiting for you on the server you just get an SMS, and then you just go to the server, the same way, just over the WAP gateway, do HTTP and get the message.

So the message is just like email. So we have some headers, some bodies; the body is in MIME, a really nice format, especially if it's binary encoded; you can do a lot of nice and funny things with it. By the way, if there are any questions, just raise your hand and get a mic. So they just do binary encoding, of course, to reduce the message transfer, the message size, which is kind of interesting later. So we have a bunch of message types. The types are not too interesting, besides the notification message. So, just for reference.

So what is the user agent? Of course, it's the MMS client application.
It sends and receives the stuff. It handles, of course, SMS, WAP push, all the old IP crap, and of course it has to render lots of formats, like SMIL and WML; it's like HTML for MMS. And of course all the different audio, video and image formats. It really has to do a lot of stuff.

So the Pocket PC agent, they call it the inbox application, and the fun thing is it handles everything, every communication like SMS, MMS, POP3, IMAP. And again, for reference, the versions I was working with are these two. So maybe somebody has a device like that; maybe he or she wants to switch the device off, because maybe I'm going to do a demo later. The application binary is called tmail.exe. So if you want to look at your device, that's the application we're going to mess with.

So now, if you want to actually analyze and attack the agent, we first, of course, need to know: okay, what kind of inputs does this application have to handle? What are the possible attack vectors? And then we have to look at the infrastructure, because all the messages we're sending to the device are going through the infrastructure. The infrastructure could just filter out, sanitize parts of the message and maybe filter out bad stuff.
We are going to be sending, so we're going to have to look at that. And then, since we don't want to pay for message delivery while testing, we're going to build our own infrastructure and use that for fuzzing, but more on this later.

So basically there are two different messages which are sent to the device: the notification, this is the part that's sent over SMS, which has the information about the new message; and then we have the m-retrieve-conf message. This message is basically the file you download from the web server with just normal HTTP. And then in the m-retrieve-conf, of course, we have a header part and a body part, and the body part is a really nice, complex, binary-encoded MIME multipart. If you ever looked at a MIME encoding, then just think about how it would look in binary. Yeah, it's fun.

So the infrastructure: every time we send a message, the infrastructure, or the MMS relay, is going to look at the message and say, oh, what's about that header? Oh, that's maybe incorrect, so we're not accepting that for delivery. So in order to actually find the vulnerabilities or exploit them we need to know what parts of the message we can actually modify, to a certain extent, before it gets rejected. So that's what we're going to do. So I implemented a kind of testing procedure where we just modify fields and record the behavior of the MMS relay to see, okay, this is acceptable or not. So the message headers are basically sanitized heavily and mostly unusable, but the message body is more interesting anyway, since there are many more possibilities there, and I think they don't touch it.
So if you look closer at the MMS delivery on the phone itself, we see that we get a WAP push, which you can do over UDP, but they send basically the same message just encapsulated in an SMS. It's sent normally from port 9300 to port 2948. These are SMS ports; so in SMS you can also have these port identifiers. Then we have this nice thing on the device called the push router. The push router basically just gets all WAP pushes and forwards them to their application. So if you have this vnd.wap.mms-message thing, the MMS client is going to get it.

So then the real fun thing is the message URL, where to retrieve the actual message. That's just part of the notification; that's really just a URL string: here is the message, get it from here. And now the fun is a really bad, bad fuck-up of Microsoft: the Pocket PC devices which have wireless LAN also accept the WAP push message on the wireless interface. So as soon as you fire up your wireless interface, I can send you a lot of nice WAP pushes. So that's how the notification looks: you see at the end the red part, this is just the URL where the message is waiting for you. And then you see the blue part of the WAP push, just some information; you see some transaction ID and the subject. It's all in there.
So what you actually can do: you can just build your small WAP push message generator and then just start sending WAP pushes over wireless to your device, and your device will think, oh, there's an MMS waiting for me, and your phone will try to dial up GPRS, and the sound is also very, very annoying. And if you send hundreds of messages, thousands of messages, your phone is going to get very, very slow. And you can do stuff like fill up the MMS inbox and the file system, and you cannot do select all and just delete the junk messages; you have to go through and delete the messages one by one, which is a really, really nice DoS attack. So, of course, we're going to publish a tool. I haven't put it on the website yet.

So actually the trick for the flooding is to make the phone believe each message is a new message, and the thing is we just have to have a unique transaction ID and content location. So if you look at the slides later, with the m-notification-ind printout, you can see what parts you have to modify in order to have a nice, small, unique notification message. And yeah, that could happen to you today if I put the tool online. No, that doesn't work, because of the WAP, since you have to go through the WAP gateway of your phone service provider, and he is, of course, blocking access, or some of them block access, to servers which are not their MMS servers. But your phone will still try three times per message, so it will try to dial up GPRS, try to do a connection. So that's just a small side effect, a small fun we had on the side while doing that, because actually we're going to use the UDP stuff for something else.

So we want to find real exploitable bugs in the application, and since we don't have the source or anything, we're going to use fuzzing. Fuzzing, probably most of you have heard of it.
It's just: you build semi-valid input and send it to the device and see how it reacts. So the problem, of course, with MMS is that each message will cost you about 25 cents, maybe. So if you want to send 5,000 messages to do some testing you have to pay a lot of money. So we are going to just build our own MMS infrastructure. It's only an Apache web server and a WAP gateway, so we can just get off-the-shelf stuff from the internet: set up an Apache web server, the WAP gateway, get the MMS message generator, which we are also going to release together with our customized library, but it will take some time. And we do the actual simulation of the MMS infrastructure by using the UDP part. So Microsoft actually gave us a really nice debugging tool with this UDP part, because now we can one hundred percent simulate the MMS delivery process. You just have to change some settings in the MMS client and say, okay, use this IP, our Apache web server and our WAP gateway, to get messages. So we can generate some messages, put them on the web server, and send the notification.

So we basically were just after basic buffer overflow, string length stuff, just some basic testing. So you just hook up the debugger to tmail.exe, generate some message, dump it into the web server directory and send the message notification. So the phone will retrieve the message from the web server; either it does nothing and just looks funny, or maybe it doesn't show anything, or maybe tmail.exe will crash and you get some nice exception.

So this is a printout of the actual m-retrieve-conf. It's not complete, of course, because it's kind of big. So in the beginning we see the phone numbers, and then we have the nice multipart headers in the middle. There is a text file and then we have the SMIL file at the end. So it's just for your reference.
So of course, the simulated infrastructure really helps, because the ISP infrastructures are really nondeterministic; sometimes the messages are not delivered promptly. So the simulated infrastructure really helps to do deterministic testing. Also, maybe we want to test the parts that are normally sanitized; with our infrastructure we don't have this whole sanitization thing. We just generate files and feed them to the phone. And of course GPRS is kind of slow, maybe if you have EDGE, but still the whole thing is kind of slow, and with our own infrastructure we can really speed up the process. And of course we don't have to pay 25 cents or a buck or however much the provider is going to charge. So that's really nice and makes the whole testing really relaxed, so you don't have to think about spending money for stupid messages.

So the first bugs we found are in the notification, the m-notification-ind message, and there are just three stupid buffer overflows. So if you just make the transaction ID 264 bytes, the MMS client just dies. And if you remember, you can send this message over UDP, so as soon as the wireless is up you just go out and send a nicely modified notification message and you can crash tmail.exe. Unfortunately all these overflows are not exploitable for code injection; you can just overwrite parts of the stack and the application just goes away. So the bad thing is, okay, when I want to read MMS I don't need to be on the wireless, but since the application is also handling email, maybe you want to check your email, and at that point we just fire. So any time the wireless interface is up you cannot read email, SMS, MMS. Really nice one.

Then we have some other bugs in the m-retrieve-conf.
They're not so interesting. So in the body this is basically the same bugs, but for some stuff we cannot exploit it because we have the stupid sanitization. So what we could do, this is just what we could do, we actually haven't tried it, because many mobile phone service providers actually run these stupid closed-up gateways which don't allow us to connect to our own rogue MMS server. But if you find an ISP which doesn't block access to other IPs, you can just run your own MMS server on their network, or just on the internet, and send a nice SMS which points to your server, and whoops, you can exploit all the other bugs you just found which were normally not exploitable. So maybe you want to try to test some other service providers. I just did the big ones in the US and in Germany and they're smart enough to deny this access to other MMS servers, but maybe you find something, and whoops.

So now it gets interesting. We have SMIL, this XML-based presentation language, basically the HTML for MMS. And the really cool thing about that is this is, of course, transported in the message body, so everything we put in the message body, as I said before, is not sanitized. So whoa, that's the perfect attack vector; maybe we find something there and really screw you. So that's basically how a file like this looks; it just looks like HTML. The green and the red region, it's going to be interesting, because there are some exploits. Actually, the implementation is that bad that for these they just copy the stuff within the double quotes to the stack. So if you put 600 bytes there, 800 bytes, whoops, just on the stack; we don't care about the size. This is probably the same parser which just operates on different tags. So, yeah, maybe this is a nice exploit.

But so, in order to actually send our own bad MMS, we first need to build our own MMS user agent, and since we know how MMS actually works, this is going to be quite easy. So we basically use an MMS lib to generate some MMS thing; I use a really stupid Java library to just handle the WAP stuff, since I didn't really care about re-implementing the shit. And then you of course have to use the GPRS dial-up in order to connect to your service provider, because the MMS relay, of course, is not reachable from the internet; that would be so stupid. And sometimes the whole infrastructure is just in a private IP range, so it's not connectable from the internet anyway. So building an MMS user agent is actually quite easy.

So yeah, the zero-day. We can actually use this exploit from before, the vulnerability, to do some remote code injection over MMS. And not like the other MMS things where you just have to install, and yeah, I don't... it's okay that the application is not trusted. You just click on it like on an email, and as soon as the viewer goes into action, bang, code executed. So on the left side, of course, it's just the inbox, and if you click on that little message, whoops. So maybe somebody wants to try this at home.

So, as I said, I use these two devices. I really don't know how many devices are affected, but if you want to try this, there is the return address, the stack size, and so on. The slot problem I mentioned in the beginning is actually really, really stupid, so you actually have to guess on which memory slot tmail.exe is going to be executed, and what I found is like 14, 16, 20, 24, of course hex, are common slots. So basically what you do is just not send one malicious MMS, you just send four, and maybe the user is stupid enough to try to execute all four, and at some point we will have him. So, have some fun with that. Oh, I'm way too fast.
So, of course, I've talked to Microsoft and the company X, who doesn't want to have its name mentioned, but actually the name is on the slides I submitted, because they responded very slowly in the beginning. So they really showed that they took it seriously, because one of their VPs, of course the marketing people, since they don't have one single security guy in the company, he was like, whoa, we can't do that, he can't really publish that. But in the end they were actually very slow. It's a very fast story: in about a week they actually managed to bring out a fix, and the fix is now sitting at the OEMs, because they need to be tested and approved before they can be released. So as far as I know, they haven't been released. So you have, I guess, maybe a week or two to exploit this. But yeah, do it with your own devices. Not with your own devices.

So, some defense stuff, really, really fast. Of course, you could just run a packet filter on your device, on your Pocket PC. I actually haven't tried that because I was way too lazy. And for the MMS stuff itself, the ISP of course could run an IDS or some antivirus thing, which I already do, but I didn't have a problem getting messages delivered over four different ISPs, so I guess they don't do any kind of detection until now. Of course, you can also run some IDS or antivirus on your phone, but I guess today is the first day they know about this. And what mobile phone providers actually should do is they should actually filter those SMS notifications, the notifications over SMS, since actually nobody else besides them should be sending these notifications, because you also can crash the application over a real SMS. And, of course, install firmware updates when available, or software updates.

So the problem: security testing for smartphones is really, really painful, because you have this infrastructure.
You don't have source code, and in some cases, if you're doing the security engineering side, then, oh hmm, the MMS user agent is actually talking to everything, to the GPRS mobile phone network and to Wi-Fi. So you really have to be careful what you're doing.

So we found about 10 exploits. We actually stopped searching after we found stuff we could use for code execution. We will of course post a nice advisory on the lists. And yeah, we did the first code injection against mobile smartphones, and there will be a major, major problem in the future if the companies don't watch out about that.

So in the future, of course, we have to look at other MMS implementations, like there is Symbian and the Palm stuff, the new Linux phones; we haven't really looked at that stuff. And then, of course, all the other parts of the MMS message we haven't looked at: the audio and video parsers and handlers. So many things to test. And then, of course, you could also attack the actual MMS infrastructure; there are so many different protocols in there, you can really, really mess it up.

So yeah, I was really too fast, so we have a lot of time for questions. Anybody? Go ahead, take the mic. So I guess we have time; are there people here with Pocket PC phones? So we can do some demo if you have wireless on; I can do that.

Huh, is it on? How off does the phone have to be, like airplane mode and Wi-Fi off?

For the Wi-Fi stuff, of course, you just turn off Wi-Fi and then you're secure against the Wi-Fi based stuff. But for the MMS stuff, you have to not read MMS; that's the only thing. So just leave it in airplane mode. Yeah, but then your phone is off and not usable.
So you should basically use a PDA, maybe.

When you were testing and you found that all the major carriers prevented the client from connecting to a rogue server, did you try running a server on a device that's actually on their network, like another cell phone?

Yeah, we tried that, but not with all providers, with some. And I guess the European ones and the US providers are really up-to-date with their MMS stuff. But I found online, in the MMS developer forums, they give you so much nice information, and people are like, oh yeah, I think in the former eastern bloc countries some providers just run totally open networks. But apparently the German and US stuff was open, I think until two years ago, because I saw posts where people are like, I want to play with MMS, and people are just like, reconfigure the MMS server, just go ahead.

So how about the future? What about 5.0, is it super secure? This kind of hits me personally because I do have a 5.0 phone, but no, wireless is not on.

So I never actually had a 5.0 phone, but a friend told me that apparently 5.0 is completely compiled with stack protection. I really don't know; some people looked at it and they saw there is no way in, so I haven't looked at it, I cannot say anything. But you should be able to at least crash the application over UDP.

How is that possible, because the exploit is based on MMS? I mean, does 5.0 somehow look at the header as well as the body?

No. So yes, that protection just checks, if you overwrite the stack, the function doesn't return, so your code is not executed.
So it basically just gets converted to a DoS attack, which is kind of stupid over MMS since you actually have to pay for it, but the UDP attacks should still work. Yeah, I really haven't tested anything about 5.0. So maybe I can get a 5.0 device and look at it, preferably not mine. Appreciate it.

The fuzzer you use, did you write that yourself, or did you use another application? And if you wrote it, will you be releasing it?

What application? The fuzzer? Yeah, we will; that will take some more time since it's actually a university project and we have a scientific paper on it, so we keep it until then, but it's going to be released this year. The other application, the DoS tools everyone can try out, will be released later. As soon as I get off stage, I will try to put it online, together with updated slides.

One other quick question: are there other services that you're attacking, or is it just MMS?

Just looking at MMS. Anybody else? I guess I still have ten minutes or something. No, no dance. So any volunteers for putting up their phone, firing up their wireless? No, not on stage. So no volunteers? I actually thought people were screaming to volunteer for stuff. Normally people always want to volunteer and are like, oh yeah, I want to do the thing with the guy on stage, but not with their phone. Huh? Please use a mic.

Okay, I guess I'm totally under time. Oh, another question. Thanks, so I don't get in trouble with the Defcon crew. I was just saying, could you expand a little bit more on the SMS ports thing? Is that in standard SMS messages, there's a port field or something?

Yes, exactly. But the attacks over SMS itself, that's not as interesting because you actually have to pay for it. So the thing is, the SMS ports, the whole port thing for the WAP push, is just mapped one-to-one between SMS and UDP.
So basically they just map it to the same port. So you can send it over UDP, and according to the Microsoft security guy, they're just following the standards.

I volunteer my phone for a demo, for two.

Just hook it up to the Defcon network and I will do this. I just have to hook up my laptop to the Defcon network, and I don't need your IP, since Microsoft actually accepts messages sent to the broadcast address, so you don't have to search.

I have a question. Do you have any idea why Microsoft allowed the UDP notification messages? Do you have any thoughts about what their reasoning might have been?

Because they're just following the standards; that's what I was told.

Oh, you have 5.0. Let's see. So is your device on? I don't see anything on my laptop. It's giving me the IP for now. Do you get anything? Still nothing, bummer. Anybody with a 4.2 device? Okay, so I guess that's it, five minutes early.
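As an added example, not from the talk or from the tools it mentions: a Python filter of the kind the speaker says carriers should apply to notifications (and a device-side packet filter could apply to WAP pushes arriving over Wi-Fi). It decodes the WSP push envelope and the m-notification-ind headers, bounds the transaction-ID and content-location lengths, checks that the content location points at the carrier's own MMSC, and counts notifications per source. The header codes are the standard WSP/MMS well-known values; the allowlisted host, the thresholds and the sample PDUs are constructed for this example.

```python
"""Filter for MMS notifications (m-notification-ind) carried in WSP push PDUs."""
from collections import Counter
from urllib.parse import urlparse

PUSH_PDU = 0x06            # WSP PDU type: Push
CT_MMS_MESSAGE = 0xBE      # application/vnd.wap.mms-message (0x3E) as a WSP short-integer
M_NOTIFICATION_IND = 0x82  # X-Mms-Message-Type value for m-notification-ind
# Well-known MMS header codes (assumption: the sample PDUs use only well-known codes).
HDR = {0x8C: "message_type", 0x98: "transaction_id", 0x8D: "version", 0x89: "from", 0x96: "subject",
       0x8A: "message_class", 0x8E: "message_size", 0x88: "expiry", 0x83: "content_location"}
# Constructed policy: bound the two strings the talk says the client mishandles, accept
# only the carrier's own MMSC as content location, and cap notifications per source.
MAX_TRANSACTION_ID = 40
MAX_CONTENT_LOCATION = 255
CARRIER_MMSC_HOSTS = {"mmsc.example-carrier.net"}
RATE_LIMIT = 5

def read_uintvar(buf, pos):
    val = 0                             # WSP uintvar: 7 bits per byte, high bit = continue
    while True:
        b = buf[pos]
        pos += 1
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            return val, pos

def read_value(buf, pos):
    """Generic WSP header value: short-integer, length-prefixed bytes, or NUL-terminated text."""
    b = buf[pos]
    if b >= 0x80:                       # short-integer, stored with the high bit set
        return b, pos + 1
    if b <= 0x1E:                       # short-length followed by that many bytes
        return bytes(buf[pos + 1:pos + 1 + b]), pos + 1 + b
    if b == 0x1F:                       # length-quote followed by a uintvar length
        n, pos = read_uintvar(buf, pos + 1)
        return bytes(buf[pos:pos + n]), pos + n
    end = buf.index(0, pos)             # text-string terminated by a NUL byte
    return buf[pos:end].decode("latin-1"), end + 1

def parse_notification(pdu):
    """Strip the WSP push envelope and return the MMS headers as a dict."""
    if len(pdu) < 3 or pdu[1] != PUSH_PDU:
        raise ValueError("not a WSP push PDU")
    headers_len, pos = read_uintvar(pdu, 2)
    if pdu[pos] != CT_MMS_MESSAGE:
        raise ValueError("push is not an MMS message")
    pos += headers_len                  # skip content type and any WSP headers
    fields = {}
    while pos < len(pdu):
        code = pdu[pos]
        value, pos = read_value(pdu, pos + 1)
        fields[HDR.get(code, code)] = value
    return fields

def check_notification(fields, source, per_source):
    """Return the policy violations for one parsed notification from `source`."""
    problems = []
    if fields.get("message_type") != M_NOTIFICATION_IND:
        problems.append("message type is not m-notification-ind")
    tid = fields.get("transaction_id", "")
    if len(tid) > MAX_TRANSACTION_ID:
        problems.append(f"transaction-id too long ({len(tid)} bytes)")
    loc = fields.get("content_location", "")
    if len(loc) > MAX_CONTENT_LOCATION:
        problems.append(f"content-location too long ({len(loc)} bytes)")
    host = urlparse(loc).hostname or ""
    if host not in CARRIER_MMSC_HOSTS:
        problems.append(f"content-location outside carrier MMSC: {host!r}")
    # The flood in the talk uses a fresh transaction ID per message, so count volume per source.
    per_source[source] += 1
    if per_source[source] > RATE_LIMIT:
        problems.append(f"rate limit exceeded for {source}")
    return problems

def build_notification(tid, location, subject="hello"):
    """Constructed sample: encode a minimal m-notification-ind inside a WSP push PDU."""
    def text(s):
        return s.encode("latin-1") + b"\x00"
    mms = (b"\x8C\x82" + b"\x98" + text(tid) + b"\x8D\x90"
           + b"\x89\x01\x81"                        # From: insert-address-token
           + b"\x96" + text(subject) + b"\x8A\x80"  # Subject; Message-Class: personal
           + b"\x8E\x02\x10\x00"                    # Message-Size: 4096 (long-integer)
           + b"\x88\x05\x81\x03\x01\x51\x80"        # Expiry: relative, 86400 s
           + b"\x83" + text(location))
    wsp_headers = bytes([CT_MMS_MESSAGE]) + b"\xAF\x84"  # + X-Wap-Application-Id: mms.ua
    return b"\x00" + bytes([PUSH_PDU]) + bytes([len(wsp_headers)]) + wsp_headers + mms

def audit(pdus, source):
    """Run every PDU from one source through the filter; one problem list per PDU."""
    per_source = Counter()
    return [check_notification(parse_notification(p), source, per_source) for p in pdus]
```

A real deployment would key the per-source counter on the SMS originator or the Wi-Fi peer address and expire it over a time window; the Counter here only shows the shape of the check.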