Archive for January, 2009

Wappush!

Friday, January 23rd, 2009

The WAP Push service can be used for delivering unsolicited data to the handset, and is typically used by Operators for providing advanced services (e.g. e-mail, MMS).

The MSL-2008-001 advisory reports a Denial of Service vulnerability discovered in several SonyEricsson handsets that allows an attacker to remotely reboot a vulnerable handset by sending a malformed WAP Push message.
Both SMS messages and UDP datagrams can be used as a transport mechanism for delivering WAP Push messages.
The vulnerability can be remotely triggered both via SMS and UDP; in the latter case the malformed message needs to be sent to port 2948, which has been found open on all the handsets listed in the advisory.

The risks associated with a “UDP-based” attack scenario are not negligible if the Operator allows reachability of the handset IP address without proper filtering.
An attacker may be able to remotely reboot the handset by simply sending a carefully crafted IP datagram to the handset IP address.

Additionally:
– the handsets accept IP packets directed to a broadcast address. If broadcast packets are allowed in the network, a single UDP datagram may be sufficient for rebooting all the handsets in the target subnet.
– UDP is connectionless and a single datagram is sufficient for triggering the vulnerability. Under these conditions source IP spoofing is possible, which makes it harder to implement proper firewall policies and to track attackers.
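
The filtering concern in the UDP scenario can be expressed as a check over flow records. The following is an added example, not part of the original post or the advisory: the handset address pool, the push gateway address and the sample flows are constructed assumptions; only port 2948 comes from the text.

```python
import ipaddress

WAP_PUSH_UDP_PORT = 2948  # port the post reports open on the affected handsets

# Assumptions (constructed for this example): handset address pool and the
# operator's own push gateway address.
HANDSET_NET = ipaddress.ip_network("10.20.0.0/24")
PUSH_GATEWAYS = {ipaddress.ip_address("192.0.2.10")}


def classify(src, dst, proto, dport):
    """Return a filtering verdict for one datagram seen at the network edge."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if proto != "udp" or dport != WAP_PUSH_UDP_PORT:
        return "ignore"
    limited_broadcast = dst == ipaddress.ip_address("255.255.255.255")
    if limited_broadcast or dst == HANDSET_NET.broadcast_address:
        # One datagram would reach every handset in the subnet.
        return "drop-broadcast"
    if dst not in HANDSET_NET:
        return "ignore"
    if src in PUSH_GATEWAYS:
        # A UDP source address is spoofable; this verdict is only meaningful
        # if ingress anti-spoofing protects the gateway address.
        return "allow-gateway"
    return "drop-untrusted"


# Constructed sample flow records: (src, dst, proto, dport)
SAMPLE_FLOWS = [
    ("192.0.2.10", "10.20.0.15", "udp", 2948),
    ("198.51.100.7", "10.20.0.15", "udp", 2948),
    ("198.51.100.7", "10.20.0.255", "udp", 2948),
    ("198.51.100.7", "10.20.0.15", "udp", 53),
    ("10.20.0.99", "255.255.255.255", "udp", 2948),
]


def review(flows):
    """Classify every flow record in order."""
    return [classify(*f) for f in flows]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, review(SAMPLE_FLOWS)):
        print(flow, "->", verdict)
```
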

In the “SMS-based” attack scenario, an SMS, carrying the malformed WAP Push message, is able to trigger the vulnerability.
The SMS buffering performed by the Operator network brings, as a side effect, the possibility for an attacker to perform an extended Denial of Service attack against a single target.
In fact, if multiple SMS are sent to the victim, the first one will reboot the handset, making it unavailable for receiving further messages.
The other messages will queue on the network side and delivery will be attempted as soon as the handset re-attaches to the network, leading to continuous rebooting.
This may allow an attacker to effectively disable the use of the handset for an extended period of time.
