Defcon: Attack on PocketPC Smartphones using MMS messages
The dust had hardly settled from the Black Hat conference before the next round of bad news poured in from the follow-on Defcon hacker conference in Las Vegas. In his talk on "Advanced Attacks Against PocketPC Phones", Collin Mulliner from Trifinite demonstrated how a manipulated MMS can infect a device with malicious code. Unlike mobile worms, where the user must explicitly agree to the installation of a received SIS file, Mulliner's attack exploits two buffer overflows in the SMIL parser of WindowsCE. SMIL (Synchronized Multimedia Integration Language) is based on XML and determines how the content of an MMS message is displayed in the client.
Mulliner used fuzzers to discover one buffer overflow each in the processing of the REGION and TEXT tags. He then used them to overwrite the return address on the stack, which caused the planted code to run. The victim needed only to open a specially prepared MMS for reading. Mulliner also reported finding further potential holes in the MMS functions of WindowsCE, but indicated that they could not be exploited remotely because the MMS header would need to be manipulated. Messages of that kind would get stuck in the MMS gateways of the mobile phone providers.
Microsoft and the makers of the MMS client have been informed of the problem and are working on a solution, which is supposed to be available in the coming weeks. The OEMs must also sufficiently test the update before it can be released.
Mulliner also presented NotiFlood, a DoS tool that can be used to notify a PocketPC Smartphone via WLAN of MMS messages waiting to be received. Unlike text messages, an MMS does not immediately arrive on the mobile. The user is instead informed that an MMS is ready to be retrieved. The tool creates several hundred of these notifications, which strains a device's storage.