mobile device
August 21, 2008
Risk Level:
Medium - Full TCP/IP access via RNDIS protocol over USB from
Windows Mobile device.
Summary:
With the introduction of ActiveSync 4.x, Microsoft significantly
altered how the Windows Mobile device communicates with the host PC.
Vendors contacted: HTC (and MITRE - CVE ID)
-- Vulnerability description:
The default Twitter client on HTC mobile devices is HTC Peep. HTC Peep is vulnerable to two different credential disclosure vulnerabilities during the authentication process against the Twitter service (twitter.com).
During authentication, the HTC Peep app opens an HTTP (TCP/80) connection to the twitter.com servers and sends a few OAuth-related HTTP requests. The first two HTTP GET requests obtain and use an OAuth token: "GET /oauth/request_token" (the response contains the "oauth_token") and "GET /oauth/authorize?oauth_token=...".
The first vulnerability resides in the third HTTP request, a POST to the "/oauth/authorize" resource, which carries several parameters, including the Twitter username and password in the clear. Because the whole exchange runs over unencrypted HTTP, the authentication process is exposed to eavesdropping:
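A passive check for the condition described above, as an added example that is not code from the HTC Peep advisory, from HTC or from Twitter: it parses a raw HTTP request the way a sniffer would and reports credential fields carried in a form-encoded body that was observed without TLS. The captured request is constructed for illustration; its parameter names and values are assumptions, not the real ones sent by the client.

```python
"""Passive check for credentials sent in the clear, as in the POST above.

Added example; not code from the HTC Peep advisory, from HTC or from Twitter.
The captured request is constructed for illustration and its parameter names
and values are assumptions, not the real ones sent by the client.
"""
from urllib.parse import parse_qs

# Form fields that should never travel in an unencrypted request body.
CREDENTIAL_KEYS = {"username", "password", "passwd", "email"}

# Constructed capture of the third request described above, seen on TCP/80.
CAPTURED_POST = (
    b"POST /oauth/authorize HTTP/1.1\r\n"
    b"Host: twitter.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 60\r\n"
    b"\r\n"
    b"oauth_token=AAAA&username=alice&password=hunter2&allow=Allow"
)


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def cleartext_credentials(raw, tls):
    """Names of credential fields carried in a form-encoded POST body that was
    observed without TLS. Returns [] when there is nothing to report."""
    if tls:
        return []
    method, _target, headers, body = parse_http_request(raw)
    ctype = headers.get("content-type", "")
    if method != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return []
    params = parse_qs(body.decode("iso-8859-1"), keep_blank_values=True)
    return sorted(k for k in params if k.lower() in CREDENTIAL_KEYS)


if __name__ == "__main__":
    print(cleartext_credentials(CAPTURED_POST, tls=False))  # ['password', 'username']
```

The same request carried over TLS produces no finding, which is the point of the fix the advisory implies: the credentials are not the problem, the transport is.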
I. Description
The Palm Pre WebOS <=1.1 suffers from a JavaScript injection vulnerability that allows a malicious attacker to access any file on the mobile device.
Palm has patched this vulnerability and all users are advised to upgrade to WebOS version 1.2+.
Palm WebOS 1.2 patch information can be found here: http://kb.palm.com/wps/portal/kb/na/pre/p100eww/sprint/solutions/article/50607_en.html#12
II. Impact
A vulnerability has been discovered in the SMS handler. If a
malicious message with no sender is received by a user on their
device, the user may be enticed into taking action or clicking the
URI, which could lead to a second-order attack.
Mitigating Factors: By default, Windows Mobile device policy requires
SI messages to be authenticated. Mobile operators have the
ability to change the policy to not require authentication, in
order to allow third-party ring tones and other SI messages.
Microsoft will look into a different architecture in future versions.
Ruxcon would like to invite people who are interested in security to submit a presentation.
Topics of interest include, but are not limited to:
o Mobile Device Security
o Virtualization, Hypervisor, and Cloud Security
o Malware Analysis
o Reverse Engineering
o Exploitation Techniques
o Rootkit Development
Just my two cents, but...
Many mobile providers are implementing caching on their proxies to make
up for the overpopulated state of their networks, and depending on how
the session ID is generated and stored (being a mobile device this is a
bit more complicated than just setting cookies), it wouldn't necessarily
be a routing problem on the network layer, but could be a routing
problem within the application because of cached resources.
If, for example, facebook set the cookie in a non https session, or in
* Biometrics
* Digital Forensics
* Exploitation Tactics
* Java & .NET Security
* Malware Analysis
* Mobile Device Security
* Operating System Security (7, XP, Vista, GNU/Linux, OS X, Plan 9, *BSD, …)
* Personal Area Network hacking
* Rootkit Detection, Techniques, and Defenses
* Source Code Auditing & Review
* Steganography & Cryptography in Information Security
Vendor Response:
There is a security vulnerability that could allow for Denial of
Service (DoS) by sending a specifically crafted TCP/IP packet to the
mobile device. However, most attempts to exploit this vulnerability
would result in a denial of service condition on the networking
capabilities of the device.
The following devices may be vulnerable to this issue:
There is a fairly in depth discussion of the issue here:
http://arstechnica.com/web/news/2010/01/facebook-att-play-fast-and-loose-with-user-authentication.ars
Not a routing issue, more of a proxy issue, and not uncommon in mobile carrier networks. Getting security right in a mobile application is tricky given how carriers manage Internet access. With the growth of smartphones these kinds of issues will become more prevalent until carriers refactor how they manage traffic via their proxies. I'll also note that while the referenced article suggests the use of SSL, there are issues with support in the mobile environment for SSL in terms of which certificate authorities are pre-installed on phones, whether applications have access to the certificate store on the mobile device (or need an embedded certificate), how certificate chaining and wildcarding is supported, and so on.
*********** REPLY SEPARATOR ***********
On 1/16/2010 at 7:39 AM Michael Scheidell wrote:
Description:
The vulnerability exists when an attacker is able to intercept the
initialization request and response bodies exchanged between the mobile
device and the server.
An attacker capable of intercepting the encrypted request/response
pair will also be able to derive time stamp information.
Since the key generation algorithm seeds a pseudo random number generator
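Why a timestamp-seeded generator is a problem, as an added example that is not code from the advisory above or from the affected product: it assumes, as the truncated description implies, that the key generator seeds a PRNG with a timestamp the attacker can bound from the intercepted initialization exchange. The generator, key size and the MAC used to confirm a candidate key are constructed for illustration; the hardened form beside it takes its key from the OS CSPRNG, so there is no seed to recover.

```python
"""Brute-forcing a key whose PRNG seed is a timestamp the attacker can bound.

Added example; not code from the advisory above or from the affected product.
It assumes, as the truncated description implies, that the key generator seeds
a PRNG with a timestamp the attacker can narrow down from the intercepted
initialization exchange. The generator, key size and the MAC used to confirm
a candidate key are constructed here for illustration.
"""
import hashlib
import hmac
import random
import secrets

KEY_BYTES = 16


def weak_key(seed_ts):
    """Constructed weak generator: a PRNG seeded with a Unix timestamp."""
    rng = random.Random(seed_ts)
    return rng.getrandbits(KEY_BYTES * 8).to_bytes(KEY_BYTES, "big")


def strong_key():
    """Hardened form: key material from the OS CSPRNG, no recoverable seed."""
    return secrets.token_bytes(KEY_BYTES)


def mac(key, msg):
    """Stand-in for something the attacker can check a candidate key against,
    e.g. a MAC or a decryptable field in the intercepted response."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def recover_key(observed_ts, window, msg, observed_mac):
    """Try every seed within +/- window seconds of the timestamp derived from
    the intercepted exchange. Returns (seed, key) or None."""
    for delta in range(-window, window + 1):
        candidate = observed_ts + delta
        key = weak_key(candidate)
        if hmac.compare_digest(mac(key, msg), observed_mac):
            return candidate, key
    return None


if __name__ == "__main__":
    true_seed = 1263628740   # device clock at initialization (constructed)
    msg = b"init-response"   # intercepted body the MAC covers (constructed)
    observed = mac(weak_key(true_seed), msg)
    print(recover_key(1263628700, 120, msg, observed))             # seed found
    print(recover_key(1263628700, 120, msg, mac(strong_key(), msg)))  # None
```

The search cost is the width of the timestamp window, not the key length: a 128-bit key collapses to a few hundred candidates once the attacker knows the clock to within a couple of minutes.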
Platform:
Tested on Minimo .016 and .2 Windows Mobile Pocket PC 2005 and Firefox
2.0.0.6 Windows XP SP2
Requirements:
Mobile device running Windows Mobile Pocket PC or Firefox 2.0.0.6 on XP
Credits:
Seth Fogie
Airscanner Mobile Security
http://www.airscanner.com
The OBEX FTP Bluetooth service can be used to share files over Bluetooth, not only by sending files but also by allowing remote devices to browse local shared folders and download files. Usually the service is configured so that a specific directory is shared, and the user places in it all the files they would like to share with other people. The default directory is My Device\My Documents\Bluetooth Share. The user may select a different directory, but the Bluetooth wizard normally does not allow choosing any location outside the My Device\My Documents\ or Memory Card\My Documents\ paths. This is a safety measure, so that the user cannot expose sensitive files or information through Bluetooth.
There is a directory traversal vulnerability in the OBEX FTP service of the Microsoft Bluetooth stack implemented in Windows Mobile 5.0 and 6 devices. A remote attacker who has previously obtained authentication and authorization rights can use tools such as ObexFTP to traverse to parent directories outside the default Bluetooth shared folder. This means the attacker can browse folders elsewhere in the filesystem, download the files they contain and upload files into them.
The only requirement is that the attacker has authentication and authorization privileges over the OBEX FTP service; pairing with the remote Windows Mobile device should be enough to obtain them. Once the attacker has the proper privileges, further actions are transparent to the user.
As described above, the attacker can take three risky actions:
- Browse directories outside the limits of the default shared folder and discover sensitive information about the structure of the filesystem.
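How a server confines OBEX FTP browsing to the share, as an added example that is not code from the advisory above or from Microsoft's Bluetooth stack. It models the server-side folder state that the OBEX SETPATH operation manipulates (the optional Name header and the "backup" bit of the flags byte, which steps to the parent folder) and shows an unconfined handler beside one that refuses any result outside the configured share. The paths are the Windows Mobile ones from the advisory without the "My Device" prefix; the class and function names are assumptions.

```python
"""Share-root confinement for an OBEX FTP SETPATH handler.

Added example; not code from the advisory above or from Microsoft's Bluetooth
stack. It models the server-side folder state that SETPATH manipulates (the
optional Name header and the 'backup' bit of the flags byte, which steps to
the parent folder) and shows an unconfined handler beside one that refuses
to leave the configured share. Paths are the Windows Mobile ones from the
advisory, without the "My Device" prefix; names here are assumptions.
"""
from pathlib import PureWindowsPath

SHARE_ROOT = PureWindowsPath(r"\My Documents\Bluetooth Share")
BACKUP = 0x01  # SETPATH flags bit 0: change to the parent folder first


class VulnerableSession:
    """Applies SETPATH literally: backup from the share root walks upward,
    and a Name of '..' or one containing separators walks anywhere."""

    def __init__(self):
        self.cwd = SHARE_ROOT

    def setpath(self, flags, name=None):
        if flags & BACKUP:
            self.cwd = self.cwd.parent
        if name:
            self.cwd = self.cwd / name
        return self.cwd


class ConfinedSession(VulnerableSession):
    """Same protocol state, but every resulting folder must stay at or below
    SHARE_ROOT, and Name may only be a single plain component."""

    def setpath(self, flags, name=None):
        target = self.cwd
        if flags & BACKUP:
            target = target.parent
        if name:
            # pathlib does not collapse '..', so reject dot-dot, separators and
            # rooted names explicitly instead of trusting a prefix check later.
            if name in (".", "..") or "\\" in name or "/" in name \
                    or PureWindowsPath(name).anchor:
                raise PermissionError("refused SETPATH name %r" % name)
            target = target / name
        if target != SHARE_ROOT and SHARE_ROOT not in target.parents:
            raise PermissionError("refused SETPATH outside share: %s" % target)
        self.cwd = target
        return self.cwd


def setpath_allowed(session, flags, name=None):
    """True if the session accepts the SETPATH, False if it refuses it."""
    try:
        session.setpath(flags, name)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    v = VulnerableSession()
    v.setpath(BACKUP)                    # \My Documents
    print(v.setpath(BACKUP, "Windows"))  # \Windows: left the share

    c = ConfinedSession()
    print(c.setpath(0, "photos"))        # \My Documents\Bluetooth Share\photos
    c.setpath(BACKUP)                    # back at the share root
    print(setpath_allowed(c, BACKUP))    # False: one level too far
```

The confined handler checks the folder that would result, not the request that produced it, so a backup from the share root, a dot-dot Name and a rooted Name all fail the same way and the session stays where it was.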
Ruxcon would like to invite people who are interested to submit a presentation.
Topics of interest include, but are not limited to:
* Mobile Device Security
* Virtualisation, Hypervisor and Cloud Security
* Malware Analysis
* Reverse Engineering
* Exploitation Techniques
* Rootkit Development
We are still interested in talks, especially within some narrow areas:
1. Hybrid-wordlist-mangling ruleset construction logic for tools like
JtR, *hashcat and others
2. Mobile device password bypass, such as forensics tools to extract MS
activesync (or similar) data from iPhones, Android, Blackberry, Symbian,
WP7 etc.
3. Biometric authentication, especially blood vein authentication
(fingerprint is *so* 00's), as a replacement to old-style password