This post in the XDA-Developers forum shows that Windows Mobile 6 on HTC devices is vulnerable to malicious WAP Push SI (Service Indication) and SL (Service Load) messages. An attacker can send a message containing a URL to an executable, the executable will be automatically downloaded and executed WITHOUT any user interaction. The problem is that HTC disabled the security settings for these kinds of WAPPush messages, normally a device should only accept these kinds of messages from trusted originators (e.g. your service provider - don't know if I want this either).
The fix to this problem is very easy as it just requires modification of a few keys in the mobile phones registry (yes Windows Mobile has a registry). (The steps to do this modification is described in the original advisory.)
The bug is kind of similar to one of the MMS-based bugs I discovered 2 years ago where the Windows Mobile devices would accept WAPPush messages over UDP (WiFi).
This WAPPush auto execute configuration bug is really bad since it would allow anybody to write a very simple worm that only needs to send WAPPush messages (SMSs) to spread. The victim device than downloads and executes the worm binary from the Internet.
They even made a demo video, also you don't see too much.
Some open questions from my side:
- Is it really only HTC devices?
- Is it only Windows Mobile 6?
- Does this work via WiFi (like my notiflood tool)?
Slientservices.de Author's website