Vulnerability Report
-------------------------------------------
Vendor: HTC
Product: TouchFlo
Version: 1.0 (1820.1830)
Platform: Windows Mobile
Device (tested): HTC Touch 3G
Application: TouchFLO GUI for Windows Mobile smart phones
Application Binary: Manila2D.exe
-------------------------------------------
Reporter(s):
Collin Mulliner
Charlie Miller
-------------------------------------------
Executive Summary:
Format string vulnerability in the display/parsing of SMS plain text messages. Leads to Denial-of-Service and possible arbitrary code execution (untested).
-------------------------------------------
Disclosure Time Line:
July 29, 2009: Live on stage at Black Hat USA 2009 due to missing security contact at HTC
-------------------------------------------
BugFix:
Firmware update to ROM Build 1.00.19153530.00 (for HTC Touch 3G)
-------------------------------------------
Technical Details:
Any SMS message containing "%n" that is sent to an HTC Windows Mobile phone running the affected HTC TouchFlo version triggers the vulnerability. This can be done by simply typing "%n" into any mobile phone's SMS application and hitting the send button.

The visible effect of such an SMS message is that TouchFlo simply crashes. The crash shows up as an error message and a prompt asking whether to send a crash report to Microsoft. After the crash report is sent or canceled, the OS tries to restart TouchFlo; the restart fails and the crash screen is shown again. The net effect is that TouchFlo stops working entirely, rendering the device unusable for most end users.

The reason for this continuous crash is that SMS messages are stored in the global SMS database maintained by the default SMS application (tmail.exe). TouchFLO simply reads SMS messages from this database and displays them to the user. On startup TouchFLO reads the database and parses the messages. Therefore, as long as the "corrupt" SMS is in the database, TouchFLO crashes as soon as it tries to read this particular message.
-------------------------------------------
Recovery:
The easiest way to recover is to use the built-in SMS application to delete any SMS message that contains "%n" from the SMS database. The SMS application can be reached via the "Start" button at the top left of the screen.
-------------------------------------------
Related Black Hat 2009 slides are available from:
http://www.mulliner.org/security/sms/
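The bug class described under Technical Details is an untrusted message body reaching a printf-style sink as the format string itself. The following C is an added illustration, not code from the advisory or from HTC: it shows that sink pattern next to a hardened renderer that keeps the format constant, plus a scanner a message parser or log pipeline could use to flag bodies carrying conversion directives such as "%n". All function names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (illustration only; never call this with untrusted
 * input): the SMS body is used directly as the format string, so "%n"
 * inside the text is interpreted as a write directive and "%s"/"%x"
 * read arguments that were never passed. */
void display_sms_vulnerable(const char *body)
{
    printf(body);
}

/* Hardened form: the format string is a compile-time constant and the
 * body is passed purely as data. "%n" in the body stays two literal
 * characters. Returns the snprintf length. */
int display_sms_safe(char *out, size_t outlen, const char *body)
{
    return snprintf(out, outlen, "SMS: %s", body);
}

/* Count printf conversion directives in a message body. "%%" is a literal
 * percent and does not count; a '%' with no valid conversion character
 * after it does not count either. A nonzero result means the body would
 * be mis-parsed by a sink like display_sms_vulnerable and is worth
 * flagging (e.g. quarantine before it reaches a crashing UI component). */
int count_format_directives(const char *body)
{
    int n = 0;
    for (const char *p = body; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* escaped percent, skip both */
            p++;
            continue;
        }
        /* skip flags, width, precision and length modifiers */
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.*hlLqjzt", *q))
            q++;
        if (*q && strchr("diouxXeEfFgGaAcspn", *q)) {
            n++;
            p = q;                  /* resume after the directive */
        }
    }
    return n;
}
```

The scanner deliberately follows C's own grammar, so "50% off" is reported (a space flag followed by an octal conversion) while "100%% sure" and a trailing "%" are not.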