Tuesday, October 21 2008
in the XDA-Developers forum shows that Windows Mobile 6 on HTC devices is
vulnerable to malicious WAP Push SI (Service Indication) and SL (Service Load)
messages. An attacker can send a message containing a URL to an executable, the
executable will be automatically downloaded and executed WITHOUT any user
interaction. The problem is that HTC disabled the security settings for
these kinds of WAPPush messages, normally a device should only accept
these kinds of messages from trusted originators (e.g. your service
provider - don't know if I want this either).
The fix to this problem is very easy as it just requires modification of
a few keys in the mobile phones registry (yes Windows Mobile has a registry).
(The steps to do this modification is described in the original advisory.)
The bug is kind of similar to one of the MMS-based bugs
I discovered 2 years ago where the Windows Mobile devices would accept
WAPPush messages over UDP (WiFi).
This WAPPush auto execute configuration bug
is really bad since it would allow anybody to write a very simple worm
that only needs to send WAPPush messages (SMSs) to spread. The victim
device than downloads and executes the worm binary from the Internet.
They even made a demo video, also you don't see too much.
Some open questions from my side:
- Is it really only HTC devices?
- Is it only Windows Mobile 6?
- Does this work via WiFi (like my notiflood tool)?
Slientservices.de Author's website