Discovered by: Michael Mueller a.k.a. c0rnholio
Contact: c0rnholio on domain netcologne.de
Vendor Status: not contacted
Fixes / Workarounds: none known
Discovery Date: June, 2008
Public Disclosure: 11.09.2009
Description:
A MMS Notification is part of the MMS communication flow. Usually an originator sends and
mms via a service provider (SP). After uploading the message to the SP, the recipient gets a
MMS notification from the SP with information like originator, subject and URL of the content.
In some mobile carrier networks it is allowed to send MMS notifications directly from one mobile
unit to another.
Some Smartphones fail to properly display the originator of this kind of message which leads
to a sender obfuscation.
Impact:
This attack can be used in combination with social engineering to mislead the recipient to
access the resource specified in the content URL of the MMS notification message. If the
receiving device MMS client is configured improperly this could lead to automatically download
whatever content is specified in the content URL. MMS clients which do not allow access to
content URLs other that the providers MMS proxy should be safe from the content, but are still
vulnerable to the sender obfuscation.
In addition this attack can be used to send spam and hate SMS.
Sample Screenshot:
Tested Devices:
The following devices have been tested and found vulnerable for this kind of attack:
It is very likely that other devices and vendors are also vulnerable to this attack.
– Blackberry (Tested on BB 8800, Firmware: 4.5.0.37)
The BlackBerry fails device fails to properly display the originating number and displays whatever
information is defined in the originator and the subject field of the MMS notification.
– Windows Mobile (Tested on WM5, WM6, WM6.1, WM6.5)
A Windows Mobile driven device fails to properly display the originating number and displays whatever
information is defined in the originator and the subject field of the MMS notification.
– Sony Ericsson W890i, W810i
The Sony Ericsson W890i and W810i device fails to properly display the correct originating number and
displays whatever information is defined in the originator and the subject field of the MMS notification.
Proof of Concept:
The following PDU can be sent to an affected device:
UDH: 05 04 0b 84 23 f0
Message:
7c 06 03 be af 84 8c 82 98 31 32 33 34 00 8d 90 89 0e 80 45 76 69 6c 20 48 34 78 30 72 00
96 67 6f 74 20 72 30 30 74 3f 00 8a 80 8e 01 56 88 05 81 03 09 3a 80 83 63 68 65 63 6b 20 79
6f 75 72 20 6d 6d 73 20 63 6c 69 65 6e 74
The above PDU will display as follows (example on Windows Mobile target):
Sender: Evil H4x0r
Subject: got r00t?
Use pduspy to send it. In addition HushSMS Version 1.0 will be available soon for
Windows Mobile devices for further tests.
Leave a Reply
You must be logged in to post a comment.