vulnerability

Windows Phone 7 browser exploit demoed

Alex Plaskett from MWR Labs has demoed a browser exploit in the pre-Mango Internet Explorer which, in combination with vulnerable code in HTC’s drivers, can result in full kernel-mode access. That access can be used to install rootkits, eavesdrop on a user or, of course, jailbreak the device.

Interestingly the browser vulnerability itself still does not allow full access to the OS, as it runs with least privileges, hence the requirement for the second vulnerability.

The hack also had to defeat Address Space Randomization and eXecute Never flags.

The Mango update fixes the vulnerability and makes it more difficult to find new ones, but of course no platform is ever 100% secure. However, MWR Labs lay a lot of the blame on OEM code, which they note has many more exploits than Microsoft’s native code. This problem did not go away with Mango.

Alex recently presented the hack at Microsoft’s BlueHat Redmond Security Brief and I am sure Microsoft is already hard at work making the OS more secure, as their recent job postings suggest.


Apple’s iPhone has a worm, 3 million at risk


With what must have been startling rapidity, what started out as a proof-of-concept exploit of jailbroken iPhones has turned into a security nightmare for iPhone owners. The worm, called iPhone/Privacy.A, allows hackers to connect to any jailbroken iPhone, act silently and retrieve e-mail messages, SMS messages, calendar appointments, contacts, photos, music files, videos, along with any other data recorded by iPhone apps.

An estimated 3.2 million iPhones are vulnerable to this exploit. While mitigating steps, such as changing the root password, are available, this is said to break many applications designed for jailbroken iPhones which are written to take advantage of a hardcoded password. As a mitigating step it also, of course, leaves those iPhones vulnerable to dictionary attacks commonly used to attack machines on the internet.

Jailbreaking iPhones is relatively common, as it is the only way to access needed functionality like multi-tasking and desirable features such as customizing the user interface.

At present there are no antivirus applications for the iPhone.

Read more at Intego here.


MMS vulnerability allows Sender to be spoofed

adv04-2009

Michael Mueller a.k.a. c0rnholio has discovered a widespread vulnerability in mobile phone MMS software, including Windows Mobile versions, where the software trusts the metadata of an MMS message to generate the From address, instead of using the actual number of the sender.

This vulnerability does not affect all networks, only ones where the MMS notification is sent directly from one phone to another.

On these networks this problem can be particularly dangerous, however, as an MMS message can claim to be from a trusted sender such as your carrier and ask you to download software which can compromise your phone.

The vulnerability affects Windows Mobile, RIM, Sony Ericsson and likely other platforms also.

Read the full disclosure at SilentServices.de here.


HTC refuses to fix Bluetooth FTP vulnerability

HTC devices running Windows Mobile 6 and Windows Mobile 6.1 are prone to a directory traversal vulnerability in the Bluetooth OBEX FTP Service. Exploiting this issue allows a remote authenticated attacker to list arbitrary directories, and write or read arbitrary files, via a ../ in a pathname. This can be leveraged for code execution by writing to a Startup folder. We wrote about this vulnerability in January this year, but since then HTC has done nothing to fix it.

The vulnerability is in a 3rd party driver developed by HTC and installed on HTC devices running Windows Mobile, so the vulnerability only affects HTC devices specifically. HTC devices running Windows Mobile 5.0 are not affected because the OBEX FTP service is not implemented in that OS version. Other vendors of Windows Mobile devices such as ASUS, Samsung, LG are not affected.

The only requirement is that the attacker must have authentication and authorization privileges over Bluetooth. Pairing up with the remote device should be enough to get them; however, more sophisticated attacks, such as sniffing the Bluetooth pairing, link key cracking and BD_ADDR address spoofing, can be used in order to avoid this. Devices must have Bluetooth enabled and the File Sharing over Bluetooth service active when the attack is performed. If the attacker succeeds in getting the proper privileges, further actions will be transparent to the user.

A remote attacker who has previously obtained authentication and authorization rights over Bluetooth can perform three risky actions on the device:

1) Browse directories located out of the limits of the default shared folder

An attacker can discover the structure of the file system and access any directory within it, including:
- The flash hard drive
- The external storage card
- The internal mass storage memory, included in specific HTC devices

2) Download files without permission

An attacker can download sensitive files located anywhere in the file system, such as:
- personal pictures and documents located in \My Documents or any other directory
- Contacts, Calendar & Tasks information located in \PIM.vol
- Temporary internet cache and cookies located in \Windows\Profiles\guest\
- emails located in \Windows\Messaging

3) Upload malicious files

An attacker can replace third party or system executable files with malicious files, as well as upload trojans to any place in the filesystem, such as \Windows\Startup, where they will be executed the next time Windows Mobile boots.

A list of tested HTC devices proved to be vulnerable is available here.

The vulnerability was first disclosed on 2009/01/19 as a whole Microsoft Bluetooth Stack issue in Windows Mobile 6 Professional. Subsequent tests proved that several Windows Mobile 6 Standard and Windows Mobile 6.1 Professional devices were also vulnerable. Microsoft was contacted on 2009/01/22 and this information was not made public because the latest mobile phones manufactured were vulnerable.

Further investigations proved that the issue is in a 3rd party driver installed by HTC. This vulnerability only affects HTC devices, and other vendors' Windows Mobile devices are not affected.

HTC Europe was contacted on 2009/02/09 and provided with all the details concerning the exploitation of the flaw. However, no patches are known to have been released for this security flaw.

This vulnerability is a zero-day threat. This means that all devices shipped up to date (July 2009) may be vulnerable.

Users can mitigate the issue by not accepting pairing or connection requests from unknown sources and by deleting old entries in the paired devices list.

Read more at Packetstormsecurity here.


Windows Mobile feature being used to spy on users

Back in the old days of PocketPC 2003, Windows Mobile had ‘push’ e-mail driven by SMS messages. An SMS would be sent by the server when new e-mail arrived, silently activating syncing on your smartphone.

It seems this code is still lurking in the bowels of Windows Mobile, and this feature has now seen misuse by a tool called HushSMS.

HushSMS sends a class zero message (aka Flash-SMS) or a stealthy PING message to another Windows Mobile cell phone.

The message is discarded on the owner's phone and no trace exists. The sender will get back a message from the operator that the message has been delivered, proving that the message has been received, and thus the sender can know that the owner's phone is switched on.

While the information provided, that the receiving phone is on, is very limited, one can think of many situations where one would not want to be monitored in this way. Calling it a vulnerability is likely overblown (unlike the recent Nokia bug where a specially crafted SMS would kill all reception of SMS messages until the phone was hard reset), but it's a feature which should be under the control of users and, like most network features, disabled by default.

Read more about the issue at this Computerworld article here.


Major security hole in WM5, WM6 bluetooth stack

Security researcher Alberto Moreno Tablado has discovered a major hole in the Bluetooth stack of Windows Mobile 5.0 and Windows Mobile 6.0 phones.

Apparently the weakness is in the Bluetooth FTP service, which allows another authorized and paired Bluetooth device to browse specific directories on your Windows Mobile phone. This can be very useful, for example, for wirelessly copying files between your smartphone and your desktop.

Unfortunately it seems the service has a Directory Traversal Vulnerability, meaning an attacker does not have to be confined to the specified and safe directories, but can break out of the sandbox and copy files to and from anywhere on your smartphone.

Alberto gives the example of copying the PIM.vol file from the root of your device, meaning the attacker now has all your contacts, calendar and tasks, or of being able to place a trojan.exe in your \windows\startup directory.

Microsoft has just been notified of the issue, and has as of this writing not responded to Alberto yet.

Currently there is no known patch, and Alberto has not yet tested Windows Mobile 6.1 to see if it's vulnerable, but given the similarities of the versions this is quite likely. The only mitigating factor for now is that only authorized and paired devices are allowed to use the Bluetooth FTP service, and Alberto advises Windows Mobile users not to accept pairing prompts from strangers.

Read the full security bulletin here.
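The directory traversal described in this post and in the HTC OBEX FTP post above comes down to joining a client-supplied name onto the shared folder without canonicalising it. The sketch below is an added example, not HTC's or Microsoft's code: it puts that unchecked join beside a hardened one that resolves each path component and refuses to climb above the share. The share root, function names and sample requests are assumptions made up for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical share root; the real default folder is not given on the page. */
static const char SHARE_ROOT[] = "\\My Documents\\Bluetooth Share";

/* Vulnerable pattern: the client-supplied name is appended unchecked. */
int naive_join(const char *name, char *out, size_t outsz) {
    int n = snprintf(out, outsz, "%s\\%s", SHARE_ROOT, name);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Hardened: resolve component by component and refuse to climb above the
 * share root. Returns 0 and writes the full path, or -1 on rejection. */
int safe_join(const char *name, char *out, size_t outsz) {
    char rel[260] = "";
    size_t len = 0;
    const char *p = name;

    if (strchr(name, ':') != NULL) return -1;        /* no drive/device prefix */
    while (*p) {
        size_t n = strcspn(p, "\\/");                /* length of next component */
        if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (len == 0) return -1;                 /* would leave the share */
            while (len > 0 && rel[--len] != '\\') { } /* pop last component */
            rel[len] = '\0';
        } else if (n > 0 && !(n == 1 && p[0] == '.')) {
            /* Conservative: Win32 normalisation drops trailing dots/spaces. */
            if (p[n - 1] == '.' || p[n - 1] == ' ') return -1;
            if (len + n + 2 > sizeof rel) return -1;
            rel[len++] = '\\';
            memcpy(rel + len, p, n);
            len += n;
            rel[len] = '\0';
        }
        p += n;
        if (*p) p++;                                 /* skip one separator */
    }
    int w = snprintf(out, outsz, "%s%s", SHARE_ROOT, rel);
    return (w < 0 || (size_t)w >= outsz) ? -1 : 0;
}

int main(void) {
    char buf[512];
    /* Constructed sample requests, not captured traffic. */
    const char *reqs[] = { "photos\\a.jpg", "..\\..\\PIM.vol", "photos/../../x" };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("%-18s -> %s\n", reqs[i],
               safe_join(reqs[i], buf, sizeof buf) == 0 ? buf : "REJECTED");
    return 0;
}
```

A leading separator is treated as relative to the share, so an absolute-looking request still resolves inside the shared folder.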


PSA – lock up your Symbian phone (or it will be done for you)!

We don’t normally report too much on the other platforms, but this news via unwiredview.com is just too important not to bring to the attention of our readers.

Apparently millions of Symbian S60 phones are vulnerable to having their text and MMS messaging functions completely disabled simply by sending them a well-crafted SMS message. The Denial of Service exploit affects all S60 2.6, 2.8, 3.0 and S60 3.1 devices and the only fix is via a hard reset.

The “Curse of Silence” exploit, as it has been named, is demonstrated in the video below:

At present there is no known remediation, but it's likely Nokia will come up with a patch shortly. It is however unlikely most handsets will roll it out, meaning over the New Year many mobile phones will fall silent, possibly forever.
