
Fuzzing the Phone in your Phone

Collin Mulliner
Security in Telecommunications

TU Berlin / T-Labs, collin@sec.t-labs.tu-berlin.de

26c3, Berlin, Germany, December 28th 2009


Collin Mulliner, 26c3, Dec 2009: Fuzzing the Phone in your Phone

About me

PhD Student at TU Berlin
Specialized in mobile and smartphone security
Previous work:
  MMS remote exploit for WinMobile in 2006
  Hacked: WinMobile, Symbian, iPhone, NFC, Bluetooth, to name a few.


My Co-Author

Charlie Miller

Security Researcher at Independent Security Evaluators
Claim to fame:
  First one to hack the iPhone and G1 Phone
  Pwn2Own winner 2008 and 2009


Agenda

SMS
Fuzzing SMS
iPhone injection
Android injection
WinMobile injection
Some fuzzing results


SMS: Short Message Service


SMS

Uses extra bandwidth in the control channel (used for establishing calls, status, etc.)
Message data limited to 140 bytes (160 7-bit chars.)
Commonly used for text messages
Can also deliver binary data:
  OTA configuration
  Ringtones

Building block for the essential mobile phone service


Why pick on SMS?

SMS is received by and processed by almost all phones
No way to firewall it (and still receive calls/texts)
SMS is processed with no user interaction

Server side attack surface with no firewall, a 1990's flashback!

Can be targeted with only a phone number!
SMS firewalls/filters exist on the network, but those on the phones are too high in the stack to protect against these attacks


The life of an SMS message

Message is sent from the device to the Short Message Service Center (SMSC)
The SMSC forwards to the recipient, either directly or through another SMSC
SMSC will queue messages if recipient is not available
Delivery is best effort, no guarantee it will arrive


On the device

Phones have 2 processors, application processor and modem
Modem runs a specialized real time operating system that handles all communication with the cellular network
Communication between CPUs via logical serial lines
Text based GSM AT command set is used


Looking inside


Continued life of an SMS

When an SMS arrives at the modem, the modem uses an unsolicited AT command result code
This consists of 2 lines of text:
  The result code and the number of bytes of the next line
  The actual SMS message (in PDU mode)

    +CMT: ,30
    0791947106004034040D91947196466656F80000901082114215400AE8329BFD4697D9EC377D


A PDU

    0791947106004034040D91947196466656F80000901082114215400AE8329BFD4697D9EC377D


But there is more

The previous PDU was the most simple message possible, 7-bit immediate alert (i.e. a text message)
Can also send binary data in the UD field
This is prefaced with the User Data Header (UDH)


UDH example

    050003000301


Concatenated messages

Can send more than 140/160 bytes
IEI = 00: concatenated with 8-bit reference number
IEDL = 03: 3 bytes of data
Reference number = 00
Total number of message parts = 03
This message number = 01


Other common UDH IEIs

IEI 01 = voicemail indicator
IEI 05 = port numbers (applications can register them)

Port 5499 = iPhone visual voicemail

    allntxacds12.attwireless.net:5400?f=0&v=400&m=XXXXX&p=&s=5433&t=4:XXXXXX:A:IndyAP36ms:ms01:client:46173

Port 2948 = WAP push
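The PDU and UDH layout walked through on the last few slides, as an added example that is not part of the talk or of the author's SMS library: a small SMS-DELIVER parser that splits the slide's +CMT PDU into SMSC, sender, timestamp and 7-bit text, walks the UDH information elements the slides name (concatenation, voicemail indication, port addressing) and shows how UDL and the septet padding after a header have to agree. The second PDU is constructed here from the slide's header plus the UDH example in front of the text "hi".

```python
def _swap_nibbles(h):  # semi-octet digits are stored low nibble first
    return "".join(h[i + 1] + h[i] for i in range(0, len(h), 2))

def _gsm7_unpack(ud, septets, skip_bits):
    # UD is a little-endian bit stream; only the ASCII part of the GSM alphabet is mapped
    bits = int.from_bytes(ud, "little")
    return "".join(chr((bits >> (skip_bits + 7 * i)) & 0x7F) for i in range(septets))

def describe_ie(iei, ied):
    # the IEIs the slides mention: 00 concatenation, 01 voicemail, 05 port addressing
    if iei == 0x00 and len(ied) == 3:
        return "concat ref=%d part %d/%d" % (ied[0], ied[2], ied[1])
    if iei == 0x01 and len(ied) == 2:
        return "message indication type=%02x count=%d" % (ied[0], ied[1])
    if iei == 0x05 and len(ied) == 4:
        return "ports dst=%d src=%d" % (int.from_bytes(ied[:2], "big"), int.from_bytes(ied[2:], "big"))
    return "IEI %02x (%d bytes)" % (iei, len(ied))

def parse_deliver(pdu_hex):
    b = bytes.fromhex(pdu_hex)
    smsc_len = b[0]                                   # SMSC: length, type, digits
    smsc = "+" + _swap_nibbles(b[2:1 + smsc_len].hex()).rstrip("fF")
    i = 1 + smsc_len
    first = b[i]; i += 1                              # MTI, MMS, UDHI (0x40) flags
    ndigits = b[i]; nbytes = (ndigits + 1) // 2       # originating address
    sender = ("+" if b[i + 1] == 0x91 else "") + _swap_nibbles(b[i + 2:i + 2 + nbytes].hex())[:ndigits]
    i += 2 + nbytes
    pid, dcs = b[i], b[i + 1]; i += 2
    ts = _swap_nibbles(b[i:i + 7].hex()); i += 7      # SCTS: YYMMDDhhmmss + tz
    timestamp = "20%s-%s-%s %s:%s:%s" % (ts[0:2], ts[2:4], ts[4:6], ts[6:8], ts[8:10], ts[10:12])
    udl, ud = b[i], b[i + 1:]                         # UDL counts septets for 7-bit data
    ies, udh_bytes = [], 0
    if first & 0x40:                                  # UDHI set: UDHL, then IEI/IEDL/IED triples
        udh_bytes = ud[0] + 1; j = 1
        while j + 1 < udh_bytes:
            iei, iedl = ud[j], ud[j + 1]
            ies.append(describe_ie(iei, ud[j + 2:j + 2 + iedl]))
            j += 2 + iedl
    text = None
    if dcs & 0x0C == 0:                               # 7-bit default alphabet
        skip = udh_bytes * 8
        skip += (7 - skip % 7) % 7                    # text restarts on a septet boundary
        text = _gsm7_unpack(ud, udl - skip // 7, skip)
    return {"smsc": smsc, "sender": sender, "pid": pid, "dcs": dcs,
            "timestamp": timestamp, "ies": ies, "text": text}

# SLIDE_PDU is the PDU from the slides; UDH_PDU is constructed: UDHI set, concat header (ref 0, 1/3), "hi"
SLIDE_PDU = "0791947106004034040D91947196466656F80000901082114215400AE8329BFD4697D9EC377D"
UDH_PDU = "0791947106004034440D91947196466656F8000090108211421540" + "09050003000301D069"
```

Running parse_deliver on SLIDE_PDU recovers the text "hellohello" with an empty IE list; on UDH_PDU it reports the concatenation IE and the text "hi".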


PDUSpy

http://www.nobbi.com/pduspy.html


Fuzzing SMS


Fuzzing 101

Create malformed input
  Take existing input and mutate it
  Create inputs from scratch (from RFC, for example)
Send to target
Monitor for faults
Go to step 1


Unmanned fuzzing exploration

The ultimate goal of a fuzzing harness is complete automation
  Record interesting events for human analysis
  Detect and restart if service hangs/crashes
  Handle dialogue boxes and other UI
  Reboot if necessary


Creating test cases

Can take some sample PDUs and mutate
  These aren't exactly easy to find!

Might as well use our knowledge of the protocol to generate intelligent test cases
  We can use the Sulley fuzzing framework (this is how Charlie did it)
  Build a SMS crafting library to generate messages (this is how I did it)


SMS crafting library

Support SMS_DELIVER and SMS_SUBMIT
  DELIVER is used for fuzzing!
Can generate and parse PDUs
UDH support, IEIs:
  Port Addressing 8 + 16 bit
  Multipart messages
  Indication (voicemail, etc...)

All PDU fields can be auto-filled or set by hand!


Some SMS test cases

Multipart messages
Port addressing
  Port scanning: send random data to every port
  WAP Push: send less random data to port 2948
UDH bomb
  Build a number of UDHs with valid length fields and random data, put all UDHs in the same SMS message
Voicemail indication


SMS library

Add-on utilities to store, load, and send test cases to/from a file
Written in Python
Was released in September
http://www.mulliner.org/security/sms/


Sending the test cases

Could send over the air
  Costs $$$$
  Telcos get to watch you fuzz
  You might (make that WILL) crash the Telco's equipment

Could build your own transmitter
  That is hard!

Could inject into the process which parses
  Would be very device/firmware dependent


SMS injection

We Man-in-the-Middle the channel between the application processor and the modem
Can send messages quickly
It's free
Requires no special equipment
The receiving process doesn't know the messages weren't legit
Telco (mostly) doesn't know it's happening
Warning: results have to be verified over the carrier network


SMS injection


Get SMS sniffing for free

Log AT commands as you forward them
Useful for RE'ing apps that register SMS ports, vendor specific SMS data, etc...

    ss fd3 connected
    /dev/dlci.spi-baseband.3 opened
    ss fd4 connected
    /dev/dlci.spi-baseband.4 opened
    cs fd3 to fd3 write 5 bytes
    ate0^M
    +++
    cs fd4 to fd4 write 5 bytes
    cs df3 to fd3 write 35 bytes
    00100b8.....


Speaking of free...

Free to test with the injector
We sent thousands of fuzzed SMS's during fuzzing
We sent thousands of fuzzed SMS's during exploit dev
Injector makes this whole thing possible


iPhone injection


iPhone SMS fun fact

The CommCenter process is responsible for handling SMS and Telephone calls. It runs as root with no application sandbox.


iPhone SMS

CommCenter communicates with the modem using 16 virtual serial lines
  /dev/dlci.h5-baseband.[0-15] (2G)
  /dev/dlci.spi-baseband.[0-15] (3G)


Man in the Middle

Use Library Preloading to hook the basic API
com.apple.CommCenter.plist:

    ...
    <key>EnvironmentVariables</key>
    <dict>
        <key>DYLD_FORCE_FLAT_NAMESPACE</key>
        <string>1</string>
        <key>DYLD_INSERT_LIBRARIES</key>
        <string>/System/Library/Test/libopen.0.dylib</string>
    </dict>
    ...


Open (highlights)

    #define _GNU_SOURCE
    #include <dlfcn.h>
    #include <fcntl.h>
    #include <stdarg.h>
    #include <stddef.h>
    #include <string.h>
    #include <sys/socket.h>
    #include <sys/un.h>

    #define FD3 "/tmp/fuzz3.sock"

    static int (*real_open)(const char *, int, ...);
    static int fd3 = -1;            /* descriptor CommCenter believes is serial line 3 */

    int open(const char *path, int flags, ...)
    {
        int fd;
        if (!real_open)
            real_open = dlsym(RTLD_NEXT, "open");
        if (strncmp("/dev/dlci.h5-baseband.3", path, 23) == 0 ||
            strncmp("/dev/dlci.spi-baseband.3", path, 24) == 0) {
            /* hand CommCenter a UNIX socket to the injector instead of the real line */
            struct sockaddr_un saun;
            fd = socket(AF_UNIX, SOCK_STREAM, 0);
            saun.sun_family = AF_UNIX;
            strcpy(saun.sun_path, FD3);
            int len = offsetof(struct sockaddr_un, sun_path) + strlen(FD3);
            connect(fd, (struct sockaddr *)&saun, len);
            fd3 = fd;
        } else {
            va_list ap;                 /* pass the optional mode argument through */
            va_start(ap, flags);
            fd = real_open(path, flags, va_arg(ap, int));
            va_end(ap);
        }
        return fd;
    }


The injection

CommCenter thinks it opened the serial line, but actually it opened up a UNIX domain socket
A daemon runs which opens up the real serial line and copies all data to and from the UNIX domain socket
Daemon also listens on TCP port 4223 and writes all data read from the port on the socket
Therefore, can inject AT commands over TCP


Sending PDUs

    import socket

    def send_pdu(ip_address, line):
        # the +CMT length counts the TPDU only, i.e. the PDU minus the 8-byte SMSC part
        leng = (len(line) // 2) - 8
        buffer = "\n+CMT: ,%d\n%s\n" % (leng, line)
        s = socket.create_connection((ip_address, 4223))   # injector daemon
        s.sendall(buffer.encode())
        s.close()


Detecting crashes with CrashReporter

    import os
    import time

    def check_for_crash(test_number, ip):
        commcenter = '/private/var/logs/CrashReporter/LatestCrash.plist'
        springboard = '/private/var/mobile/Library/Logs/CrashReporter/LatestCrash.plist'
        # pull both CrashReporter logs from the device in one ssh round trip
        command = 'ssh root@%s "cat %s 2>/dev/null; cat %s 2>/dev/null"' % (ip, commcenter, springboard)
        c = os.popen(command)
        crash = c.read()
        c.close()
        if crash:
            clean_clogs()           # harness helper defined elsewhere: removes the logs on the device
            print('CRASH with %d' % test_number)
            print(crash)
            time.sleep(60)          # give the device time to recover
        else:
            print('.', end='', flush=True)


Final checks

To make sure the device is still handling SMS messages, send a legit message between each test case and make sure it is processed
SMS messages show up in the sqlite database /private/var/mobile/Library/SMS/sms.db
Display contents of the last message received:

    # sqlite3 -line /private/var/mobile/Library/SMS/sms.db 'select text from message where ROWID = (select MAX(ROWID) from message);'


iPhone IEI support


Android injection


Android fuzzing fun fact

Process which handles SMS is a Java app :(


Android MITM

Rename serial device from /dev/smd0 to /dev/smd0real
Start injector daemon, daemon will create fake /dev/smd0
kill -9 33 (kills /system/bin/rild)
When rild restarts it talks to the injector daemon via /dev/smd0


Sending test cases

Identical to iPhone case, use TCP 4223


Crash monitoring

Monitor output of ADB (Android Debug Bridge)

logcat -d gives you the log dump

********* indicates a CRASH
uncaught exception indicates a Java crash
Automated with a small Python script...
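The logcat monitoring step above, as an added example that is not the author's script: a scanner that applies the two crash markers from the slide, the *** banner for a native crash and "uncaught exception" for a Java crash, to the logcat output shown later in the talk and pulls out the exception class and top frame per crashing pid.

```python
import re

# Lines from the talk's "ADB logcat output" slide (WAP push payload hex shortened),
# embedded here so the scanner runs offline.
LOGCAT = """\
I/ActivityManager(   56): Stopping service: com.android.mms/.transaction.TransactionService
D/dalvikvm( 7099): GC freed 2614 objects / 148896 bytes in 134ms
W/AudioFlinger(   35): write blocked for 97 msecs
D/WAP PUSH( 7085): Rx: 0606436b46673774261b69195d187d2b16...
D/AndroidRuntime( 7085): Shutting down VM
W/dalvikvm( 7085): threadid=3: thread exiting with uncaught exception (group=0x4000fe70)
E/AndroidRuntime( 7085): Uncaught handler: thread main exiting due to uncaught exception
E/AndroidRuntime( 7085): java.lang.ArrayIndexOutOfBoundsException
E/AndroidRuntime( 7085):     at com.android.internal.telephony.WspTypeDecoder.decodeExtensionMedia(WspTypeDecoder.java:200)
E/AndroidRuntime( 7085):     at com.android.internal.telephony.WspTypeDecoder.decodeConstrainedEncoding(WspTypeDecoder.java:222)
"""

# level/tag(pid): message, as printed by the classic logcat "brief" format
LINE = re.compile(r"^([VDIWEF])/([^(]+?)\s*\(\s*(\d+)\): ?(.*)$")

def find_crashes(logcat_text):
    """Return one record per crashing pid: kind (native/java), exception class, top frame."""
    crashes = {}
    for raw in logcat_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        level, tag, pid, msg = m.groups()
        if msg.startswith("***"):                      # native crash banner from debuggerd
            crashes.setdefault(pid, {"pid": pid, "kind": "native", "exception": None, "frame": None})
        elif tag == "dalvikvm" and "uncaught exception" in msg:
            crashes.setdefault(pid, {"pid": pid, "kind": "java", "exception": None, "frame": None})
        elif pid in crashes and tag == "AndroidRuntime" and level == "E":
            rec, body = crashes[pid], msg.strip()
            if body.startswith("at ") and rec["frame"] is None:
                rec["frame"] = body[3:]                # first stack frame after the exception
            elif not body.startswith(("Uncaught handler", "at ")) and rec["exception"] is None:
                rec["exception"] = body.split(":")[0]  # class name, message dropped
    return list(crashes.values())
```

On the slide's log this reports a single Java crash in pid 7085, caught in WspTypeDecoder.decodeExtensionMedia; a line beginning with *** from debuggerd is recorded as a native crash instead.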


Valid test case injection

Same as iPhone except the sqlite command is:

    /system/xbin/sqlite3 -line /data/data/com.android.providers.telephony/databases/mmssms.db 'select body from sms where _id = (select MAX(_id) from sms);'


Android is not sturdy

It is easy to make the SMS app unresponsive (in fact it is hard not to)
When things hang:

    /data/busybox/killall -9 com.android.phone
    /data/busybox/killall -9 com.android.mms

When things are really broken (this is almost a reboot):

    /data/busybox/killall -9 system_server


Windows Mobile injection


Not surprisingly

Things are a little different in Windows Mobile
Need all kinds of hacks
App-unlock device (registry hacks)


MITM Kernel Style

Add new serial driver
Driver provides same interface as original driver
Uses original driver to talk to modem
Open TCP port 4223
Built on top of Willem Hengeveld's logdriver
  Thanks for your help!


SMS injection

Same as iPhone and Android :)


Monitoring

Done with IDA Windows Mobile remote debugger
Multiple processes to monitor:
  tmail.exe: SMS/MMS app from Microsoft
  Manila2D.exe: TouchFLO GUI from HTC


Some fuzzing results


From potential bug to attack

Not all bugs found through injection can be sent over the phone network

Test: send fuzzing results over the network
  Messages that go through are real attacks

We built a small application that runs on the iPhone
  Easy testing while logged in via SSH
  Awesome demo tool via mobile terminal

Test different operators
  Not all operators allow all kinds of messages
  May not be able to attack people on all networks


Send over the network

Open /dev/tty.debug
Read/write AT commands to send the message


iPhone SMS DoS

iPhone

Crashing CommCenter kicks the phone off the network
  Kills all other network connections (WiFi + Bluetooth)
  Phone call in progress is interrupted!
  Repeat as necessary

SpringBoard crash
  Locks iPhone (user has to: slide to unlock)
  Blocks iPhone for about 15 seconds


Digging the DoS


Android SMS DoS

Denial of Service against com.android.phone kicks the Android phone off the mobile phone network
Restart of com.android.phone locks the SIM card if the SIM has a PIN set, phone can no longer register with the network
Attack is silent, user does not see or hear it
User is unreachable until he checks his phone!


DoS


Windows Mobile DoS

HTC Touch 3G (Windows Mobile 6.1)

Manila2D.exe (TouchFLO by HTC) crashes
  App doesn't restart as long as the bad SMS is in the inbox
  TouchFLO interface will not restart

In this case the fix is easy (if you know what to do)
  Just delete the bad SMS using the Windows Mobile SMS app instead of TouchFLO


Windows Mobile DoS


The Demo we did at BlackHat

Send iPhone CommCenter DoS SMS for 1 hour
  One message every 10 seconds

Victim was not able to use his iPhone during the talk and for about 2.5 hours after the talk
  SMS messages queued up at the SMSC
  Every time the phone came back online it got the next message that was waiting for him: bang, offline again


iPhone SMS code exec summary

I'm not Charlie, I can write exploits but haven't done it for the iPhone.
The story:
  519 SMS's (@ 1/sec), only one shows up to the user
  Can control the program counter (PC)
  Could only be found with smart fuzzing


Android DoS

Send any SMS to port 2948 (WAP push)
Get java.lang.ArrayIndexOutOfBoundsException
Knocks the phone off the network for a few seconds
Works on European carriers, not on AT&T

Bug would not have been found if we had tested only in the US and on AT&T!


ADB logcat output

    I/ActivityManager(56): Stopping service: com.android.mms/.transaction.TransactionService
    D/dalvikvm(7099): GC freed 2614 objects / 148896 bytes in 134ms
    W/AudioFlinger(35): write blocked for 97 msecs
    D/WAP PUSH(7085): Rx: 0606436b46673774261b69195d187d2b1610370c39456f5b3b58540e3c650b21542141630b6c214764240e707e5c533e0b1143090c4078de77705714193c1a2937066d75141c1835144753565d602f6a67152a7807106d35334a7214541774564925640a11335a3b30461145307d04df7b
    D/AndroidRuntime(7085): Shutting down VM
    W/dalvikvm(7085): threadid=3: thread exiting with uncaught exception (group=0x4000fe70)
    E/AndroidRuntime(7085): Uncaught handler: thread main exiting due to uncaught exception
    E/AndroidRuntime(7085): java.lang.ArrayIndexOutOfBoundsException
    E/AndroidRuntime(7085):     at com.android.internal.telephony.WspTypeDecoder.decodeExtensionMedia(WspTypeDecoder.java:200)
    E/AndroidRuntime(7085):     at com.android.internal.telephony.WspTypeDecoder.decodeConstrainedEncoding(WspTypeDecoder.java:222)
    E/AndroidRuntime(7085):     at com.android.internal.telephony.WspTypeDecoder.decodeContentType(WspTypeDecoder.java:239)


Windows Mobile results

Format string bug in Manila2D.exe (TouchFLO)
  This is the user interface for HTC devices
A simple text message containing %n crashes TouchFLO
Format string should make it exploitable!

    07919471173254F6040C91947167209508000099309251619580022537


Conclusions

SMS is a great vector of attacks against smartphones
SMS fuzzing doesn't have to be limited by equipment or the cost of sending SMS
Can inject SMS using software only by MITM-ing the modem
Can find some bugs, keep on fuzzing!


Firmware Updates

iPhone OS 3.0.1 was released on July 31st
  Released about 2 weeks after we reported the bug
  ONLY fixes our CommCenter bug :)

Android CRC1 also fixes our WAP push DoS bug

HTC told us the bug in TouchFLO is fixed
  ROM Build 1.00.19153530.00 (this is the HTC Touch 3G)
  Haven't found a way to download/install it :(


Check out my new tool :)


The End

Thanks to
  Charlie Miller for being an über cool co-author :)
  Willem Hengeveld for his WinMobile logdriver

Tools and slides
  http://www.mulliner.org/security/sms/

Contact
  collin@sec.t-labs.tu-berlin.de

