Vulners
Lucene search
WAP Push SI Impersonation
`Security Advisory: Multiple Smartphones SMS Sender Obfuscation via WAP Push
SI
------------------------------------------------------------------------------
Discovered by: Michael Mueller a.k.a. c0rnholio
Contact: c0rnholio on domain netcologne.de
Advisory Homepage: http://www.silentservices.de/adv03-2009.html
Vendor Status: not contacted
Fixes / Workarounds: none known
Discovery Date: June, 2008
Public Disclosure: 11.09.2009
Description:
------------
WAP Push SI (Service Indication) is a special service SMS which allows
operators or everyone else to provide an easy way for alerting the
smartphone user about new services or online resources. (see specification
WAP-167 for further details)
Some Smartphones fail to properly display the originator of this kind of
message which leads to a sender obfuscation.
Impact:
-------
This attack can be used in combination with social engineering to mislead
the recipient to access the resource specified in the WAP Push SI message
(usually an online resource).
In addition this attack can be used to send spam and hate SMS.
Tested Devices:
---------------
The following devices have been tested and found vulnerable for this kind of
attack:
It is very likely that other devices and vendors are also vulnerable to this
attack.
- Blackberry (Tested on BB 8800, Firmware: 4.5.0.37)
The BlackBerry fails to report the correct originating number and display
the number of the SMS service center as originator of the message
- Windows Mobile (Tested on WM5, WM6, WM6.1, WM6.5)
A Windows Mobile driven device fails to properly display the originating
number and displays whatever information is defined in the
X-WAP-Initiator-URI field.
- Sony Ericsson W890i, W810i
The Sony Ericsson W890i and W810i device fails to properly display the
correct originating number and displays a default string instead.
- Motorola RazrV3
The Motorola RazrV3 device fails to properly display the correct originating
number and displays a default string instead.
PoC:
----
The following PDU can be sent to an affected device:
UDH: 05 04 0b 84 23 f0
Message:
dc 06 11 ae af 82 b4 83 b1 45 76 69 6c 20 48 34 78 30 72 00 02 05 6a 00 45
c6 0c 03 77 77 77 2e 73 69 6c 65 6e 74 73 65 72 76 69 63 65 73 2e 64 65 2f
61 64 76 30 33 2d 32 30 30 39 2e 68 74 6d 6c 00 01 03 67 6f 74 20 72 30 30
74 3f 00 01 01
The above PDU will display as follows (example on Windows Mobile target):
Sender: Evil H4x0r
Subject: got r00t?
Message: http://www.silentservices.de/adv03-2009.html
Use pduspy to send it. In addition HushSMS Version 1.0 will be available
soon for Windows Mobile devices for further tests.
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 Sep 2009 00:00Current