MMS Notification Obfuscation

Date: 11 Sep 2009. Reported by: c0rnholio. Type: packetstorm. Source: packetstormsecurity.com

MMS Notification Sender Obfuscation security issue in smartphones

`Security Advisory: Multiple Smartphones MMS Notification Sender Obfuscation  
---------------------------------------------------------------------------  
  
Discovered by: Michael Mueller a.k.a. c0rnholio  
Contact: c0rnholio on domain netcologne.de  
Advisory Homepage: http://www.silentservices.de/adv04-2009.html  
Vendor Status: not contacted  
Fixes / Workarounds: none known  
Discovery Date: June, 2008  
Public Disclosure: 11.09.2009  
  
Description:  
------------  
An MMS notification is part of the MMS communication flow. Usually an  
originator sends an MMS via a service provider (SP). After the message has  
been uploaded to the SP, the recipient gets an MMS notification from the SP  
with information such as originator, subject and URL of the content. In some  
mobile carrier networks it is allowed to send MMS notifications directly from  
one mobile unit to another.  
  
Some smartphones fail to properly display the originator of this kind of  
message, which leads to sender obfuscation.  
  
Impact:  
-------  
This attack can be used in combination with social engineering to mislead  
the recipient into accessing the resource specified in the content URL of the  
MMS notification message. If the MMS client on the receiving device is  
configured improperly, this could lead to automatic download of whatever  
content is specified in the content URL. MMS clients which do not allow  
access to content URLs other than the provider's MMS proxy should be safe  
from the content, but are still vulnerable to the sender obfuscation.  
  
In addition this attack can be used to send spam and hate SMS.  
  
  
Tested Devices:  
---------------  
The following devices have been tested and found vulnerable to this kind of  
attack. It is very likely that other devices and vendors are also vulnerable  
to this attack.  
  
- Blackberry (Tested on BB 8800, Firmware: 4.5.0.37)  
The BlackBerry device fails to properly display the originating number  
and displays whatever information is defined in the originator and the  
subject field of the MMS notification.  
  
- Windows Mobile (Tested on WM5, WM6, WM6.1, WM6.5)  
A Windows Mobile driven device fails to properly display the originating   
number and displays whatever information is defined in the originator and   
the subject field of the MMS notification.  
  
- Sony Ericsson W890i, W810i  
The Sony Ericsson W890i and W810i devices fail to properly display the  
correct originating number and display whatever information is defined in  
the originator and the subject field of the MMS notification.  
  
  
PoC:  
----  
The following PDU can be sent to an affected device:  
  
UDH: 05 04 0b 84 23 f0  
Message:  
7c 06 03 be af 84 8c 82 98 31 32 33 34 00 8d 90 89 0e 80 45 76 69 6c 20 48   
34 78 30 72 00 96 67 6f 74 20 72 30 30 74 3f 00 8a 80 8e 01 56 88 05 81 03   
09 3a 80 83 63 68 65 63 6b 20 79 6f 75 72 20 6d 6d 73 20 63 6c 69 65 6e 74  
  
The above PDU will display as follows (example on Windows Mobile target):  
  
Sender: Evil H4x0r  
Subject: got r00t?  
  
Use pduspy to send it. In addition HushSMS Version 1.0 will be available   
soon for Windows Mobile devices for further tests.  
  
  
  
  
  
`
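
For triage on the receiving side, the following added example (not part of the advisory or the author's tooling) decodes the PoC message above and reports why its sender field should not be trusted. The field codes are the MMS encapsulation header codes; the `ADDRESS` pattern and the three findings are heuristics assumed here, and only the header types present in this PDU are handled.

```python
import re

# PoC message bytes exactly as printed in the advisory (WSP Push + MMS headers).
POC = bytes.fromhex("""
7c 06 03 be af 84 8c 82 98 31 32 33 34 00 8d 90 89 0e 80 45 76 69 6c 20 48
34 78 30 72 00 96 67 6f 74 20 72 30 30 74 3f 00 8a 80 8e 01 56 88 05 81 03
09 3a 80 83 63 68 65 63 6b 20 79 6f 75 72 20 6d 6d 73 20 63 6c 69 65 6e 74
""")
BYTE = {0x8C: "message-type", 0x8D: "version", 0x8A: "message-class"}
TEXT = {0x98: "transaction-id", 0x96: "subject", 0x83: "content-location"}
SIZED = {0x8E: "message-size", 0x88: "expiry"}   # short length, then raw value
# Assumed heuristic: a real sender is number/TYPE=PLMN, an IP type, or e-mail.
ADDRESS = re.compile(r"^(\+?\d+/TYPE=PLMN|.+/TYPE=IPv[46]|[^@\s]+@[^@\s]+)$")

def cstr(buf, i):
    """Read text up to the NUL terminator (or end of buffer)."""
    end = buf.find(b"\x00", i)
    end = len(buf) if end < 0 else end
    return buf[i:end].decode("latin-1"), end + 1

def parse_notification(pdu):
    i, out = 3 + pdu[2], {}      # skip TID, PDU type, HeadersLen, WSP headers
    while i < len(pdu):
        field, i = pdu[i], i + 1
        if field in BYTE:
            out[BYTE[field]], i = pdu[i], i + 1
        elif field in TEXT:
            out[TEXT[field]], i = cstr(pdu, i)
        elif field in SIZED:
            n = pdu[i]
            out[SIZED[field]], i = pdu[i + 1:i + 1 + n], i + 1 + n
        elif field == 0x89 and pdu[i + 1] == 0x80:   # From, address present
            declared = pdu[i]
            out["from"], nxt = cstr(pdu, i + 2)
            # declared length should cover the token, the text and its NUL
            out["from-length-ok"] = declared == nxt - (i + 1)
            i = nxt
        else:
            raise ValueError(f"unsupported header 0x{field:02x} at {i - 1}")
    return out

def sender_findings(pdu):
    h, issues = parse_notification(pdu), []
    if not ADDRESS.match(h.get("from", "")):
        issues.append("From is free text, not an address")
    if not h.get("from-length-ok", True):
        issues.append("From value-length disagrees with the encoded bytes")
    if not re.match(r"https?://", h.get("content-location", "")):
        issues.append("Content-Location is not an HTTP URL")
    return h, issues
```

Run on the advisory's PDU, `sender_findings(POC)` returns all three findings: the From field carries the text `Evil H4x0r` instead of an address, declares 14 bytes while encoding 12, and the content location is plain text rather than a URL.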
