Collin Mulliner - Fuzzing The Phone in Your Phone
Collin Mulliner
Security in Telecommunications
TU Berlin / T-Labs, collin@sec.t-labs.tu-berlin.de
Collin Mulliner, 26c3, Dec 2009, Fuzzing the Phone in your Phone
About me
My Co-Author
Charlie Miller
Claim to fame:
Agenda
SMS: Short Message Service
SMS
OTA configuration, ringtones
Building block for the essential mobile phone service
Why pick on SMS?
Server-side attack surface with no firewall, a 1990's flashback!
The life of an SMS message
On the device
Looking inside
Continued life of an SMS
The result code and the number of bytes of the next line
The actual SMS message (in PDU mode)
A PDU
0791947106004034040D91947196466656F80000901082114215400AE8329BFD4697D9EC377D
But there is more
UDH example
050003000301
Concatenated messages
Other common UDH IEIs
IEI 01 = voicemail indicator
IEI 05 = port numbers (applications can register them)
Port 5499 = iPhone visual voicemail
Port 2948 = WAP push
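As an added example (not code from the slides), a defensive parser for the SMS-DELIVER PDU shown on the "A PDU" slide that also walks the UDH information elements from the "UDH example" slide. The second sample PDU is constructed: the slide's PDU with the concatenation header prepended and the UDHI bit set; every length field is bounds-checked so a malformed UDH is rejected instead of being read out of bounds.

```python
def _bcd(raw):
    """Reversed-nibble BCD: bytes 94 71 -> '4917'; trailing filler F dropped."""
    return ''.join(f'{b & 0xF:X}{b >> 4:X}' for b in raw).rstrip('F')

def _gsm7(data, septets, skip_bits):
    """Unpack 7-bit packed text (ASCII-compatible part of the GSM alphabet)."""
    bits = ''.join(f'{b:08b}'[::-1] for b in data)[skip_bits:]
    if len(bits) < septets * 7:
        raise ValueError('user data shorter than the UDL claims')
    return ''.join(chr(int(bits[i*7:i*7+7][::-1], 2)) for i in range(septets))

def parse_deliver_pdu(hexpdu):
    pdu, pos = bytes.fromhex(hexpdu), 0
    def take(n):                                # every read is bounds-checked
        nonlocal pos
        if pos + n > len(pdu):
            raise ValueError(f'PDU truncated at offset {pos}')
        pos += n
        return pdu[pos - n:pos]
    smsc = _bcd(take(take(1)[0])[1:])           # SMSC: length, TOA, BCD digits
    udhi = bool(take(1)[0] & 0x40)              # TP-UDHI: a header precedes the text
    oa_digits = take(1)[0]
    take(1)                                     # originator type-of-address (0x91)
    sender = _bcd(take((oa_digits + 1) // 2))
    pid, dcs = take(1)[0], take(1)[0]
    ts = _bcd(take(7))                          # YYMMDDhhmmss + tz in quarter hours
    udl = take(1)[0]                            # septets when DCS selects 7-bit
    ies, skip = [], 0
    if udhi:
        udhl = take(1)[0]
        if pos + udhl > len(pdu) or (udhl + 1) * (8 if dcs == 0 else 7) > udl * 7:
            raise ValueError('UDH length exceeds the user data')
        end = pos + udhl
        while pos < end:                        # walk the IEI / IEDL / data triplets
            iei, iedl = take(1)[0], take(1)[0]
            if pos > end or pos + iedl > end:
                raise ValueError(f'IEI {iei:02X} overruns the UDH')
            ies.append((iei, take(iedl)))
        hdr = -(-(udhl + 1) * 8 // 7)           # header length rounded up to septets
        skip, udl = hdr * 7 - (udhl + 1) * 8, udl - hdr
    text = _gsm7(pdu[pos:], udl, skip) if dcs == 0 else None
    return {'smsc': smsc, 'sender': sender, 'pid': pid, 'dcs': dcs,
            'timestamp': ts, 'udh': ies, 'text': text}

# The PDU from the "A PDU" slide, and a constructed variant of it carrying the
# slide's concatenation UDH 05 00 03 00 03 01 (IEI 00: reference 0, part 1 of 3).
SLIDE_PDU = '0791947106004034040D91947196466656F80000901082114215400AE8329BFD4697D9EC377D'
UDH_PDU = '0791947106004034440D91947196466656F800009010821142154011050003000301D06536FB8D2EB3D96FFA'
```

Running `parse_deliver_pdu(SLIDE_PDU)` yields the SMSC, sender and the text "hellohello"; an IEDL that points past the header (the kind of input a "UDH bomb" test case produces) raises ValueError rather than indexing out of range.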
PDUSpy
http://www.nobbi.com/pduspy.html
Fuzzing SMS
Fuzzing 101
Create malformed input
Take existing input and mutate it
Create inputs from scratch (from RFC, for example)
Unmanned fuzzing exploration
The ultimate goal of a fuzzing harness is complete automation
Creating test cases
Can take some sample PDUs and mutate
These aren't exactly easy to find!
This is how Charlie did it
This is how I did it
Build an SMS crafting library to generate messages
SMS crafting library
Support SMS_DELIVER and SMS_SUBMIT
UDH support, IEIs:
All PDU fields can be auto-filled or set by hand!
Some SMS test cases
Multipart messages
Port addressing
UDH bomb
Voicemail indication
SMS library
Sending the test cases
Could send over the air
Could build your own transmitter
Could inject into the process which parses
SMS injection
Get SMS sniffing for free
Speaking of free...
iPhone injection
iPhone SMS fun fact
iPhone SMS
Man in the Middle
Use library preloading to hook basic API
com.apple.CommCenter.plist:
Open (highlights)

```c
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

#define FD3 "/tmp/fuzz3.sock"

static int (*real_open)(const char *, int, ...);
int fd3;   /* the socket now standing in for the baseband channel */

/* Interposed via library preloading: when CommCenter opens the baseband
   DLCI device, hand it a Unix socket to the fuzzer instead of the real fd. */
int open(const char *path, int flags, ...)
{
    int fd;
    real_open = dlsym(RTLD_NEXT, "open");
    if ((strncmp("/dev/dlci.h5-baseband.3", path, 23) == 0) ||
        (strncmp("/dev/dlci.spi-baseband.3", path, 24) == 0)) {
        struct sockaddr_un saun;
        fd = socket(AF_UNIX, SOCK_STREAM, 0);
        saun.sun_family = AF_UNIX;
        strcpy(saun.sun_path, FD3);
        int len = offsetof(struct sockaddr_un, sun_path) + strlen(FD3);
        connect(fd, &saun, len);
        fd3 = fd;
    } else {
        fd = real_open(path, flags);   /* everything else goes to the real open() */
    }
    return fd;
}
```
The injection
Sending PDUs
Detecting crashes with CrashReporter

```python
import os
import time

def check_for_crash(test_number, ip):
    # CrashReporter drops a LatestCrash.plist when CommCenter or SpringBoard
    # dies; pull both from the phone over ssh after every test case.
    commcenter = '/private/var/logs/CrashReporter/LatestCrash.plist'
    springboard = '/private/var/mobile/Library/Logs/CrashReporter/LatestCrash.plist'
    # Quote the remote command so the ';' runs on the phone, not in the local shell.
    command = 'ssh root@' + ip + ' "cat %s 2>/dev/null; cat %s 2>/dev/null"' % (commcenter, springboard)
    c = os.popen(command)
    crash = c.read()
    if crash:
        clean_clogs()      # harness helper (not shown): clear the crash logs
        print('CRASH with %d' % test_number)
        print(crash)
        time.sleep(60)     # let the phone restart the crashed process
    else:
        print('.', end='', flush=True)
    c.close()
```
Final checks
iPhone IEI support
Android injection
Android fuzzing fun fact
Process which handles SMS is a Java app :(
Android MITM
Sending test cases
Identical to iPhone case, use TCP 4223
Crash monitoring
Monitor output of ADB (Android Debug Bridge)
logcat -d gives you the log dump
Valid test case injection
Same as iPhone except the sqlite command is:
Android is not sturdy
/data/busybox/killall -9 com.android.phone
/data/busybox/killall -9 com.android.mms
When things are really broken (this is almost a reboot):
/data/busybox/killall -9 system_server
Windows Mobile injection
Not surprisingly
MITM Kernel Style
Thanks for your help!
SMS injection
Same as iPhone and Android :)
Monitoring
Done with IDA Windows Mobile remote debugger
Multiple processes to monitor
tmail.exe: SMS/MMS app from Microsoft
Manila2D.exe: TouchFLO GUI from HTC
Some fuzzing results
From potential bug to attack
Not all bugs found through injection can be sent over the phone network
We built a small application that runs on the iPhone
Test different operators
Send over the network
Open /dev/tty.debug
Read/write AT commands to send message
iPhone SMS DoS
iPhone
SpringBoard crash
Digging the DoS
Android SMS DoS
DoS
Windows Mobile DoS
HTC Touch 3G (Windows Mobile 6.1)
Manila2D.exe (TouchFLO by HTC) crashes
App doesn't restart as long as the bad SMS is in the inbox
TouchFLO interface will not restart
Windows Mobile DoS
The demo we did at BlackHat
Send iPhone CommCenter DoS SMS for 1 hour
One message every 10 seconds
Victim was not able to use his iPhone during the talk and for about 2.5 hours after the talk
iPhone SMS code exec summary
Android DoS
Bug would not have been found if we had tested only in the US and on AT&T!
ADB logcat output

```
I/ActivityManager(56): Stopping service: com.android.mms/.transaction.TransactionService
D/dalvikvm(7099): GC freed 2614 objects / 148896 bytes in 134ms
W/AudioFlinger(35): write blocked for 97 msecs
D/WAP PUSH(7085): Rx: 0606436b46673774261b69195d187d2b1610370c39456f5b3b58540e3c650b21542141630b6c214764240e707e5c533e0b1143090c4078de77705714193c1a2937066d75141c1835144753565d602f6a67152a7807106d35334a7214541774564925640a11335a3b30461145307d04df7b
D/AndroidRuntime(7085): Shutting down VM
W/dalvikvm(7085): threadid=3: thread exiting with uncaught exception (group=0x4000fe70)
E/AndroidRuntime(7085): Uncaught handler: thread main exiting due to uncaught exception
E/AndroidRuntime(7085): java.lang.ArrayIndexOutOfBoundsException
E/AndroidRuntime(7085):     at com.android.internal.telephony.WspTypeDecoder.decodeExtensionMedia(WspTypeDecoder.java:200)
E/AndroidRuntime(7085):     at com.android.internal.telephony.WspTypeDecoder.decodeConstrainedEncoding(WspTypeDecoder.java:222)
E/AndroidRuntime(7085):     at com.android.internal.telephony.WspTypeDecoder.decodeContentType(WspTypeDecoder.java:239)
```
Windows Mobile results
07919471173254F6040C91947167209508000099309251619580022537
Conclusions
Firmware Updates
Android CRC1 also fixes our WAP push DoS bug
iPhone OS 3.0.1 was released on July 31st
HTC told us the bug in TouchFLO is fixed
Check out my new tool :)
The End
Thanks to
Tools and slides
Contact