Remote Code Execution on Windows Mobile Demonstrated

Created: 08 Aug 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:58:06 GMT
I posted a blog in May that spoke about the potential for remote code execution on Windows CE devices and the problems involved with patching. I also alluded to some research Symantec had been doing at the time. Well, at DefCon this past weekend, Collin Mulliner demonstrated a remote code execution flaw via MMS on Windows CE.

Collin's slides show how he used a malformed MMS message to achieve arbitrary code execution on a device, simply by having a user view the message. This is obviously of great concern; Windows Mobile devices are becoming more and more prevalent and the substantial challenges with patching continue to exist.

At the end of 2005, the Symantec Advanced Threat Research team performed a detailed attack surface analysis of Windows CE 5. We took a very broad and a very deep look as to how attacks could target Windows CE (and thus Windows Mobile) devices both from a remote perspective, as well as a local privilege escalation perspective (CE 5 includes the concept of trusted versus un-trusted applications). This research included documenting all of the remote attack vectors that could potentially exist. During the course of the research, as you would expect, we found a number of remote code execution flaws that could be leveraged in a malicious fashion. While we won't be disclosing the specific flaws just yet, what we will discuss is the overall security architecture of CE 5, the types of vulnerabilities we discovered, how these impact mobile devices, and what, if anything, people can do to protect themselves. Please keep your eyes peeled for the announcement of when and where we will be presenting this research.