Remote Code Execution on Windows Mobile Demonstrated
I posted a blog in May that spoke about the potential for remote code execution on Windows CE devices and the problems involved with patching. I also alluded to some research Symantec had been doing at the time. Well, at DefCon this past weekend, Collin Mulliner demonstrated a remote code execution flaw via MMS on Windows CE.
Collin's slides show how he used a malformed MMS message to achieve arbitrary code execution on a device, simply by having a user view the message. This is obviously of great concern; Windows Mobile devices are becoming more and more prevalent and the substantial challenges with patching continue to exist.
At the end of 2005, the Symantec Advanced Threat Research team performed a detailed attack surface analysis of Windows CE 5. We took a very broad and a very deep look as to how attacks could target Windows CE (and thus Windows Mobile) devices both from a remote perspective, as well as a local privilege escalation perspective (CE 5 includes the concept of trusted versus un-trusted applications). This research included documenting all of the remote attack vectors that could potentially exist. During the course of the research, as you would expect, we found a number of remote code execution flaws that could be leveraged in a malicious fashion. While we won't be disclosing the specific flaws just yet, what we will discuss is the overall security architecture of CE5, the types of vulnerabilities we discovered, how these impact mobile devices, and what, if anything, people can do to protect themselves. Please keep your eyes peeled for the announcement of when and where we will be presenting this research.