Re: Nokia 7110 Wap Browser Hole

[vos () TELENOR CZ (Vitaly Osipov)]

Hi,

I am not a specialist in WAP and underlying protocols, but AFAIK there is
_no_ IP in this stack and phones _do not_ have IP addresses - their
connectivity to wap servers is done via WAP gateways (which have IP because
they have to connect to wap servers, of course). Those gateways act as
network-layer gateways, converting some GSM bearer protocols into TCP/IP.
Phones itself have only so-called MSISDN (Mobile Subscriber ISDN).

So i am very curious on what address you scanned to get the phone hung - it
really is very interesting.

Regards,
Vitaly.

----- Original Message -----
From: "Kristjan Kristinsson" <doze () COREDUMP CX>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Monday, July 17, 2000 11:09 AM
Subject: Re: Nokia 7110 Wap Browser Hole

> On Sat, Jul 15, 2000 at 12:47:17PM +0200, Kristjan Kristinsson wrote:
> > To continue being of topic, most wap phones hangs when being
portscanned,
> > including most nokia 7110's. But since you need the ad of the phone when
> > it's connected to the net, and this can be pretty tricky to get most
people
> > should not be to worried.
> >
> > file://doze (yeah, should win a price in excessive quoting)
> >
> >
> > On Thu, Jul 13, 2000 at 01:02:47PM +0100, Aidan O'Kelly wrote:
> > > Ok, so this may be slighly off topic for this forum, but I though id
post it
> > > anyway.
> > >
> > > The nokia 7110 wap browser will happily pass form varibles that were
entered
> > > once to another site later on (in the same session? Not sure how long
it
> > > stores them for)
> > >
> > > The problem is that the Nokia recognises forms and passes the values
it used
> > > before to text/password boxes etc.
> > >
> > > So if you had a login form on one website. that had an input box,
> > > type=test/password and name=userid, once you enter your userid, the
nokia
> > > stores it in a varible called $userid. If the user surfs to another
site
> > > with a text box of the same name it will put $userid into it.
> > > Its not hard to guess what the varibles from other sites would be
called,
> > > and its possible to get the phone to submit the form without ever even
> > > seeing it(using cards and on timer events) so information could be
gathered.
> > > afaik it applys to the real phone aswell(I dont have one, but Im 99%
sure it
> > > works, the phone defintly fills in the values, cant check if it does
it for
> > > different hosts, but the 7110 simulator is pretty accurate.)
> > >
> > > Can anyone confirm this? or find out how long it stores the varibles
for?
> > > (id imagine till you turn the phone off, or disconnect from the net)
> > >
> > > I wonder if the nokia sets any other varibles itself.....
> > >
> > > Anyway, sorry if this is off topic.
> > > Aidan
> >
> > --
> >
> > [doze] .:. [security.is staff] .:. [khrome] .:. [coredump.cx adm!]
> >   - [doze () coredump cx] - [doze () security is] -       .    ,!.    .
> > [http://doze.coredump.cx] - [http://doze.bsd.at]        ,j't.
> > [http://doze.security.is] - [http://doze.hack.pl]    K=-=:: -=->
> >                                                       "=i.: [-'
> > pgp fingerprint:                                       /;:":.\
> > C986 986B 1420 8E21 2B52  F03E 87EE 6228 02B8 7900  . ;}'   '(, .
>
> --
>
> [doze] .:. [security.is staff] .:. [khrome] .:. [coredump.cx adm!]
>   - [doze () coredump cx] - [doze () security is] -       .    ,!.    .
> [http://doze.coredump.cx] - [http://doze.bsd.at]        ,j't.
> [http://doze.security.is] - [http://doze.hack.pl]    K=-=:: -=->
>                                                       "=i.: [-'
> pgp fingerprint:                                       /;:":.\
> C986 986B 1420 8E21 2B52  F03E 87EE 6228 02B8 7900  . ;}'   '(, .