Vulnerability Development mailing list archives

Re: Nokia 7110 Wap Browser Hole


From: vos () TELENOR CZ (Vitaly Osipov)
Date: Fri, 21 Jul 2000 14:35:14 +0200


Mea culpa! :) I got impressed by all the tech papers on wapforum.com and did
not check it myself. It came to a very funny thing - seems like now all WAP is
just a pure application-layer thing consisting of WML and WAP gateways (+modem
in the handset) over IP...   :-S

That's what I did - I took the access number, login and password from the
phone's WAP settings, connected the phone to the PC via infrared and simply
dialed via "dialup networking"... The access number answered with PPP and
MSCHAP - very funny :)

After that I looked at the address I received - it was some 10.1.3.xxx -
virtual address space. The gateway was something in the mobile operator's
network, 160.218.xxx.xxx - actually it was some cisco - I even managed to
connect to it by telnet... unfortunately I did not guess the password :) This
cisco behaved somewhat strangely - at all my attempts to traceroute something
the reply was "destination network unreachable". I guess there could be some
interesting things to play with, but I have some work to do too :)

Now regarding scanning phones - as you have noticed, it's up to the mobile
operator how to set up its routing and address space. In my case it was
private address space, which is quite a good choice because a) you won't get
scanned or in any way accessed from the outside Internet and b) there are a
lot of addresses in the 10.x.x.x network - 2^24 = about 16 million per one
operator/one set of settings.

In the case reported here earlier (with portscanning and the phone hanging)
the problem was (I guess) that the mobile operator simply assigned public IP
addresses to its WAP clients - a very unwise solution...

One more remark - the address of that cisco mentioned above was in the same
network as the dialup clients of the mobile operator (I mean addresses
assigned to computers dialing up some operator's number via mobile phones
used as modems - a Nokia 7110 e.g.).

regards,
Vitaly.

From: "Roelof Temmingh" <roelof () SENSEPOST COM>

On Thu, 20 Jul 2000, Vitaly Osipov wrote:

+So I am very curious on what address you scanned to get the phone hung - it
+really is very interesting.

I (also?) made the mistake of scanning the WAP gateway (see my post on the
Nokia WAP GW), but I figured my cellphone is not running NetBIOS :))), and
realised that I was scanning the GW.

Then, I configured the WAP GW on my phone (Siemens S35) to an address that
points to a server within my network, and did a tcpdump to see what IP number
is sending requests to "my WAP GW" (UDP port 9201/2).

This IP number corresponds with my cellphone. I pinged it, and it seems as
though the pings time out when I drop the line. Not sure if this is really
the phone... is it?

Regards,
Roelof.

------------------------------------------------------
Roelof W Temmingh SensePost IT security
roelof () sensepost com +27 83 448 6996
http://www.sensepost.com
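The tcpdump approach above (point the handset's WAP gateway setting at your own server, then look at which source addresses send to the WAP UDP ports) and Vitaly's point about private versus public handset addresses, combined into an added example that is not part of either post. It parses constructed tcpdump lines (not a real capture; gateway and handset addresses are made up) and reports which handset addresses are in RFC 1918 space and which are publicly routable, which is the property that decides whether the phones can be scanned from the Internet at all.

```python
import ipaddress
import re
from collections import defaultdict

# UDP ports used by the WAP 1.x gateway stack (the post mentions 9201/9202;
# 9200 and 9203 are the connectionless and WTLS variants).
WAP_PORTS = {9200, 9201, 9202, 9203}

# RFC 1918 ranges, checked explicitly rather than via is_private() so that
# documentation ranges such as 198.51.100.0/24 count as "public" here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# tcpdump lines constructed for this example; 192.0.2.10 plays "my WAP GW".
SAMPLE_CAPTURE = """\
14:35:01.123456 IP 10.1.3.57.1024 > 192.0.2.10.9201: UDP, length 64
14:35:01.223456 IP 10.1.3.57.1024 > 192.0.2.10.9201: UDP, length 128
14:35:02.000000 IP 198.51.100.23.2048 > 192.0.2.10.9202: UDP, length 80
14:35:02.300000 IP 172.20.1.5.1025 > 192.0.2.10.9203: UDP, length 96
14:35:02.500000 IP 192.0.2.77.40000 > 192.0.2.10.53: UDP, length 40
"""

LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP"
)


def is_rfc1918(ip):
    """True if the dotted-quad address lies in one of the RFC 1918 blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def wap_clients(capture_text):
    """Return {src_ip: datagram_count} for UDP sent to a WAP gateway port."""
    counts = defaultdict(int)
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m.group("dport")) in WAP_PORTS:
            counts[m.group("src")] += 1
    return dict(counts)


def classify_clients(capture_text):
    """Split handset addresses into (rfc1918, publicly_routable), each sorted."""
    private, public = [], []
    for ip in wap_clients(capture_text):
        (private if is_rfc1918(ip) else public).append(ip)
    return sorted(private), sorted(public)


if __name__ == "__main__":
    priv, pub = classify_clients(SAMPLE_CAPTURE)
    print("handsets in private address space:", priv)
    print("handsets with publicly routable addresses:", pub)
```

Run it against real tcpdump output (`tcpdump -n udp port 9200 or 9201 or 9202 or 9203`) piped into `classify_clients` to see whether an operator hands out public addresses to WAP clients.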
