Vulnerability Development mailing list archives
Re: Nokia 7110 Wap Browser Hole
From: vos () TELENOR CZ (Vitaly Osipov)
Date: Fri, 21 Jul 2000 14:35:14 +0200
Mea culpa! :) I got impressed by all the tech papers on wapforum.com and did not check it myself. It came to a very funny thing - it seems that now all WAP is just a pure application-layer thing consisting of WML and WAP gateways (+ a modem in the handset) over IP... :-S

This is what I did - I took the access number, login and password from the phone's WAP settings, connected the phone to a PC via infrared and simply dialed via "dialup networking"... The access number answered with PPP and MSCHAP - very funny :) After that I looked at the address I received - it was some 10.1.3.xxx - virtual address space. The gateway was something in the mobile operator's network, 160.218.xxx.xxx - actually it was some Cisco - I even managed to connect to it by telnet... unfortunately I did not guess the password :) This Cisco behaved somewhat strangely - to all my attempts to traceroute something the reply was "destination network unreachable". I guess there could be some interesting things to play with, but I have some work to do too :)

Now regarding scanning phones - as you have noticed, it's up to the mobile operator how to set up its routing and address space. In my case it was private address space, which is quite a good choice because a) you won't get scanned or in any way accessed from the outside Internet and b) there are a lot of addresses in the 10.x.x.x network - 2^24 = about 16 million per one operator/one set of settings. In the case reported here earlier (with portscanning and the phone hung) the problem was (I guess) that the mobile operator simply assigned public IP addresses to its WAP clients - a very unwise solution...

One more remark - the address of that Cisco mentioned above was in the same network as the dialup clients of the mobile operator (I mean addresses assigned to computers dialing up some operator's number via mobile phones used as a modem - Nokia 7110 e.g.)

regards, Vitaly.
From: "Roelof Temmingh" <roelof () SENSEPOST COM>
On Thu, 20 Jul 2000, Vitaly Osipov wrote:

+So I am very curious on what address you scanned to get the phone hung - it
+really is very interesting.

I (also?) made the mistake of scanning the WAP gateway (see my post on Nokia WAP GW), but I figured my cellphone is not running NetBIOS :))), and realised that I was scanning the GW.

Then, I configured the WAP GW on my phone (Siemens S35) to an address that points to a server within my network, and did a tcpdump to see what IP number is sending requests to "my WAP GW" (UDP port 9201/2). This IP number corresponds with my cellphone. I pinged it, and it seems as though the pings time out when I drop the line. Not sure if this is really the phone...is it?

Regards, Roelof.

------------------------------------------------------
Roelof W Temmingh
SensePost IT security
roelof () sensepost com
+27 83 448 6996
http://www.sensepost.com