Home Hacking Alert! First Double Free Vulnerability in Windows Mobile

Alert! First Double Free Vulnerability in Windows Mobile

Vendor:  Microsoft

Product:  Windows Mobile

Vulnerability:  Double Free

Tested vulnerable versions:  Windows Mobile 6.1 and 6.5

Tested on :  HTC Touch (WM 6.1), HTC Touch2 (WM 6.5)

CREDITS:  Celil Ünüver from SecurityArchitect.Org

CONTACT:  celilunuver[n0sp4m]

Vulnerability Details and Analysis:

The vulnerability is a double free. It occurs when multiple buffers are allocated to handle a very large Name (N) field in the vCard (.vcf) file. This file can be received by MMS or Bluetooth.
After opening the malformed vcf file, it gives an error dialog. Then it frees the buffers and crashes;


*As you see that the pointer at [R4 + 0x14] is passed to SysFreeString() twice.


*The code at location 0271E4F4  is attempting to extract the ‘size’ from the heap chunk header.

Double Frees are usually exploitable but in this case it doesnt look simple. The calls to free() occurs in immediate succession. WinCE supports multi-threading, but this is an extremely hard case to try.. I do not have deep knowledge about WinCE heap structures. So it may be denial of service but I think it can be possible to exploit this vulnerability. (impossible is nothing ! :P)

Proof of Concept:

Vendor-Patch Status: It’s 0day :]

Actually I contacted Microsoft but they said ; “we fixed this issue on WM 6.5 version and we can not publish a bulletin for it” But i m sure that it is not fixed on 6.5 version. I’ve tested it on several devices which have WM 6.5. Also I’ve tested it on WM 6.5 Professional Emulator (which can be downloaded from MS Pages) , it crashes too….

Last Words: We are not dead , just busy !

Greets to: SecurityArchitect Members (Ulascan) , Hellcode, murderkey …

 Share on Facebook Share on Twitter Share on Reddit Share on LinkedIn
6 Comments  comments 

6 Cevap

  1. mkey

    go go go ! 😎

  2. […] This post was mentioned on Twitter by Jeff Jarmoc, YO9FAH and Chae Jong Bin, Celil ÜNÜVER. Celil ÜNÜVER said: 0day! Windows Mobile Double Free Vulnerability! + binary analysis –> […]

  3. t

    nice bug, congrats!

  4. Celil

    thanx guys ;]

  5. n4t1x

    nice analysis, thx!

Bir Cevap Yazın

E-posta hesabınız yayımlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir