Posted on October 22nd, 2011

Vendor: Microsoft
Product: Windows Mobile
Vulnerability: Double Free
Tested vulnerable versions: Windows Mobile 6.1 and 6.5
Tested on : HTC Touch (WM 6.1), HTC Touch2 (WM 6.5)
CREDITS: Celil Ünüver from SignalSEC

Vulnerability Details and Analysis:

The vulnerability is a double free. It occurs when multiple buffers are allocated to handle a very large Name (N) field in a vCard (.vcf) file, which can be received by MMS or Bluetooth.
After opening the malformed .vcf file, the application shows an error dialog, then frees the buffers and crashes:

(screenshot: disassembly in pimutil.dll)

*As you can see, the pointer at [R4 + 0x14] is passed to SysFreeString() twice.

(screenshot: crash)
*The code at location 0271E4F4 is attempting to extract the 'size' from the heap chunk header.
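The bug class above (a field split across several heap buffers, then the same pointer released twice on the error path) has two standard mitigations: bound the field length before allocating anything, and null every pointer as it is freed so a repeated release is a no-op. The following C model is an added illustration and is not the pimutil.dll code; the constants N_FIELD_MAX and CHUNK_SIZE, the function names, and the sample cards are all assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical model of a vCard N-field handler (illustrative only, not
 * the pimutil.dll code). N_FIELD_MAX and CHUNK_SIZE are assumed values. */
#define N_FIELD_MAX 1024
#define CHUNK_SIZE  256
#define MAX_CHUNKS  ((N_FIELD_MAX + CHUNK_SIZE - 1) / CHUNK_SIZE)

typedef struct {
    char  *chunks[MAX_CHUNKS];
    size_t count;
} name_buffers;

/* Find the value of the first "N:" property. Sets *value and returns its
 * length, or returns 0 with *value = NULL when the card has no N line.
 * (Folded continuation lines are not unfolded in this model.) */
size_t extract_n_value(const char *vcf, const char **value)
{
    const char *line = vcf;
    while (*line != '\0') {
        const char *eol = strpbrk(line, "\r\n");
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len >= 2 && strncmp(line, "N:", 2) == 0) {
            *value = line + 2;
            return len - 2;
        }
        if (eol == NULL) break;
        line = eol + strspn(eol, "\r\n");
    }
    *value = NULL;
    return 0;
}

/* Free a chunk slot and null it, so releasing the same slot again is a
 * no-op instead of a double free. Returns 1 if memory was really freed. */
int release_chunk(char **slot)
{
    if (*slot == NULL) return 0;
    free(*slot);
    *slot = NULL;
    return 1;
}

/* Release every chunk; returns how many were actually freed. */
int release_all(name_buffers *nb)
{
    int freed = 0;
    for (size_t i = 0; i < MAX_CHUNKS; i++)
        freed += release_chunk(&nb->chunks[i]);
    nb->count = 0;
    return freed;
}

/* Split an N value into CHUNK_SIZE buffers, but only after bounding its
 * length. Returns 0 on success, -1 if the field exceeds N_FIELD_MAX
 * (nothing allocated), -2 on allocation failure (partial work released). */
int load_name_field(name_buffers *nb, const char *value, size_t len)
{
    memset(nb, 0, sizeof *nb);
    if (len > N_FIELD_MAX) return -1;
    for (size_t off = 0; off < len; off += CHUNK_SIZE) {
        size_t n = (len - off < CHUNK_SIZE) ? len - off : CHUNK_SIZE;
        char *c = malloc(n + 1);
        if (c == NULL) { release_all(nb); return -2; }
        memcpy(c, value + off, n);
        c[n] = '\0';
        nb->chunks[nb->count++] = c;
    }
    return 0;
}

/* Constructed sample card whose N value is n_len 'A' characters. */
char *make_card(size_t n_len)
{
    const char *head = "BEGIN:VCARD\r\nVERSION:2.1\r\nN:", *tail = "\r\nEND:VCARD\r\n";
    size_t hl = strlen(head);
    char *card = malloc(hl + n_len + strlen(tail) + 1);
    if (card == NULL) return NULL;
    memcpy(card, head, hl);
    memset(card + hl, 'A', n_len);
    strcpy(card + hl + n_len, tail);
    return card;
}

/* Run a constructed card through the handler, release twice on purpose,
 * and report whether the result code and the count of real frees match
 * expectations (the second release must free nothing). */
int check_card(size_t n_len, int expect_rc, int expect_freed)
{
    name_buffers nb;
    const char *v;
    char *card = make_card(n_len);
    if (card == NULL) return 0;
    size_t len = extract_n_value(card, &v);
    int rc = load_name_field(&nb, v, len);
    int first = release_all(&nb), second = release_all(&nb);
    free(card);
    return rc == expect_rc && first == expect_freed && second == 0;
}

int main(void)
{
    printf("normal card ok: %d\n", check_card(11, 0, 1));
    printf("multi-chunk card ok: %d\n", check_card(600, 0, 3));
    printf("oversized card rejected: %d\n", check_card(3000, -1, 0));
    return 0;
}
```

The same free-and-null idiom applies to the BSTR case seen in the disassembly: SysFreeString() returns without doing anything when passed NULL, so clearing the pointer after the first call turns a second call on the same slot into a harmless no-op. Note that this model does not unfold vCard continuation lines, so a real scanner or parser would need to reassemble folded lines before measuring the field.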

Exploiting:
Double frees are usually exploitable, but in this case it doesn't look simple. The calls to free() occur in immediate succession. WinCE supports multi-threading, but this is an extremely hard case to try. I do not have deep knowledge about WinCE heap structures. So it may be a denial of service, but I think it can be possible to exploit this vulnerability. (Impossible is nothing!)

Proof of Concept:
www.securityarchitect.org/exploits/wmpoc.vcf

Vendor-Patch Status: It’s 0day :]

Actually, I contacted Microsoft, but they said: "We fixed this issue in the WM 6.5 version and we cannot publish a bulletin for it." But I'm sure that it is not fixed in the 6.5 version. I've tested it on several devices which have WM 6.5. Also, I've tested it on the WM 6.5 Professional Emulator (which can be downloaded from MS pages); it crashes too.

Last Words: We are not dead, just busy!
