May 27th, 2008
Motorola RAZR vulnerable, what's up with Motorola's update process?
Update 05/27/2007: One of the comments in the talkbacks (thanks kd5auq!) mentioned that there is no patch to be downloaded for AT&T based Motorola RAZR phones. I’ve no idea if Motorola currently or formerly supported AT&T based RAZRs, as I’m an iPhone kinda guy, but I’d be curious to see if anyone else has noticed this, knows if AT&T phones are vulnerable, is a Motorola rep that wishes to comment, or has had similar issues getting a patch for their phone. Also, I added two polls to the end of the article, feel free to contribute!
A sexy mobile vulnerability was released today by ZDI that really caught my attention. Here are the details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable Motorola RAZR firmware based cell phones. User interaction is required to exploit this vulnerability in that the target must accept a malicious image sent via MMS.
The specific flaw exists in the JPEG thumbprint component of the EXIF parser. A corrupt JPEG received via MMS can cause a memory corruption which can be leveraged to execute arbitrary code on the affected device.
– Vendor Response:
Motorola states:
Together, ZDI and Motorola have identified a potential vulnerability related to viewing malicious, manipulated JPEG files affecting select RAZR-series devices. Although the possibility of this vulnerability occurring is very remote and would only occur in unique circumstances, Motorola proactively corrected it in all new device releases. To ensure that you have the latest software load available for your device, please visit:
http://direct.motorola.com/hellomoto/NSS/update_my_software.asp
So, what’s a real bummer about this, and this is why I hate the disclosure brokers, is that no proof of concept code is released, leaving us with some real questions about the vulnerability. Motorola says in the ZDI release:
“Although the possibility of this vulnerability occurring is very remote and would only occur in unique circumstances, Motorola proactively corrected it in all new device releases.”
Ok, what are the details then? Why’s it so tough to exploit? It sounds pretty straightforward: user accepts malicious image sent through MMS, gets pwned. What’s so tough about that? One-click to pwnage. It’s sent with an MMS, so you could adapt your approach. Maybe you send it attempting to look like a popular bank, telling someone it’s an image of their bank statement. My message to Motorola is that if you say it is not an issue, back up why it is not an issue, don’t leave us grasping at thin air for your reasoning.
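Since ZDI published no details, here is an added illustration of the class of check a thumbnail parser needs; this is example code written for this post, not Motorola firmware or anything from the advisory. The Exif thumbnail is located through the IFD1 offset/length tags, and a decoder that trusts those values without comparing them to the size of the block it actually holds reads or copies out of bounds; the sample TIFF block and all function names here are constructed.

```c
#include <stdint.h>
#include <string.h>
/* Added, hypothetical example (not Motorola's or ZDI's code): locate the EXIF thumbnail
 * (IFD1 tags 0x0201 = offset, 0x0202 = length) in a TIFF block and accept it only if it
 * lies entirely inside the buffer. Returns 1 and sets *out/*len, or 0 on any inconsistency. */
static uint16_t rd16(const uint8_t *p, int le) { return le ? p[0] | p[1] << 8 : p[0] << 8 | p[1]; }
static uint32_t rd32(const uint8_t *p, int le) {
    return le ? rd16(p, 1) | (uint32_t)rd16(p + 2, 1) << 16 : (uint32_t)rd16(p, 0) << 16 | rd16(p + 2, 0);
}
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }
int exif_thumbnail(const uint8_t *tiff, size_t n, const uint8_t **out, size_t *len) {
    if (n < 8) return 0;
    int le = tiff[0] == 'I' && tiff[1] == 'I';                 /* "II" little-endian, "MM" big-endian */
    if (!le && !(tiff[0] == 'M' && tiff[1] == 'M')) return 0;
    if (rd16(tiff + 2, le) != 42) return 0;
    /* Only IFD0's "next IFD" pointer is needed to reach IFD1. Every offset read from the
     * file is compared against n in 64-bit arithmetic so an oversized value cannot wrap. */
    uint64_t ifd0 = rd32(tiff + 4, le);
    if (ifd0 + 2 > n) return 0;
    uint64_t next = ifd0 + 2 + 12ULL * rd16(tiff + ifd0, le);
    if (next + 4 > n) return 0;
    uint64_t ifd1 = rd32(tiff + next, le);
    if (ifd1 == 0 || ifd1 + 2 > n) return 0;
    uint16_t cnt = rd16(tiff + ifd1, le);
    if (ifd1 + 2 + 12ULL * cnt > n) return 0;
    uint32_t off = 0, length = 0; int have = 0;
    for (uint16_t i = 0; i < cnt; i++) {
        const uint8_t *e = tiff + ifd1 + 2 + 12 * i;           /* entry: tag, type, count, value */
        uint16_t tag = rd16(e, le);
        if (tag == 0x0201) { off = rd32(e + 8, le); have |= 1; }
        else if (tag == 0x0202) { length = rd32(e + 8, le); have |= 2; }
    }
    /* The check a decoder must make before reading or copying the thumbnail bytes. */
    if (have != 3 || (uint64_t)off + length > n) return 0;
    *out = tiff + off; *len = length; return 1;
}
/* Constructed 48-byte little-endian sample: IFD0 is empty, IFD1 claims a thumbnail at
 * `off` with `len` bytes; the real thumbnail is 4 bytes (FF D8 FF D9) at offset 44. */
size_t build_sample_tiff(uint8_t buf[48], uint32_t off, uint32_t len) {
    static const uint8_t head[16] = { 'I','I',42,0, 8,0,0,0, 0,0, 14,0,0,0, 2,0 };
    memcpy(buf, head, 16);
    memcpy(buf + 16, "\x01\x02\x04\x00\x01\x00\x00\x00", 8); wr32(buf + 24, off);   /* 0x0201, LONG, 1 */
    memcpy(buf + 28, "\x02\x02\x04\x00\x01\x00\x00\x00", 8); wr32(buf + 36, len);   /* 0x0202, LONG, 1 */
    wr32(buf + 40, 0); memcpy(buf + 44, "\xFF\xD8\xFF\xD9", 4);                     /* no IFD2; thumbnail */
    return 48;
}
/* 1 if the claimed thumbnail passes validation against the 48-byte block, 0 if rejected. */
int check_claim(uint32_t off, uint32_t len) {
    uint8_t buf[48]; const uint8_t *t; size_t l; build_sample_tiff(buf, off, len);
    return exif_thumbnail(buf, 48, &t, &l);
}
```

A claimed length that runs past the block, or an offset chosen so that offset + length wraps in 32-bit arithmetic, is rejected; only a thumbnail that fits is handed to the caller.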
Worse yet, I went to check out the Motorola update page, hoping they’d have more details (they did not), and I decided to enter in some fake information to see what their response was for a given phone. I said I used T-Mobile and had a Motorola RAZR phone; this is what was presented to me:
Motorola Software Update provides the latest approved software for devices in warranty. Please enter your date of purchase to determine warranty status.
Date entered here…
You will be prompted if a backup and restore of your device is warranted. If a backup and restore is warranted, during the software update, all third-party media, including but not limited to, music, pictures, ringtones, and screensavers, will be deleted. You will need to reload all third-party media after the software update. Third party applications and some custom settings CANNOT be automatically restored after the device has been updated. Please note that during the update, you will have the opportunity to save your personal data.
Umm… so, apparently, I only get to be protected from this flaw if my phone is still under warranty. Could someone with a Motorola RAZR or from Motorola please confirm whether this is the case? If so, this is ridiculous.
-Nate

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center in Chicago. The views and opinions expressed in this article are his own and do not represent the views and opinions of Ernst & Young Advanced Security Center or Ernst & Young, LLP. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for numerous clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box. He can be found at his Pwn* blog and XS-Sniper, a blog with Billy Rios. See his full profile and disclosure of his industry affiliations.