Saturday, September 13, 2008

Sony-Ericsson W890i operating system analysis: unexpected discovery - Samba Server on the phone -- accessible even via the carrier connection!

This is my short analysis of the latest OS for this mobile phone.

I flashed the latest version of the official firmware and connected the device via USB. There is a "USB mode" menu item in the phone's settings menu, and I set it to the "USB network" mode. The phone uses several USB endpoints, one of which is RNDIS (remote network interface adapter in Windows) -- it activates when you turn on "USB network" in the phone's settings. An IP address was not automatically assigned to the "Sony-Ericsson Device 217 USB Ethernet Emulation (NDIS 5)" interface on my Windows XP PC. So I turned on Internet Connection Sharing (ICS) for my Internet connection. The "Sony-Ericsson Device 217 USB Ethernet Emulation (NDIS 5)" interface was then automatically assigned the IP address 192.168.0.1 by Windows. This connection should provide the internet connection for the phone. Wireshark sniffing revealed the alias name of that interface: "MCCI(r) USB Driver Demo" LOL. So it is a demo driver )))

Scanning the phone with nmap seems to be the most interesting part ;-).
Firstly, the phone reboots when nmap scans its port 139. What a shame for the Sony-Ericsson firmware writers.. So I had to omit port 139, and the scan then completed successfully, discovering another open TCP port numbered 4035. I did not find out what the TCP/4035 port was; the phone stopped listening on that port after I nmapped it with a service scan twice.

The TCP/139 port seemed to be pretty interesting ;-)

I set "Internet connections" -> "Allow local connections" to ON on the phone, thus allowing it to connect to the internet through the computer's USB cable. I started the phone's browser and it did manage to load the page using the computer's USB connection. Wireshark showed every packet and revealed that the phone randomly picked its IP address from the 192.168.0.0/24 subnet (possibly issued by the Windows XP DHCP server on the ICS interface). Wireshark also showed packets coming from the phone's 169.x.x.x address. So the phone also picks a random address from that subnet, just like MS Windows does when there is no DHCP server: it sets up a random IP so that network connectivity can be established automatically between devices that behave the same way.

I set up the username, password and workgroup in the phone's "Network sharing" menu.

An attempt to list the phone's shares by entering its address "\\192.168.0.x" into Windows Explorer's address bar caused the phone to reboot (Sony-Ericsson driver programmers should be ashamed). So I downloaded the Samba for Windows package (http://www.smithii.com/files/plugins/z_samba.zip) and the necessary Cygwin DLLs (http://www.cygwin.com) and listed the phone's shares using smbclient. The phone provided access to shares named "Memory Stick" and "Phone Memory". I was able to connect to these shares and transfer a few files, and it was really slow compared to Windows Explorer's access to the phone's files in either "Phone" mode or "Mass Storage" mode. Btw, the phone notified me when I connected to its shares. Later I tried to connect using the "net use" Windows command and I succeeded and the phone survived LOL.

Here's what smbclient told about the remote samba server:
Domain=[WORKGROUP] OS=[OSE] Server=[NQ 4.32]

Googling for "Sony-Ericsson OSE" revealed that "OSE" is the Sony-Ericsson's OS for the phones. I guess it is the "Operating System Sony-Ericsson" ;-)

So what we have is the samba server on the phone! %-) It may reboot the phone but it works! It looks weird, where are FTP and NFS servers?? %-)

The other point is that the samba server works on the phone's other network interfaces: carrier (GPRS/EDGE/3G).. Yeah, it is an interesting solution: just input \\phone's-ip in Windows Explorer and access your phone's files using the carrier internet LOL. I guess we would need a DynDNS client for the phone to simplify the access %-)

The phone reboots after a simple scan of the TCP/139 port, so the device is vulnerable to DoS attacks and maybe even a buffer overflow leading to unauthorized code execution.

It is also a security risk: if someone gets access to the device, then he can set up the "Network sharing" username and password to eventually be able to access files in the phone's memory or on the M2 card remotely via the carrier's internet connection.

The Samba share would be accessible via the carrier connection after the following steps have been completed:
- The phone has "Network sharing"'s username and password set
- The phone has "USB mode" set to "Via computer"
- The phone is connected to the internet (browsing with the built-in browser is enough)
- The phone is connected via the USB in the "Phone" mode

After the last step has been completed, the phone would start listening on port TCP/139. It will accept samba connections both from the USB data connection and from the carrier's internet connection, too.
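
For anyone auditing for this exposure, here is an added example (not part of the original post) that parses smbclient banner lines of the form shown above from already collected output and marks where the phone's SMB stack answered on an address outside the USB link. The record layout, the sample addresses and the reading of "169.x.x.x" as 169.254.0.0/16 are assumptions.

```python
import ipaddress
import re

# Subnets the post observed on the USB link. 169.254.0.0/16 is an assumption:
# the post only says "169.x.x.x", which matches link-local autoconfiguration.
USB_LINK_NETS = [ipaddress.ip_network("192.168.0.0/24"),
                 ipaddress.ip_network("169.254.0.0/16")]

BANNER_RE = re.compile(r"(\w+)=\[([^\]]*)\]")

def parse_banner(line):
    """Turn 'Domain=[X] OS=[Y] Server=[Z]' into a dict with lowercase keys."""
    return {key.lower(): value for key, value in BANNER_RE.findall(line)}

def on_usb_link(addr):
    """True if addr belongs to one of the USB-side subnets listed above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in USB_LINK_NETS)

def audit(records):
    """records: iterable of (address, banner line) pairs where TCP/139 answered.
    Returns one finding per address running the stack described in the post."""
    findings = []
    for addr, line in records:
        banner = parse_banner(line)
        if banner.get("os") != "OSE" or not banner.get("server", "").startswith("NQ"):
            continue  # a different SMB implementation, out of scope here
        findings.append({"address": addr,
                         "workgroup": banner.get("domain", ""),
                         "server": banner["server"],
                         "exposed_beyond_usb": not on_usb_link(addr)})
    return findings

# Constructed sample records; the addresses are illustrative, not from the post.
SAMPLE = [
    ("192.168.0.37", "Domain=[WORKGROUP] OS=[OSE] Server=[NQ 4.32]"),
    ("169.254.12.8", "Domain=[WORKGROUP] OS=[OSE] Server=[NQ 4.32]"),
    ("203.0.113.7", "Domain=[WORKGROUP] OS=[OSE] Server=[NQ 4.32]"),
    ("192.168.0.1", "Domain=[HOME] OS=[Unix] Server=[Samba 3.0.28]"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```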

And the last thing I'd like to know..
Does Sony-Ericsson plan to implement the X11 server in their phones? %-)
