WO2010048777A1 - Method for excavating multimedia message protocol vulnerability and system thereof - Google Patents

Method for excavating multimedia message protocol vulnerability and system thereof Download PDF

Info

Publication number
WO2010048777A1
WO2010048777A1 (PCT/CN2009/001169)
Authority
WO
WIPO (PCT)
Prior art keywords
mms
message
target device
data packet
analog
Prior art date
Application number
PCT/CN2009/001169
Other languages
French (fr)
Chinese (zh)
Inventor
张玉清
杨丁宁
宋杨
徐鹏
肖晖
Original Assignee
中国科学院研究生院
Priority date
Filing date
Publication date
Application filed by 中国科学院研究生院
Publication of WO2010048777A1

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/03: Protocol definition or specification
    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 51/00: User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L 51/58: Message adaptation for wireless communication
    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433: Vulnerability analysis

Definitions

  • Multimedia message protocol vulnerability mining method and system thereof
  • The invention relates to a protocol vulnerability mining method and system, in particular to a multimedia message (MMS) protocol vulnerability mining method and system, and belongs to the technical field of software engineering.
  • Smartphones have become popular personal electronic devices in modern society. According to research forecasts, the smartphone market will keep growing over the next few years: global shipments will grow from 80.5 million units in 2006 to 125 million in 2009, when smartphones will account for 16% of the global mobile phone market. On the other hand, smartphone functionality keeps improving; they can now run complex applications such as Internet access, video on demand, stock trading, electronic conferencing and document processing. With this, however, mobile phone security problems are becoming increasingly serious. At present more than 1,000 kinds of mobile malicious code exist, and in the last two years the growth rate of mobile phone viruses has been almost 10 times that of PC viruses. Most serious of all, more and more mobile phone viruses are beginning to exploit vulnerabilities in mobile phone platforms, causing greater damage and impact.
  • The hardware processing power of smartphones is far below that of PCs, which places higher demands on software running on the mobile phone platform.
  • An algorithm of the same time complexity may finish quickly on a PC but take a long time to produce a result on the mobile phone platform. Consequently many PC vulnerability mining and analysis tools, IDA Pro for example, are difficult to port to the mobile phone platform, which also imposes many restrictions on vulnerability mining technology.
  • The PC platform generally runs on an open TCP/IP network, which is very convenient for security vulnerability testing.
  • The MMS service network of a smartphone is based mainly on the mobile communication system, a closed network: the MMS service gateway and MMS servers are all located inside the operator's internal network and cannot be used for testing, so a test environment for the mobile phone platform cannot be built through that network.
  • The actual price of sending MMS messages is relatively high; during MMS vulnerability mining it is often hard to bear the cost of sending MMS messages, which is not economical.
  • The object of the present invention is to design a practical and effective MMS protocol vulnerability mining technique and build a simulated MMS sending and receiving environment, solving the difficulties and problems currently encountered in security vulnerability analysis on target devices that use the MMS protocol, so that vulnerability mining can be performed on the MMS service of such target devices, in particular vulnerability testing and mining of the MMS protocol on the smartphone platform.
  • The technical solution of the present invention is a multimedia message protocol vulnerability mining method, the steps of which are as follows:
  • The MMS message includes an MMS notification message and an MMS content message;
  • The vulnerable points to be tested of the MMS notification message include: X-Mms-Transaction-ID, X-Mms-Content-Location, From, Subject;
  • The vulnerable points to be tested of the MMS content message include: X-Mms-Transaction-ID, X-Mms-Content-Location, From, Subject, Content-Type, To, Cc, Bcc, Message-ID, Content-ID, ContentLocation.
  • The data types of the fields in the MMS message include an integer type and a string type.
  • The malformed data packet includes, but is not limited to, one or more of the following types of data packet: integer overflow type, over-long string overflow type, special character exception type, and format string type malformed data packets.
  • For the MMS notification message, the constructed malformed data packet is sent to the target device as follows: the simulated short message service center uses the MMS notification message Fuzzing test tool to send an MMS notification to the target device; the target device's tmail.exe listens for MMS notification messages via SMS and at the same time listens for MMS notification messages on UDP port 2948.
  • For the MMS content message, the constructed malformed data packet is sent to the target device as follows:
  • The target device constructs a corresponding WSP/WTP GET request according to the address of the server holding the MMS content, given in the MMS notification, and sends it to the configured simulated WAP gateway;
  • The simulated WAP gateway converts the WSP/WTP GET request into an HTTP GET request and sends it to the simulated multimedia message service center specified therein;
  • The simulated multimedia message service center sends the malformed MMS content back to the target device according to the GET request.
  • The abnormal response includes a timeout, because no reply is received from the target device, when a new MMS notification message is sent; an error message being displayed on the target device's screen; or the target device being unable to respond to the user's operations.
  • Determining the MMS protocol vulnerability of the target device includes determining the type, location, cause and severity of the target device's MMS protocol vulnerability.
  • A multimedia message protocol vulnerability mining system comprises a WAP gateway, a simulated multimedia message service center, an MMS message generator, a target device using the MMS protocol, and a simulated short message service center;
  • The connection relationship is: the simulated multimedia message center is connected to the WAP gateway through a local area network; the target device using the MMS protocol is connected to the simulated multimedia message center, the WAP gateway and the simulated short message service center through a local area network;
  • The WAP gateway is responsible for converting the WAP request of the target device using the MMS protocol into an HTTP request and sending that request to the simulated multimedia message service center specified therein;
  • The simulated multimedia message service center is used to simulate the multimedia message server function of a real MMS service network;
  • The MMS message generator is used to generate malformed data packets for MMS content message testing and to send the test data packets to a specified directory of the HTTP server running on the simulated multimedia message center;
  • The target device using the MMS protocol configures its MMS sending and receiving settings, setting the WAP gateway to the address of the simulated WAP gateway in the test environment and also setting the server address to the address of the simulated multimedia message service center in the test environment;
  • The simulated short message service center is used to generate the malformed data packets or MMS notification messages used in MMS notification message testing.
  • The server hosting the simulated multimedia message service center is an Apache HTTP server, to which a MIME type has been added to support files with the mms extension; the MMS message generator is an MMS message generator implemented on the basis of MMSLib.
  • The malformed data packet includes, but is not limited to, one or more of the following types of data packet: integer overflow type, over-long string overflow type, special character exception type, and format string type malformed data packets.
  • The present invention mainly adopts a vulnerability mining technique based on Fuzzing testing to solve this problem.
  • Fuzzing is an automated security vulnerability mining technique: it does not need to know the specific implementation details of the object under test, but only needs to construct a large quantity of semi-valid data or files as input, and can then discover the security vulnerabilities of the object under test from the corresponding responses.
  • The present invention builds a simulated MMS sending and receiving platform that simulates the WAP gateway, multimedia message server and short message server of the real MMS service operating environment.
  • The whole system is economical, practical and highly feasible; combined with Fuzzing test technology, it provides a practical and effective solution for MMS service vulnerability mining on the smartphone platform.
  • The invention is the first to propose a technical scheme for mining MMS protocol vulnerabilities with Fuzzing technology on the smartphone platform, and fully implements an MMS protocol vulnerability mining system in engineering terms; the system runs on a local area network using TCP/IP and
  • fully simulates the telecom operator's proprietary MMS service network. On this basis, the above technical solution was used to mine the MMS protocol. After the system was used to mine the current MMS protocol, two integer overflow vulnerabilities and eight over-long string vulnerabilities were discovered, including five unpublished vulnerabilities discovered for the first time, which fully demonstrates the effectiveness of the vulnerability mining method and system. At the same time, the technical solution of the present invention can be applied to vulnerability testing and mining on other target devices using the MMS protocol.
  • Figure 1 is a flow chart of the specific implementation of the Fuzzing test
  • Figure 2 shows the vulnerable test points of the MMS notification message
  • Figure 3 shows the vulnerable test points of the MMS content message
  • Figure 4 is a diagram of the simulation environment for MMS notification message testing
  • Figure 5 shows the running interface of the Fuzzing test tool for the MMS notification message
  • Figure 6 is a diagram of the simulation environment for MMS content message testing
  • Figure 7 is a system connection diagram of the present invention, in which solid arrows denote interconnection over a wired LAN running TCP/IP and dashed arrows denote interconnection over a wireless local area network.
  • Figure 1 shows the implementation of the Fuzzing test used for mining vulnerabilities of the MMS service.
  • The MMS protocol follows the Multimedia Messaging Service Encapsulation Specification published by the Open Mobile Alliance (OMA) and is not described here.
  • OMA: Open Mobile Alliance
  • The second step is to determine the vulnerable points to be tested and to construct the malformed data according to those points.
  • The malformed data is designed to be a legal MMS protocol packet.
  • The difference from a normal packet is that one or more specified fields in the malformed data are specially constructed; these specially constructed fields are regarded as vulnerable points that could trigger security holes.
  • The constructed MMS data packet can then be sent to mine vulnerabilities of the MMS service.
  • The MMS service test on the smartphone platform mainly tests the local smartphone terminal; therefore the MMS messages tested are mainly the MMS notification message (M-Notification.ind) and the MMS content message (M-Retrieve.conf) sent to the terminal handset. Based on the field definitions of the MMS notification message and the MMS content message, their vulnerable test points can be determined as shown in Figures 2 and 3.
  • The test data can be constructed according to the following rules:
  • (1) If the field type is an integer: integer overflow type malformed data packets can be constructed by setting various special values, namely very small numbers such as -1, 0, 1, 2, 10, 20, 30, etc.; very large numbers such as 0xffff, 0x7fff, etc.; and values near the boundaries of the value range, such as 2^8, 2^8-1, 2^8+1, 2^16, 2^24 or 2^31, etc.
  • (2) If the field type is a string: construct an over-long string overflow type malformed packet, i.e. a very long string, to check for buffer overflow vulnerabilities; construct a special character exception type malformed packet, i.e. mix special characters into the string, to check for exception-handling failure vulnerabilities; construct a format string type malformed packet, i.e. add a substring such as "%n", to test for format string vulnerabilities; and, if the field represents a file name, also add "../" to determine whether there is a directory traversal vulnerability.
  • The test environment for the MMS notification message is set up as follows.
  • Figure 4 shows the simulation environment built by the present invention for sending local MMS notification messages.
  • The GSM network of the mobile operator is replaced by a wireless local area network, and the constructed malformed MMS notification message is sent to the smartphone terminal by a PC-based simulated short message service center.
  • The running process is as follows:
  • The smartphone terminal supports the wireless LAN function.
  • A Dopod 818 pro is used in the simulation environment built in Figure 4.
  • The smartphone terminal connects to the wireless local area network through a wireless router and communicates over UDP with the PC-side simulated short message service center.
  • The tmail.exe of the smartphone terminal not only listens for MMS notification messages via SMS but also listens for MMS notification messages on UDP port 2948.
  • The simulated short message service center is interconnected with the smartphone via the connected LAN.
  • The malformed MMS notification message is structured as follows: fields other than the vulnerable test points listed in Figure 2 are padded with normal, valid data; fields that are vulnerable test points are filled, for each test, in one of the following ways or a combination of them:
  • A general string is filled with a randomly generated long string; for a string representing a file name, URL address, etc., where special characters are not allowed, special characters are randomly mixed into the string; for a format string, a substring such as "%n" is randomly inserted into the string; for a string representing a file name, "../" is randomly inserted into the string.
  • WAP gateway: a real WAP gateway is very expensive to use.
  • The present invention therefore uses the free and open source WAP gateway software Kannel, which is responsible for converting the smartphone's WAP requests into HTTP requests;
  • Simulated multimedia message service center: built with the Apache HTTP server and used to emulate the multimedia message server function.
  • The present invention extends the server by adding a new MIME type so that it can serve files with the mms extension;
  • MMS message generator: this module is implemented on the basis of MMSLib and is mainly used to generate the MMS data packets for testing and to place the test data packets in a specified directory of the HTTP server, from which the smartphone client fetches them for vulnerability mining;
  • The smartphone terminal and each simulated PC terminal are interconnected through a local area network to send and receive the different MMS message types.
  • The Fuzzing test process for MMS content is as follows:
  • The smartphone terminal constructs the corresponding WSP/WTP GET request according to the address of the server holding the MMS content, given in the MMS notification, and sends it to the configured simulated WAP gateway;
  • The simulated WAP gateway converts the WSP/WTP GET request into an HTTP GET request and sends it to the simulated multimedia message service center specified therein;
  • The simulated multimedia message service center sends the constructed malformed MMS content back to the mobile terminal according to the GET request, so that the security researcher can analyse the response of the smartphone terminal and determine whether a security hole exists; information such as the type and location of the vulnerability is recorded, and the above steps are repeated for the next round of vulnerability mining until the Fuzzing tool no longer reports new vulnerabilities.
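The construction rules above (integer fields: very small, very large and power-of-two boundary values; string fields: over-long strings, mixed-in special characters, format substrings such as "%n", and "../" for file-name fields) are enough to drive a small test-case generator. The following Python is an added example and not code from the patent or from MMSLib: the field names are the test points listed on the page, while the case structure, the helper names, the template values, the special-character set and the choice of X-Mms-Message-Size as the integer-typed field are assumptions made for the example.

```python
"""Fuzz-case generator following the construction rules described on this page.

Added example; not code from the patent or from MMSLib. Field names come from
the page's list of test points; the case structure, helper names, template
values and the integer-typed field are assumptions made for the example.
"""
import random
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List

# Vulnerable test points named on the page for the notification and content messages.
NOTIFICATION_FIELDS = ["X-Mms-Transaction-ID", "X-Mms-Content-Location", "From", "Subject"]
CONTENT_FIELDS = NOTIFICATION_FIELDS + ["Content-Type", "To", "Cc", "Bcc",
                                        "Message-ID", "Content-ID", "ContentLocation"]
# Assumption: the fields whose value names a file or URL, where "../" is also tried.
FILENAME_FIELDS = {"X-Mms-Content-Location", "ContentLocation"}
# Assumption: an integer-typed header used to exercise the integer rules; the page says
# fields are integer- or string-typed but does not tag individual fields.
INTEGER_FIELDS = {"X-Mms-Message-Size"}

# Integer values from the page: very small, very large, and values around 2^8, 2^16, 2^24, 2^31.
SMALL_INTS = [-1, 0, 1, 2, 10, 20, 30]
LARGE_INTS = [0xFFFF, 0x7FFF]
BOUNDARY_INTS = [v for p in (8, 16, 24, 31) for v in (2 ** p - 1, 2 ** p, 2 ** p + 1)]

# Constructed set of characters a name/URL field is expected to reject.
SPECIAL_CHARS = list("\"'<>&;|%\x00\r\n")
LONG_LENGTHS = [256, 1024, 4096, 65536]      # over-long string sizes (constructed)
FORMAT_SUBSTRINGS = ["%n", "%s%s%s%s", "%x" * 8]


@dataclass(frozen=True)
class FuzzCase:
    field: str      # the single test point that is malformed in this case
    kind: str       # integer-overflow | long-string | special-char | format-string | path-traversal
    value: object


def integer_cases(field: str) -> Iterator[FuzzCase]:
    """Integer overflow type: every special value from the page's integer rule."""
    for v in SMALL_INTS + LARGE_INTS + BOUNDARY_INTS:
        yield FuzzCase(field, "integer-overflow", v)


def string_cases(field: str, base: str, rng: random.Random) -> Iterator[FuzzCase]:
    """String rules: over-long, special characters mixed in, format substrings, "../" for file names."""
    for n in LONG_LENGTHS:
        yield FuzzCase(field, "long-string", "A" * n)
    for _ in range(4):
        chars = list(base)
        for ch in rng.sample(SPECIAL_CHARS, 3):
            chars.insert(rng.randrange(len(chars) + 1), ch)
        yield FuzzCase(field, "special-char", "".join(chars))
    for fmt in FORMAT_SUBSTRINGS:
        pos = rng.randrange(len(base) + 1)
        yield FuzzCase(field, "format-string", base[:pos] + fmt + base[pos:])
    if field in FILENAME_FIELDS:
        yield FuzzCase(field, "path-traversal", "../" * 4 + base)


def generate_cases(fields: Iterable[str], template: Dict[str, object], seed: int = 0) -> List[FuzzCase]:
    """All cases for the given test points; a fixed seed makes the run reproducible."""
    rng = random.Random(seed)
    cases: List[FuzzCase] = []
    for field in fields:
        if field in INTEGER_FIELDS:
            cases.extend(integer_cases(field))
        else:
            cases.extend(string_cases(field, str(template[field]), rng))
    return cases


def build_message(template: Dict[str, object], case: FuzzCase) -> Dict[str, object]:
    """Pad every other field with its valid template value; only the test point is malformed."""
    message = dict(template)
    message[case.field] = case.value
    return message


# Constructed valid template for a notification message (placeholder values, TEST-NET address).
NOTIFICATION_TEMPLATE: Dict[str, object] = {
    "X-Mms-Transaction-ID": "T0001",
    "X-Mms-Content-Location": "http://192.0.2.10/mms/case.mms",
    "From": "+15550100/TYPE=PLMN",
    "Subject": "hello",
    "X-Mms-Message-Size": 1024,
}

if __name__ == "__main__":
    for c in generate_cases(list(NOTIFICATION_TEMPLATE), NOTIFICATION_TEMPLATE, seed=1)[:3]:
        print(c.field, c.kind, repr(c.value)[:40])
```

Every case malforms exactly one field and pads the rest with the template's valid values, which is what later allows an abnormal response to be attributed to a single test point; the fixed seed makes a run reproducible, so a case that triggered a crash can be regenerated for confirmation.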

Abstract

The present invention provides a method and a system for mining multimedia message protocol vulnerabilities, belonging to the technical field of software engineering. The method includes: constructing a malformed data packet based on a vulnerable point to be tested of a multimedia message; sending the constructed malformed data packet to a target device that uses the multimedia message protocol; judging whether the sent malformed data packet causes an abnormal response from the target device; and determining the multimedia message protocol vulnerability of the target device based on the malformed data packet that caused the abnormal response. The system includes a WAP gateway, a simulated multimedia message service center, an MMS message generator, a target device using the multimedia message protocol, and a simulated short message service center. The present invention can mine multimedia message protocol vulnerabilities quickly and effectively, and is especially suitable for the smartphone platform.

Description

Multimedia message protocol vulnerability mining method and system thereof

Technical field

The invention relates to a protocol vulnerability mining method and system, in particular to a multimedia message (MMS) protocol vulnerability mining method and system, and belongs to the technical field of software engineering.

Background art

Smartphones have become popular personal electronic devices in modern society. According to research forecasts, the smartphone market will keep growing over the next few years: global shipments will grow from 80.5 million units in 2006 to 125 million in 2009, when smartphones will account for 16% of the global mobile phone market. On the other hand, smartphone functionality keeps improving; they can now run complex applications such as Internet access, video on demand, stock trading, electronic conferencing and document processing. With this, however, mobile phone security problems are becoming increasingly serious. At present more than 1,000 kinds of mobile malicious code exist, and in the last two years the growth rate of mobile phone viruses has been almost 10 times that of PC viruses. Most serious of all, more and more mobile phone viruses are beginning to exploit vulnerabilities in mobile phone platforms, causing greater damage and impact. At present most users are not sensitive to mobile phone security issues, and many manufacturers also neglect the security protection of mobile phones, all of which makes things easier for malicious attackers. Because of the particular nature of mobile phones, installing vulnerability patches is difficult, and once a security vulnerability is exploited illegally, the economic loss across such a huge user base is impossible to estimate.
In view of the seriousness of the threat posed by mobile phone security vulnerabilities, more and more security research institutions have begun vulnerability mining on smartphone platforms. However, the smartphone platform differs from the PC platform in many ways, which imposes many restrictions on vulnerability mining technology. In particular, when testing the MMS service of a smartphone platform, security researchers encounter many problems, all of which place higher demands on the implementation of MMS vulnerability mining technology.

First, the hardware processing power of smartphones is far below that of PCs, which places higher demands on software running on the mobile phone platform. An algorithm of the same time complexity may finish quickly on a PC but take a long time to produce a result on the mobile phone platform. Consequently many PC vulnerability mining and analysis tools, IDA Pro for example, are difficult to port to the mobile phone platform, which also imposes many restrictions on vulnerability mining technology.

Second, although the openness of smartphone operating systems keeps increasing, a large gap with the computer platform remains. Influenced by the closed nature of traditional mobile phone platforms, the development tools and technical support documents for many smartphone operating system platforms are still under licence protection, and only mobile phone software vendors or research institutions that have been granted security authorisation can obtain complete technical material and a more fully featured development platform. Security testers therefore cannot learn the specific implementation details of the MMS service, which also increases the difficulty of smartphone MMS security research.

In addition, the PC platform generally runs on an open TCP/IP network, which is very convenient for security vulnerability testing, whereas the MMS service network of a smartphone is based mainly on the mobile communication system, a closed network: the MMS service gateway and MMS servers are all located inside the operator's internal network and cannot be used for testing, so a test environment for the mobile phone platform cannot be built through that network. Finally, the actual price of sending MMS messages is relatively high; during MMS vulnerability mining it is often hard to bear the cost of sending MMS messages, which is not economical.

Summary of the invention

The object of the present invention is to design a practical and effective MMS protocol vulnerability mining technique and to build a simulated MMS sending and receiving environment, so as to solve the difficulties and problems currently encountered in security vulnerability analysis on target devices that use the MMS protocol, and thereby to perform vulnerability mining on the MMS service of target devices using the MMS protocol, in particular vulnerability testing and mining of the MMS protocol on the smartphone platform.
The technical solution of the present invention is a multimedia message protocol vulnerability mining method, the steps of which are:

1) constructing a malformed data packet according to the vulnerable points to be tested of an MMS message;

2) sending the constructed malformed data packet to a target device using the MMS protocol;

3) judging whether the sent malformed data packet causes an abnormal response of the target device;

4) determining the MMS protocol vulnerability of the target device according to the malformed data packet that caused the abnormal response of the target device.

The MMS message includes an MMS notification message and an MMS content message; the vulnerable points to be tested of the MMS notification message include: X-Mms-Transaction-ID, X-Mms-Content-Location, From, Subject; the vulnerable points to be tested of the MMS content message include: X-Mms-Transaction-ID, X-Mms-Content-Location, From, Subject, Content-Type, To, Cc, Bcc, Message-ID, Content-ID, ContentLocation.

The data types of the fields in the MMS message include an integer type and a string type.

The malformed data packet includes, but is not limited to, one or more of the following types of data packet: integer overflow type, over-long string overflow type, special character exception type, and format string type malformed data packets.
In the method, for the MMS notification message, the constructed malformed data packet is sent to the target device as follows: the simulated short message service center uses the MMS notification message Fuzzing test tool to send an MMS notification to the target device; the target device's tmail.exe listens for MMS notification messages via SMS and at the same time listens for MMS notification messages on UDP port 2948.

In the method, for the MMS content message, the constructed malformed data packet is sent to the target device as follows:

1) the malformed data packet is saved in a specified directory of the simulated multimedia message center;

2) the simulated short message center constructs a corresponding MMS notification message and sends the MMS notification to the target device via UDP/WAP PUSH;

3) the target device constructs a corresponding WSP/WTP GET request according to the address of the server holding the MMS content, given in the MMS notification, and sends it to the configured simulated WAP gateway;

4) the simulated WAP gateway converts the WSP/WTP GET request into an HTTP GET request and sends it to the simulated multimedia message service center specified therein;

5) the simulated multimedia message service center, according to the GET request, sends the malformed MMS content back to the target device.

The abnormal response includes a timeout, because no reply is received from the target device, when a new MMS notification message is sent; an error message being displayed on the target device's screen; or the target device being unable to respond to the user's operations. Determining the MMS protocol vulnerability of the target device includes determining the type, location, cause and severity of the target device's MMS protocol vulnerability.
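The first abnormal-response criterion above (the next notification times out because the device never replies) can be read off the simulated MMS center's HTTP access log, since a healthy device fetches each content message through the WAP gateway. The following Python is an added example and not code from the patent or its system: it assumes that each malformed content message is served by the Apache server as /mms/case-<N>.mms (a naming scheme chosen for the example) and that the tester records on-screen errors and hangs per case id; the log lines, case list, observations and severity scale are all constructed for the example.

```python
"""Abnormal-response detection for the content-message fuzzing loop on this page.

Added example, not code from the patent. Assumptions: each malformed content
message is served as /mms/case-<N>.mms by the simulated MMS center's Apache
server, so its access log shows which cases the handset fetched; the tester
notes on-screen errors and hangs per case id; the severity scale is made up.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Apache "common" log format; only method, path and status are used here.
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
CASE_RE = re.compile(r"/mms/case-(?P<id>\d+)\.mms$")


def fetched_cases(log_lines: Iterable[str]) -> Set[int]:
    """Case ids whose content the handset actually retrieved (HTTP 200 via the WAP gateway)."""
    got: Set[int] = set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue
        c = CASE_RE.search(m["path"])
        if c:
            got.add(int(c["id"]))
    return got


@dataclass(frozen=True)
class Finding:
    case_id: int
    field: str       # location: the test point the case malformed
    kind: str        # type: the fuzz kind of the case (integer-overflow, long-string, ...)
    reason: str      # timeout | screen-error | unresponsive
    severity: str    # constructed scale, not from the page


# Assumption: a severity scale for the record; the page asks for severity but gives no scale.
SEVERITY = {"unresponsive": "high", "timeout": "high", "screen-error": "medium"}


def detect_abnormal(cases: List[dict], log_lines: Iterable[str],
                    observations: Dict[int, str]) -> List[Finding]:
    """cases: ordered list of {"id", "field", "kind"} delivered one after another.

    A case is abnormal if (a) it was fetched but the handset never fetched the *next*
    case, i.e. the next notification timed out with no reply from the device, or
    (b) the tester observed an error message or an unresponsive handset for it.
    The last case cannot be judged by rule (a); an undelivered case is simply re-queued
    by the tool and produces no finding of its own.
    """
    got = fetched_cases(log_lines)
    findings: List[Finding] = []
    for i, case in enumerate(cases):
        reasons: List[str] = []
        if i + 1 < len(cases) and case["id"] in got and cases[i + 1]["id"] not in got:
            reasons.append("timeout")
        if case["id"] in observations:
            reasons.append(observations[case["id"]])
        for r in reasons:
            findings.append(Finding(case["id"], case["field"], case["kind"], r, SEVERITY[r]))
    return findings


# Constructed sample data: five cases, of which case 4 was never fetched after case 3.
SAMPLE_CASES = [
    {"id": 1, "field": "Subject", "kind": "long-string"},
    {"id": 2, "field": "From", "kind": "format-string"},
    {"id": 3, "field": "Content-Type", "kind": "long-string"},
    {"id": 4, "field": "To", "kind": "special-char"},
    {"id": 5, "field": "Message-ID", "kind": "long-string"},
]
SAMPLE_LOG = [
    '192.0.2.20 - - [10/Oct/2009:10:00:01 +0800] "GET /mms/case-1.mms HTTP/1.1" 200 412',
    '192.0.2.20 - - [10/Oct/2009:10:00:09 +0800] "GET /mms/case-2.mms HTTP/1.1" 200 4110',
    '192.0.2.20 - - [10/Oct/2009:10:00:17 +0800] "GET /mms/case-3.mms HTTP/1.1" 200 65987',
    '192.0.2.20 - - [10/Oct/2009:10:02:40 +0800] "GET /mms/case-5.mms HTTP/1.1" 200 430',
    '192.0.2.20 - - [10/Oct/2009:10:02:41 +0800] "GET /favicon.ico HTTP/1.1" 404 209',
]
SAMPLE_OBSERVATIONS = {2: "screen-error"}   # tester saw an error dialog after case 2

if __name__ == "__main__":
    for f in detect_abnormal(SAMPLE_CASES, SAMPLE_LOG, SAMPLE_OBSERVATIONS):
        print(f)
```

Each finding already carries the type (fuzz kind) and location (field) the page asks to record; cause and a real severity still need manual analysis of the handset, which is why the tool only ranks candidates and the researcher confirms them by regenerating the case.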
A multimedia message protocol vulnerability mining system comprises a WAP gateway, a simulated multimedia message service center, an MMS message generator, a target device using the MMS protocol, and a simulated short message service center; the connection relationship is: the simulated multimedia message center is connected to the WAP gateway through a local area network; the target device using the MMS protocol is connected to the simulated multimedia message center, the WAP gateway and the simulated short message service center through a local area network;

the WAP gateway is responsible for converting the WAP request of the target device using the MMS protocol into an HTTP request and sending that request to the simulated multimedia message service center specified therein;

the simulated multimedia message service center is used to simulate the multimedia message server function of a real MMS service network;

the MMS message generator is used to generate malformed data packets for MMS content message testing and to send the test data packets to a specified directory of the HTTP server running on the simulated multimedia message center; the target device using the MMS protocol configures its MMS sending and receiving settings, setting the WAP gateway to the address of the simulated WAP gateway in the test environment and also setting the server address to the address of the simulated multimedia message service center in the test environment;

the simulated short message service center is used to generate the malformed data packets or MMS notification messages used in MMS notification message testing.

The server hosting the simulated multimedia message service center is an Apache HTTP server, to which a MIME type has been added to support files with the mms extension; the MMS message generator is an MMS message generator implemented on the basis of MMSLib.

The malformed data packet includes, but is not limited to, one or more of the following types of data packet: integer overflow type, over-long string overflow type, special character exception type, and format string type malformed data packets.
Because the source code of the MMS service on smartphone platforms is not available, the invention relies mainly on fuzzing-based vulnerability mining. Fuzzing is an automated vulnerability discovery technique: it requires no knowledge of the implementation details of the target, only the construction of a large number of semi-valid data items or files as input, and from the target's responses it reveals the security vulnerabilities the target contains.
Because a real MMS service runs inside a closed mobile operator network, the invention builds a simulated MMS send/receive platform in which the WAP gateway, the multimedia message server and the short message server of the real environment are all simulated, and an open TCP/IP local area network replaces the wireless GPRS network for carrying MMS messages. The whole system is economical, practical and highly feasible, and combined with fuzzing it offers a workable solution for MMS service vulnerability mining on smartphone platforms.
The positive effects of the invention are:
The invention is the first to propose using fuzzing to mine vulnerabilities in the MMS protocol on smartphone platforms, and it fully implements an MMS protocol vulnerability mining system in which a local area network running TCP/IP completely simulates a telecom operator's proprietary MMS service network; on that basis the scheme above is applied to the MMS protocol. Using this system against the current MMS protocol uncovered 2 integer overflow vulnerabilities and 8 over-long string vulnerabilities, 5 of which were previously unpublished and are discovered here for the first time. This demonstrates the effectiveness of the method and system, and the scheme can also be applied to vulnerability testing and mining on other target devices that use the MMS protocol.

Brief Description of the Drawings
Figure 1 is a flow chart of the fuzzing test procedure;
Figure 2 shows the vulnerable test points of the MMS notification message;
Figure 3 shows the vulnerable test points of the MMS content message;
Figure 4 shows the simulated runtime environment for the MMS notification message;
Figure 5 shows the user interface of the fuzzing tool for MMS notification messages;
Figure 6 shows the simulated runtime environment for MMS content message testing;
Figure 7 is the connection diagram of the system of the invention, in which solid arrows denote interconnection over a wired local area network running TCP/IP and dashed arrows denote interconnection over a wireless local area network.

Detailed Description
Specific embodiments of the invention are described in detail below with reference to the drawings.
1. Procedure of the fuzzing test
Figure 1 shows the fuzzing procedure used to mine vulnerabilities in the MMS service. First, the MMS protocol must be analysed in detail to understand the kinds of MMS messages and the composition and meaning of the fields in each message. For a detailed description of the MMS protocol format see the Multimedia Messaging Service Encapsulation Specification published by the Open Mobile Alliance (OMA); it is not repeated here. Next, the vulnerable points the test will target are identified and malformed data is constructed for them. The malformed data is designed to be a legal MMS protocol packet; it differs from a normal packet only in that one or more designated fields are specially constructed, and these specially constructed fields are the vulnerable points thought capable of triggering security vulnerabilities. Once the malformed MMS messages have been constructed they can be sent, and vulnerability mining of the MMS service can proceed.
MMS service testing on a smartphone platform mainly targets the local smartphone terminal. The MMS messages tested are therefore mainly the MMS notification message (M-Notification.ind) and the MMS content message (M-Retrieve.conf) sent to the handset. From the field definitions of these two messages, the vulnerable test points shown in Figures 2 and 3 can be identified.
Test data for the vulnerable test point fields is constructed according to the following rules, by field data type:
(1) Integer fields: construct integer overflow packets by setting different special values: very small numbers such as -1, 0, 1, 2, 10, 20 and 30; very large numbers such as 0xffff, 0x7fff and 0x匿fff; and values around the boundaries of the field's range, such as 2^8, 2^8-1, 2^8+1, 2^16, 2^24 or 2^31.
(2) String fields: construct over-long string overflow packets, i.e. build an over-long string to check for buffer overflow vulnerabilities; construct special-character exception packets, i.e. mix special characters into the string to check for exception-handling failures; construct format string packets, i.e. add substrings such as "%n" to test for format string vulnerabilities; and, if the field represents a file name, also add "../" to check for directory traversal vulnerabilities.
(3) Combinations of several fields must also be considered. For example, if two fields hold a file name and a directory name, data can be constructed so that the combined length of the "file name" and the "directory name" is extremely large, to test for exception-handling failure vulnerabilities and the like.
2. Test environment for the MMS notification message
In a production MMS service the MMS notification message is delivered by the short message service center as a WAP PUSH message over SMS. Figure 4 shows the simulated runtime environment built by the invention for sending local MMS notification messages.
In this simulated environment a wireless local area network replaces the mobile operator's GSM network, and a PC acting as the short message service center sends the constructed malformed MMS notification messages to the smartphone terminal. The procedure is as follows:
(1) The smartphone terminal supports wireless LAN; the simulated environment in Figure 4 uses a Dopod 818 Pro. The terminal joins the wireless LAN through a wireless router and communicates with the simulated short message service center on the PC over UDP. The terminal's tmail.exe listens for MMS notification messages not only via SMS but also on UDP port 2948.
(2) An ordinary PC simulates the short message service center and is connected to the smartphone over the local area network. The MMS notification message fuzzing tool sends the constructed malformed MMS notifications to the smartphone over UDP/WAP PUSH. The malformed notification messages are constructed as follows: fields other than the vulnerable test points listed in Figure 2 are filled with normal, valid data; fields that are vulnerable test points are filled, in each test, using one of the following methods or a combination of them:
• Set the byte that encodes a string length to a special integer value such as 0x0, 0x7f or 0xff.
• If the field contains a string: for ordinary strings, fill it with a randomly generated over-long string; for strings such as file names or URLs in which special characters are not allowed, mix random special characters into the string; for format strings, randomly insert substrings such as "%n"; for strings that represent file names, randomly insert "../".
In each test a single vulnerable test point or a combination of several can be tested.
(3) If the smartphone stops responding after receiving the notification message (a subsequent MMS notification message times out because no response is received, the handset screen shows an error message, or the handset no longer reacts to user operations), the notification just sent is judged to have triggered a vulnerability in the smartphone's MMS protocol stack, which completes the MMS notification message test, as shown in Figure 5. The researcher can reproduce the vulnerability from the content of the notification message that triggered it and go on to investigate its cause, severity and exploitability.
3. Test environment for the MMS content message
The test environment for MMS content messages is shown in Figure 6. The roles of the main participants are as follows:
(1) WAP gateway. Commercial WAP gateways are very expensive, so for ease of testing the invention uses Kannel, a free and open-source WAP gateway, which converts the smartphone's WAP requests into HTTP requests;
(2) Simulated multimedia messaging service center. It is built on the Apache HTTP server and emulates the multimedia message server. Here the server is extended with a new MIME type so that it can serve files with the mms extension;
(3) MMS message generator. This module is built on MMSLib; it generates the MMS data packets used for testing and places them in a specified directory of the HTTP server, where the smartphone client can fetch them for vulnerability mining;
(4) Smartphone terminal. The terminal's MMS send/receive settings are configured so that the WAP gateway is the WAP gateway address in the test environment and the server address is the address of the simulated multimedia messaging service center in the test environment. With this, the environment for receiving MMS messages is complete.
The smartphone terminal and the simulating PCs are interconnected over the local area network so that the different MMS message types can be sent and received. The fuzzing test of MMS content proceeds as follows:
(1) The MMS message generator builds malformed test MMS messages according to the fuzzing test data construction rules and saves them in the specified directory of the simulated multimedia messaging center. The malformed test MMS messages are constructed as follows: fields other than the vulnerable test points listed in Figure 3 are filled with normal, valid data; fields that are vulnerable test points are filled, in each test, using one of the following methods or a combination of them:
• Set the byte in the field that encodes a string length to a special integer value such as 0x0, 0x7f or 0xff.
• If the field contains a string: for ordinary strings, fill it with a randomly generated over-long string; for strings such as file names or URLs in which special characters are not allowed, mix random special characters into the string; for format strings, randomly insert substrings such as "%n"; for strings that represent file names, randomly insert "../".
In each test a single vulnerable test point or a combination of several can be tested.
(2) The simulated short message center builds the corresponding MMS notification message and sends the notification to the smartphone terminal over UDP/WAP PUSH;
(3) The smartphone terminal builds the corresponding WSP/WTP GET request from the server address of the MMS content given in the notification and sends it to the configured simulated WAP gateway;
(4) The simulated WAP gateway converts the WSP/WTP GET request into an HTTP GET request and sends it to the simulated multimedia messaging service center specified in it;
(5) In response to the GET request the simulated multimedia messaging service center sends the constructed malformed MMS content back to the handset, so that security researchers can analyse the terminal's response and decide whether a vulnerability exists. The type and location of any vulnerability found are recorded and the steps above are repeated for the next round of vulnerability mining until the fuzzing tool reports no new vulnerabilities.
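The construction rules of section 1 and the per-field mutations applied to the notification message (section 2) and the content message (section 3) can be exercised offline against one's own decoder before any handset is involved. The following Python is an added example, not the patent's MMSLib-based generator or its fuzzing tool: it encodes an M-Notification.ind PDU with the header field codes of the OMA MMS Encapsulation Specification, generates test cases following the patent's rules (a length byte set to 0x00/0x7f/0xff, integer boundary values, an over-long string, a string starting with a high-bit byte, an embedded NUL, "%n" and "../" in the content location, a truncated PDU), and runs them through a strict decoder in which every length is checked against the buffer. The decoder, the `from_len` hook, the case labels and the sample values (the sender address, the 192.0.2.10 URL) are this example's own assumptions, and it handles only the short Value-length and Long-integer forms (length byte below 31).

```python
import random

# Header field codes from the OMA MMS Encapsulation assigned-numbers table (high bit set).
FIELD = {"X-Mms-Message-Type": 0x8C, "X-Mms-Transaction-ID": 0x98, "X-Mms-MMS-Version": 0x8D,
         "From": 0x89, "Subject": 0x96, "X-Mms-Message-Class": 0x8A, "X-Mms-Message-Size": 0x8E,
         "X-Mms-Expiry": 0x88, "X-Mms-Content-Location": 0x83}
NAME = {code: name for name, code in FIELD.items()}
M_NOTIFICATION_IND, MMS_VERSION_1_0, CLASS_PERSONAL = 0x82, 0x90, 0x80
SINGLE_BYTE = ("X-Mms-Message-Type", "X-Mms-MMS-Version", "X-Mms-Message-Class")
TEXT = ("X-Mms-Transaction-ID", "Subject", "X-Mms-Content-Location")

def text_string(s: bytes) -> bytes:
    """WSP Text-string: 0x7F quote if the first byte is >= 0x80, the bytes, then a NUL terminator."""
    return (b"\x7f" if s and s[0] >= 0x80 else b"") + s + b"\x00"

def long_integer(n: int) -> bytes:
    """WSP Long-integer: one length byte followed by the big-endian magnitude bytes."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([len(body)]) + body

def encode_notification(transaction_id, sender, subject, size, expiry, location, from_len=None):
    """Build an M-Notification.ind PDU. from_len (this example's fuzz hook) overrides the From
    header's Value-length byte, whose correct value is the length of the address payload."""
    addr = b"\x80" + text_string(sender)           # Address-present-token + Encoded-string
    exp = b"\x81" + long_integer(expiry)           # Relative-token + Delta-seconds
    from_vl = bytes([len(addr) if from_len is None else from_len])   # short Value-length (< 31)
    return b"".join([
        bytes([FIELD["X-Mms-Message-Type"], M_NOTIFICATION_IND]),
        bytes([FIELD["X-Mms-Transaction-ID"]]), text_string(transaction_id),
        bytes([FIELD["X-Mms-MMS-Version"], MMS_VERSION_1_0]),
        bytes([FIELD["From"]]), from_vl, addr,
        bytes([FIELD["Subject"]]), text_string(subject),
        bytes([FIELD["X-Mms-Message-Class"], CLASS_PERSONAL]),
        bytes([FIELD["X-Mms-Message-Size"]]), long_integer(size),
        bytes([FIELD["X-Mms-Expiry"], len(exp)]), exp,
        bytes([FIELD["X-Mms-Content-Location"]]), text_string(location)])

def decode_notification(buf: bytes) -> dict:
    """Strict decoder: every length is checked against the buffer and malformed input raises
    ValueError instead of reading past the end (the failure class the length-byte mutations probe)."""
    hdrs, i = {}, 0
    while i < len(buf):
        name, i = NAME.get(buf[i]), i + 1
        if name is None:
            raise ValueError("unknown header code")
        if name in SINGLE_BYTE:
            if i >= len(buf):
                raise ValueError("truncated " + name)
            hdrs[name], i = buf[i], i + 1
        elif name in TEXT:
            if i < len(buf) and buf[i] == 0x7F:    # quote byte before a high-bit first character
                i += 1
            end = buf.find(b"\x00", i)
            if end < 0:
                raise ValueError("unterminated text-string in " + name)
            hdrs[name], i = buf[i:end], end + 1
        else:                                       # Long-integer or Value-length: length byte, payload
            if i >= len(buf) or buf[i] == 0 or buf[i] > 30 or i + 1 + buf[i] > len(buf):
                raise ValueError("length byte of %s is invalid or overruns the buffer" % name)
            n = buf[i]
            hdrs[name], i = buf[i + 1:i + 1 + n], i + 1 + n
    if hdrs.get("X-Mms-Message-Type") != M_NOTIFICATION_IND:
        raise ValueError("not an M-Notification.ind")
    return hdrs

def fuzz_cases(seed=0):
    """(label, pdu) cases built per the patent's rules: valid fields, one vulnerable test point mutated."""
    rnd = random.Random(seed)
    base = dict(transaction_id=b"t1", sender=b"+8613800000000/TYPE=PLMN", subject=b"hi", size=1024,
                expiry=3600, location=b"http://192.0.2.10/mms/case.mms")    # constructed sample values
    cases = [("baseline", encode_notification(**base))]
    cases += [("from-length-0x%02x" % v, encode_notification(**base, from_len=v)) for v in (0x00, 0x7F, 0xFF)]
    cases += [("size-%d" % v, encode_notification(**{**base, "size": v}))
              for v in (0, 1, 0xFFFF, 2**8 - 1, 2**8 + 1, 2**16, 2**31)]      # integer boundary values
    overlong = bytes(rnd.choice(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ") for _ in range(rnd.randint(4096, 65535)))
    for label, field, value in (("subject-overlong", "subject", overlong),
                                ("subject-high-bit", "subject", b"\xff\xfe\x80hi"),
                                ("transaction-id-embedded-nul", "transaction_id", b"t\x001"),
                                ("location-format-string", "location", b"http://192.0.2.10/%n%n%s.mms"),
                                ("location-traversal", "location", b"http://192.0.2.10/../../case.mms")):
        cases.append((label, encode_notification(**{**base, field: value})))
    cases.append(("truncated-tail", encode_notification(**base)[:-5]))
    return cases

def run_harness(cases):
    """Map each case label to 'accepted', 'rejected' (clean ValueError) or 'CRASH:<exception>'."""
    results = {}
    for label, pdu in cases:
        try:
            decode_notification(pdu)
            results[label] = "accepted"
        except ValueError:
            results[label] = "rejected"
        except Exception as exc:                    # anything else is a parser defect to record
            results[label] = "CRASH:" + type(exc).__name__
    return results
```

`run_harness(fuzz_cases())` separates inputs the decoder rejects cleanly from inputs that escape its checks; the latter is the outcome the device-side test observes as a timeout, an error dialog or a hung handset. The same length and string mutations apply to the M-Retrieve.conf body served by the simulated multimedia messaging center, and the explicit bounds check on each length byte is the mitigation for the integer overflow and over-long string classes the page reports.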

Claims

1. A method for mining MMS protocol vulnerabilities, comprising the steps of:
1) constructing malformed data packets according to the vulnerable points under test in an MMS message;
2) sending the constructed malformed data packets to a target device that uses the MMS protocol;
3) determining whether a sent malformed data packet causes an abnormal response in the target device;
4) determining the MMS protocol vulnerability of the target device from the malformed data packet that caused the abnormal response.
2. The method of claim 1, wherein the MMS messages comprise an MMS notification message and an MMS content message; the vulnerable points under test in the MMS notification message comprise X-Mms-Transaction-ID, X-Mms-Content-Location, From and Subject; and the vulnerable points under test in the MMS content message comprise X-Mms-Transaction-ID, X-Mms-Content-Location, From, Subject, Content-Type, To, Cc, Bcc, Message-ID, Content-ID and Content-Location.
3. The method of claim 2, wherein the data types of the fields in the MMS messages comprise an integer type and a string type.
4. The method of claim 3, wherein the malformed data packets include, but are not limited to, one or more of the following types: integer overflow packets, over-long string overflow packets, special-character exception packets and format string packets.
5. The method of claim 2, wherein, for the MMS notification message, the constructed malformed data packets are sent to the target device as follows: a simulated short message service center sends MMS notifications to the target device using an MMS notification message fuzzing tool, and the target device's tmail.exe listens for MMS notification messages via SMS and also on UDP port 2948.
6. The method of claim 2, wherein, for the MMS content message, the constructed malformed data packets are sent to the target device as follows:
1) the malformed data packet is saved in a specified directory of the simulated multimedia messaging center;
2) the simulated short message center builds the corresponding MMS notification message and sends the notification to the target device over UDP/WAP PUSH;
3) the target device builds the corresponding WSP/WTP GET request from the server address of the MMS content given in the notification and sends it to the configured simulated WAP gateway;
4) the simulated WAP gateway converts the WSP/WTP GET request into an HTTP GET request and sends it to the simulated multimedia messaging service center specified in it;
5) in response to the GET request, the simulated multimedia messaging service center sends the malformed MMS content back to the target device.
7. The method of claim 2, wherein the abnormal response comprises a timeout because the target device does not answer when a new MMS notification message is sent, an error message shown on the target device's screen, or the target device no longer responding to user operations; and determining the MMS protocol vulnerability of the target device comprises determining the vulnerability's type, location, cause and severity.
8. An MMS protocol vulnerability mining system comprising a WAP gateway, a simulated multimedia messaging service center, an MMS message generator, a target device that uses the MMS protocol, and a simulated short message service center, connected as follows: the simulated multimedia messaging center is connected to the WAP gateway over a local area network; the target device using the MMS protocol is connected to the simulated multimedia messaging center, the WAP gateway and the simulated short message service center over a local area network; the WAP gateway converts WAP requests from the target device using the MMS protocol into HTTP requests and forwards each request to the simulated multimedia messaging service center specified in it;
the simulated multimedia messaging service center emulates the multimedia message server function of a real MMS service network;
the MMS message generator produces the malformed data packets used in MMS content message testing and places the test packets in a specified directory of the HTTP server running on the simulated multimedia messaging center; the MMS send/receive settings of the target device using the MMS protocol are configured so that its WAP gateway is the simulated WAP gateway address in the test environment and its server address is the address of the simulated multimedia messaging service center in the test environment;
the simulated short message service center produces the malformed data packets or MMS notification messages used in MMS notification message testing.
9. The system of claim 8, wherein the server hosting the simulated multimedia messaging service center is an Apache HTTP server to which a MIME type has been added so that it serves files with the mms extension; and the MMS message generator is an MMS message generator implemented on top of MMSLib.
10. The system of claim 8, wherein the malformed data packets include, but are not limited to, one or more of the following types: integer overflow packets, over-long string overflow packets, special-character exception packets and format string packets.
PCT/CN2009/001169 2008-10-28 2009-10-22 Method for excavating multimedia message protocol vulnerability and system thereof WO2010048777A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200810224953.0 2008-10-28
CN2008102249530A CN101459876B (en) 2008-10-28 2008-10-28 Multimedia message protocol failing mining method and system thereof

Publications (1)

Publication Number Publication Date
WO2010048777A1 true WO2010048777A1 (en) 2010-05-06

Family

ID=40770446

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/001169 WO2010048777A1 (en) 2008-10-28 2009-10-22 Method for excavating multimedia message protocol vulnerability and system thereof

Country Status (2)

Country Link
CN (1) CN101459876B (en)
WO (1) WO2010048777A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115941358A (en) * 2023-01-29 2023-04-07 国家工业信息安全发展研究中心 Vulnerability mining method and device, terminal equipment and storage medium

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101459876B (en) * 2008-10-28 2011-11-16 中国科学院研究生院 Multimedia message protocol failing mining method and system thereof
CN103533547B (en) * 2012-07-06 2018-06-01 中兴通讯股份有限公司 The hold-up interception method and system of multimedia message

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1730320A (en) * 2005-08-11 2006-02-08 南望信息产业集团有限公司 Electronic safe guard method based on multimedia information applied for automobile
CN1777319A (en) * 2005-12-01 2006-05-24 中国移动通信集团公司 Colour short message center system performance test system and method
CN101146246A (en) * 2006-09-15 2008-03-19 中兴通讯股份有限公司 Multi-media information dialing and testing system and its realization method
CN101459876A (en) * 2008-10-28 2009-06-17 中国科学院研究生院 Multimedia message protocol failing mining method and system thereof

Also Published As

Publication number Publication date
CN101459876A (en) 2009-06-17
CN101459876B (en) 2011-11-16

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 09822970; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 09822970; Country of ref document: EP; Kind code of ref document: A1