COMMAND

    WAP

SYSTEMS AFFECTED

    Nokia 7110 Wap Browser

PROBLEM

    Aidan O'Kelly found the following.  The Nokia 7110 WAP browser will
    happily pass form variables that were entered once to another  site
    later on (in the same session?  Not sure how long it stores them
    for).

    The problem is that the Nokia recognises forms and passes the values
    it used before to text/password boxes etc.

    So if you had a login form on one website that had an input box,
    type=text/password and name=userid, once you enter your userid,
    the Nokia stores it in a variable called $userid.  If the user
    surfs to another site with a text box of the same name it will put
    $userid into it.  It's not hard to guess what the variables from
    other sites would be called, and it's possible to get the phone to
    submit the form without ever even seeing it (using cards and timer
    events), so information could be gathered.

    This applies to the real phone as well (the phone definitely fills
    in the values; can't check if it does it for different hosts, but
    the 7110 simulator is pretty accurate).
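    The cross-site leak above comes down to how the browser scopes its
    variable context.  The following model is an added illustration, not
    Nokia's code and not the simulator's: it assumes (as the report
    describes) a single flat variable store shared by every site in the
    session, and contrasts it with a store keyed by the host that set the
    value, which is the behaviour a browser needs to stop one site's
    $userid from being pre-filled into another site's form.  The WML
    fragments, host names and values are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed WML input fragments standing in for two unrelated sites'
# cards.  Both use the common field name "userid", as the advisory notes.
BANK_CARD = '<input type="text" name="userid"/><input type="password" name="pin"/>'
OTHER_CARD = '<input type="text" name="userid"/><input type="text" name="comment"/>'

INPUT_RE = re.compile(r'<input\b[^>]*\bname="([^"]+)"')


def field_names(card):
    """Return the variable names referenced by <input> elements in a card."""
    return INPUT_RE.findall(card)


class GlobalVariableStore:
    """Models the reported 7110 behaviour (assumption): one flat variable
    context shared by every site visited during the session."""

    def __init__(self):
        self.vars = {}

    def submit(self, host, values):
        # The host that set the value is simply ignored.
        self.vars.update(values)

    def prefill(self, host, card):
        return {n: self.vars[n] for n in field_names(card) if n in self.vars}


class HostScopedStore:
    """Hardened model: variables are keyed by the host that set them, so a
    card served by a different host never sees another site's values."""

    def __init__(self):
        self.vars = defaultdict(dict)

    def submit(self, host, values):
        self.vars[host].update(values)

    def prefill(self, host, card):
        own = self.vars[host]
        return {n: own[n] for n in field_names(card) if n in own}


def leaked_fields(store_cls):
    """Simulate a login at bank.example followed by a visit to
    other.example; return the names other.example gets pre-filled."""
    store = store_cls()
    store.submit("bank.example", {"userid": "alice", "pin": "1234"})
    return sorted(store.prefill("other.example", OTHER_CARD))


if __name__ == "__main__":
    print("global store leaks:", leaked_fields(GlobalVariableStore))
    print("host-scoped store leaks:", leaked_fields(HostScopedStore))
```

    With the flat store, other.example receives $userid without the user
    typing anything; with the host-scoped store it receives nothing.  The
    password box is only protected in the second case by the same rule,
    since its name ("pin") is just as guessable as "userid".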

    How to scan?  Configure the WAP GW on your phone (eg. Siemens S35)
    to an address that points to a server within your network, and
    run tcpdump to see what IP number is sending requests to "my
    WAP GW" (UDP port 9201/2).  This IP number corresponds with your
    cellphone.  Ping it...

    The Nokia has a TCP stack and answers pings.  As said, you can
    also port-scan it, and find bootp (UDP) open....  No need to
    scan the WAP GW (nmap 2.53beta with the -O option; nmap did not
    recognise the OS).

SOLUTION

    Now regarding scanning phones - as you have noticed, it's up to the
    mobile operator how to set up its routing and address space.  In
    one case it could be private address space, which is quite a good
    choice because a) you won't get scanned or in any way accessed
    from the outside Internet and b) there are a lot of addresses in
    the 10.x.x.x network - 2^24 = about 16 million per operator/one set
    of settings.  In the case reported above (with portscanning and the
    phone hanging) the problem was that the mobile operator simply
    assigned public IP addresses to its WAP clients - a very unwise
    solution...
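    The tcpdump step in the PROBLEM section and the private-address
    advice here can be combined into a simple check: look at the source
    addresses of UDP 9201/9202 traffic reaching the gateway and flag any
    handset that is not in RFC 1918 space, since those are the ones
    reachable from the Internet.  The script below is an added example,
    not part of the original report or of any operator's tooling.  It
    assumes tcpdump's default one-line UDP output format; the capture
    lines, the gateway address 192.0.2.10 and the client addresses are all
    constructed.

```python
import re
from ipaddress import ip_address, ip_network

# RFC 1918 private ranges; the advisory's 10.x.x.x is one of them.
PRIVATE_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# The two WAP datagram ports the advisory mentions (UDP 9201/2).
WAP_PORTS = {9201, 9202}

# Constructed tcpdump-style lines, not a real capture.  192.0.2.10 plays
# the role of "my WAP GW"; the last line is a gateway reply and should be
# ignored because the handset is the destination there, not the source.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.43.2.17.2048 > 192.0.2.10.9201: UDP, length 96
12:00:01.250000 IP 203.0.113.55.3001 > 192.0.2.10.9201: UDP, length 88
12:00:02.100000 IP 172.20.9.4.2049 > 192.0.2.10.9202: UDP, length 140
12:00:02.400000 IP 198.51.100.7.80 > 192.0.2.10.9201: UDP, length 60
12:00:03.000000 IP 192.0.2.10.9201 > 10.43.2.17.2048: UDP, length 300
"""

# "IP src.sport > dst.dport: UDP" as tcpdump prints it for IPv4 UDP.
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP"
)


def is_rfc1918(addr):
    """True if addr falls inside one of the RFC 1918 private networks."""
    a = ip_address(addr)
    return any(a in net for net in PRIVATE_NETS)


def wap_clients(capture, gateway):
    """Map each source IP that sent UDP to the gateway's WAP ports to
    whether that address is private."""
    clients = {}
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(3), int(m.group(4))
        if dst == gateway and dport in WAP_PORTS:
            clients[src] = is_rfc1918(src)
    return clients


def exposed_clients(capture, gateway):
    """Handsets carrying public addresses, i.e. the ones that can be
    pinged and port-scanned from the Internet as the advisory describes."""
    return sorted(
        ip for ip, private in wap_clients(capture, gateway).items() if not private
    )


if __name__ == "__main__":
    for ip, private in sorted(wap_clients(SAMPLE_CAPTURE, "192.0.2.10").items()):
        print(f"{ip:16} {'private' if private else 'PUBLIC - reachable from Internet'}")
```

    On the sample capture two of the four handsets show up with public
    addresses; an operator running this against real gateway-side traffic
    would expect the exposed list to be empty.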