Whitepaper: From 0 to 0Day on Symbian

Being the most widespread smartphone operating system, Symbian OS is a worthwile target for remote attacks. However, the obscurity of the operating system, combined with restrictions placed on end user devices and a lack of tools, make it very difficult for security researchers to work with Symbian based phones.

The goal of this whitepaper is to show that classic vulnerability analysis and exploitation is possible on Symbian OS smartphones. To this end, a set of methods and tools have been developed, and readily available standard software provided by Symbian has been modified to support debugging of memory mapped execute-in-place ROM. In this paper we will:

1. Show how to statically analyze XIP ROM images (dumping, restoring import export tables, searching for unsafe function calls)
2. Show how to enable run mode debugging of system binaries running from ROM IDA Pro, by patching the AppTRK debug agent
3. Show other of the modified AppTRK. As an example, we will show a fully automated multimedia file fuzzer
4. List and analyze the results of fuzzing the video- and audio codecs shipped with current Nokia smartphones
5. Discuss further ideas and concepts, such as jailbreak shellcode, and an IRC bot trojan for Symbian
   

The paper aims to show that it is possible to find and exploit bugs on Symbian phones (even in preinstalled system applications) without having access to special development hardware, and that exploits and worms similar to those found on desktop systems may be possible on Symbian based smartphones.

-----------------------------

https://www.sec-consult.com/files/SEC_Consult_Vulnerability_Lab_Pwning_Symbian_V1.03_PUBLIC.pdf