SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Device (VoIP/Phone/FAX)  >   Google Android Vendors:   Google
Google Android SMS and Dalvik API Bugs Let Remote Users Deny Service
SecurityTracker Alert ID:  1022986
SecurityTracker URL:  http://securitytracker.com/id/1022986
CVE Reference:   CVE-2009-2999   (Links to External Site)
Date:  Oct 6 2009
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Two vulnerabilities were reported in Google Android. A remote user can cause denial of service conditions.

A remote user can send a specially crafted SMS WAP Push message to cause the target device to disconnect from the network and restart [CVE-2009-2999].

A remote user can create an application that, when downloaded and executed by the target user, will exploit flaws in the Dalvik API to cause the target device to restart.

Charlie Miller and Collin Mulliner reported the SMS vulnerability.

Emmanouel Kellinis of KPMG London reported the Dalvik API vulnerability.

The original advisory is available at:

http://www.ocert.org/advisories/ocert-2009-014.html

Impact:   A remote user can cause the target device to reload.
Solution:   The vendor has issued a fix.

The source code fixes are available at:

http://android.git.kernel.org/?p=platform/frameworks/base.git;a=commit;h=46e23fe762d2143d60589ab6d39c4b47c2c754d1

http://android.git.kernel.org/?p=platform/frameworks/base.git;a=commit;h=cf4550c3198d6b3d92cdc52707fe70d7cc0caa9f

Vendor URL:  www.google.com/ (Links to External Site)
Cause:   Exception handling error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Mon, 5 Oct 2009 13:53:38 +0100
Subject:  [oCERT-2009-014] Android denial-of-service issues


#2009-014 Android denial-of-service issues

Description:

Android, an open source mobile phone platform, is affected by two bugs
that lead to denial-of-service (DoS) conditions.

Two separate DoS issues have been independently reported to oCERT.

The most recent report concerns Android handling of SMS messages: a
specific malformed SMS message can be crafted to trigger a condition that
disconnects the mobile phone from the cellular network. The malformed SMS
message consists of a badly formatted WAP Push message which causes an
Java ArrayIndexOutOfBoundsException in the phone application
(android.com.phone).

The phone application silently restarts without user awareness, this leads
to a temporary loss of connectivity (as well as dropping of current calls,
if any) which can be prolonged in case the phone SIM is protected by PIN,
due to required PIN re-entry and the need for user attention. Triggering
this bug (repeatedly in case no PIN is present) is considered a remote DoS
condition.

The second report addresses a number of issues discovered in the Android's
Dalvik API, one of them has been classified by the Android team as a DoS
vulnerability which leads to restarting the system process.

A specific malicious application can be crafted so that if it is
downloaded and executed by the user, it would trigger the vulnerable API
function and restart the system process. The same condition could occur if
a developer unintentionally places the vulnerable function in a place
where the execution path leads to that function call. Triggering this bug
is considered a DoS condition.

All the reported issues have been patched.

Affected version:

Malformed SMS DoS:
Android all 1.5 CRBxx versions (where xx are digits)

Dalvik API DoS:
Android <= 1.5

Fixed version:

Malformed SMS DoS:
Android 1.5 CBDxx, CRCxx and COCxx (where xx are digits)

Dalvik API DoS:
Android >= Donut DRC79

Credit: Charlie Miller, Collin Mulliner (malformed SMS DoS). Emmanouel
        Kellinis, KPMG London (Dalvik API DoS).

CVE: CVE-2009-2999 (malformed SMS DoS)

Timeline:

Malformed SMS DoS:
2009-06-19: reporters send report to Android Security team
2009-07-16: Android Security team releases patch to Android users
2009-07-30: Android Security team publicly release patch to open source
            Android
2009-08-27: Android Security Team, on behalf of Collin Mulliner, requests
            assistance from oCERT
2009-08-27: assigned CVE
2009-10-05: advisory release

Dalvik API DoS:
2009-04-24: vulnerability report received
2009-04-24: contacted Android Security team
2009-05-05: Android Security team indicates that most of the bugs are not
            considered security issues but rather stability ones
2009-05-19: reporter provides two additional bugs
2009-05-27: reporter and oCERT provide attack vectors and comments
2009-06-03: Android Security team agrees that one issue has a security
            impact, does not oppose to advisory release
2009-06-11: Android Security team indicates that all issues will be fixed
            in Donut release
2009-07-21: patch commited to open source Android repository
2009-10-01: Donut released to users
2009-10-05: advisory release

References:

Malformed SMS DoS:
http://android.git.kernel.org/?p=platform/frameworks/base.git;a=commit;h=46e23fe762d2143d60589ab6d39c4b47c2c754d1

Dalvik API DoS:
http://android.git.kernel.org/?p=platform/frameworks/base.git;a=commit;h=cf4550c3198d6b3d92cdc52707fe70d7cc0caa9f

Permalink:
http://www.ocert.org/advisories/ocert-2009-014.html

-- 
Andrea Barisani |                Founder & Project Coordinator
          oCERT | Open Source Computer Emergency Response Team

<lcars@ocert.org>                         http://www.ocert.org
 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
        "Pluralitas non est ponenda sine necessitate"

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC