lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 18 Jun 2009 10:02:16 +0200 From: Collin Mulliner <collin@...aversion.net> To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk Subject: Nokia 6212 classic URI spoofing and DoS advisory (original date: Dec. 2008) Vulnerability Report --- BEGIN ADVISORY --- Manufacturer: Nokia (www.nokia.com) Device: Nokia 6212 Classic Firmware: V 05.16, 29-09-08, RM-396 Device Type: mobile phone OS: Nokia Series40 Subsystem: Near Field Communication ----------------------------- Executive Summary: URL Spoofing when displaying the content of a NDEF URI tag. Web browser does not display full hostname when loading a web page. Crash of the parser for parts of a NDEF record, reboots graphical user interface (GUI) of phone. ----------------------------- Reporter: Collin Mulliner <collin[AT]mulliner.org> ----------------------------- Affiliation: MUlliNER.ORG / the trifinite group ----------------------------- Time line: Presented at 25C3 : 29. December 2008 Reported to vendor : 01. January 2009 Received ack. : 05. January 2009 Published to mailing lists : 18. June 2009 ----------------------------- Brief Technical Details: The Nokia 6212 Classic mobile phone is a mobile phone featuring the Near Field Communication (NFC) technology (http://www.nfc-forum.org). The phone has multiple security vulnerabilities in the code that parses and displays the content of a NDEF tags and plain URI tags. 1) URI Spoofing (using plain URI tags) Long URLs are short end by removing the end of the URL replacing it with "..." (3 dots). This behavior can be abused for spoofing the URL that is displayed to the user. This way an attacker can trick a user into loading a malicious website. Also the phone does not display the URL of the website (URL can be looked up through a menu option). Spoofing works using the classic @ method. Certain characters are not allowed before the @ such as: / Example: http://www.example.com......@...liner.org:6666 Will be displayed as: http://www.example.com.... 2) NDEF Record Parser Crash The NDEF Record parser crashes if the record payload length field contains either 0xFFFFFFFF or 0xFFFFFFFE The crash will reboot the GUI of the phone. After 4 reboots in a row the phone will switch off completely (e.g. user constantly trying to read the tag containing this value). ----------------------------- More Detailed Information: More details, slides and tools are available here: http://www.mulliner.org/nfc/ Security Advisories: http://mulliner.org/security/advisories/ --- END ADVISORY --- -- Collin R. Mulliner <collin@...aversion.net> info/pgp: finger collin@...aversion.net I'm a .signature virus. Copy me to help me spread. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists