Date: Sat, 21 Apr 2012 21:27:59 -0400
From: Jeffrey Walton <noloader@...il.com>
To: VSR Advisories <advisories@...curity.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: HTC IQRD Android Permission Leakage (CVE-2012-2217)

Gotta love it - defective spyware running as a driver or privileged
component.

It reminds me of that DRM junk Adobe used to distribute (Macrovision).
It was a defective Windows driver that exposed users to risk
(http://technet.microsoft.com/en-us/security/bulletin/ms07-067).

Where are software liability laws when you need them.... (And not the
"bribe a Congressman so there's no teeth" variety).

On Sat, Apr 21, 2012 at 9:16 PM, VSR Advisories
<advisories@...curity.com> wrote:
> VSR Security Advisory
> http://www.vsecurity.com/
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
> Advisory Name: HTC IQRD Android Permission Leakage
> Release Date: 2012-04-20
> Application: IQRD on HTC Android Phones
> Author: Dan Rosenberg <drosenberg (at) vsecurity.com>
> Vendor Status: Patch Released
> CVE Candidate: CVE-2012-2217
> Reference: http://www.vsecurity.com/resources/advisory/20120420-1/
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
>
> Product Description
> -------------------
> The IQRD service is HTC's implementation of a Carrier IQ porting layer on
> several HTC Android phones. Carrier IQ is a data collection framework that may
> be deeply integrated into the Android application stack in order to provide
> cell carriers with detailed metrics data on device and network activity [1].
> To complete the integration of Carrier IQ on a specific device, phone
> manufacturers provide a "porting layer" that allows the Carrier IQ service to
> perform specific actions that may vary by device.
>
>
> Vulnerability Details
> ---------------------
> On December 22nd, VSR identified a vulnerability in IQRD. The IQRD service
> listens locally on a TCP socket bound to port 2479. This socket is intended to
> allow the Carrier IQ service to request device-specific functionality from
> IQRD. Unfortunately, there is no restriction or validation on which
> applications may request services using this socket. As a result, any
> application with the android.permission.INTERNET permission may connect to this
> socket and send specially crafted messages in order to perform potentially
> malicious actions.
>
> In particular, it is possible for malicious applications to:
>
> 1. Trigger UI popup messages
>
> 2. Generate tones
>
> 3. Send arbitrary outbound SMS messages that do not appear in a user's
>    outbox, facilitating toll fraud
>
> 4. Retrieve a user's Network Access Identifier (NAI) and corresponding
>    password, potentially allowing rogue devices to impersonate the user
>    on a CDMA network
>
>
> Versions Affected
> -----------------
> The issue is confirmed to affect the HTC EVO 4G, HTC EVO Design 4G, EVO Shift
> 4G, HTC EVO 3D, HTC EVO View 4G, and HTC Hero on Sprint; and the HTC Vivid on
> AT&T.
>
>
> Vendor Response
> ---------------
> The following timeline details HTC's response to the reported issue:
>
> 2011-12-22  Vulnerability reported to HTC
> 2011-12-28  HTC confirms receipt, replies that fix is planned for early 2012
> 2012-03-10  VSR requests status update
> 2012-03-16  HTC confirms fix has been published
> 2012-03-26  HTC requests clarification on finding
> 2012-03-26  VSR provides clarification on finding, requests confirmation on
>             status of fix
> 2012-04-02  HTC provides confirmation of fix, requests further clarification
> 2012-04-02  VSR provides clarification on finding
> 2012-04-12  VSR provides draft advisory to HTC
> 2012-04-13  HTC provides corrections to advisory, requests disclosure date
> 2012-04-20  Coordinated disclosure
>
>
> Recommendation
> --------------
>
> HTC has issued a fix that will typically be provided as an OTA update by
> affected cell carriers. If the update has not automatically been installed, it
> is possible to retrieve the update manually by navigating to Menu -> Settings
> -> System Updates -> HTC Software Update -> Check Now.
>
> The following software versions on Sprint are confirmed to resolve this issue:
>
> HTC EVO 4G:         4.67.651.3
> HTC EVO Design 4G:  2.12.651.5
> HTC EVO Shift 4G:   2.77.651.3
> HTC EVO 3D:         2.17.651.5
> HTC EVO View 4G:    2.23.651.1
>
> The following software versions on AT&T are confirmed to resolve this issue:
>
> HTC Vivid:          3.26.502.56
>
>
> All affected devices except the HTC Hero have received an over-the-air update.
> HTC and Sprint have declined to update the HTC Hero, citing its 2009 release,
> minimal current usage, and lack of malicious applications in the Android
> Marketplace exploiting this vulnerability.
>
> Users should be aware that devices that no longer receive updates due to
> switching carriers may remain vulnerable.
>
>
> Common Vulnerabilities and Exposures (CVE) Information
> ------------------------------------------------------
> The Common Vulnerabilities and Exposures (CVE) project has assigned the number
> CVE-2012-2217 to this issue. This is a candidate for inclusion in the CVE list
> (http://cve.mitre.org), which standardizes names for security problems.
>
>
> Acknowledgements
> ----------------
> Thanks to HTC for their response and fix.
>
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
> References:
>
> 1. Carrier IQ
>    http://www.carrieriq.com
>
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
> This advisory is distributed for educational purposes only with the sincere
> hope that it will help promote public safety. This advisory comes with
> absolutely NO WARRANTY; not even the implied warranty of merchantability or
> fitness for a particular purpose. Neither Virtual Security Research, LLC nor
> the author accepts any liability for any direct, indirect, or consequential
> loss or damage arising from use of, or reliance on, this information.
>
> See the VSR disclosure policy for more information on our responsible disclosure
> practices:
> http://www.vsecurity.com/company/disclosure
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Copyright 2012 Virtual Security Research, LLC. All rights reserved.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
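
The local listener described in the quoted advisory can be audited from a device's socket table; the following is an added example, not part of the original message or the VSR advisory. It parses `/proc/net/tcp` text for a LISTEN socket on port 2479 and for the UIDs of loopback clients connected to it. The sample table, its UIDs, and the helper names (`parse_endpoint`, `rows`, `audit_port`) are constructed for illustration.

```python
import socket

IQRD_PORT = 2479                          # port named in the advisory
TCP_ESTABLISHED, TCP_LISTEN = 0x01, 0x0A  # kernel state codes in /proc/net/tcp

# Constructed sample of /proc/net/tcp output (not captured from a real device).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:09AF 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4211 1 00000000 300 0 0 2 -1
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10052        0 5120 1 00000000 300 0 0 2 -1
   2: 0100007F:C350 0100007F:09AF 01 00000000:00000000 00:00000000 00000000 10087        0 6002 1 00000000 300 0 0 2 -1
"""

def parse_endpoint(field):
    """Decode 'HEXADDR:HEXPORT'; IPv4 addresses are stored little-endian."""
    addr_hex, port_hex = field.split(":")
    addr = socket.inet_ntoa(bytes.fromhex(addr_hex)[::-1])
    return addr, int(port_hex, 16)

def rows(proc_net_tcp):
    """Yield (local, remote, state, uid) per socket row, skipping the header."""
    for line in proc_net_tcp.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 8:
            continue  # blank or truncated row
        yield (parse_endpoint(cols[1]), parse_endpoint(cols[2]),
               int(cols[3], 16), int(cols[7]))

def audit_port(proc_net_tcp, port=IQRD_PORT):
    """Return ([(listen_addr, owner_uid)], [uids of loopback clients of port])."""
    listeners, client_uids = [], set()
    for local, remote, state, uid in rows(proc_net_tcp):
        if state == TCP_LISTEN and local[1] == port:
            listeners.append((local[0], uid))
        elif (state == TCP_ESTABLISHED and remote[1] == port
              and remote[0].startswith("127.")):
            client_uids.add(uid)  # app UID holding a connection to the service
    return listeners, sorted(client_uids)

if __name__ == "__main__":
    listeners, clients = audit_port(SAMPLE_PROC_NET_TCP)
    for addr, uid in listeners:
        print(f"LISTEN {addr}:{IQRD_PORT} owned by uid {uid}")
    print("client UIDs to review:", clients or "none")
    if not listeners:
        print(f"no listener on port {IQRD_PORT}")
```

A device that still shows a listener on this port after updating warrants a check of its software version against the fixed versions listed in the advisory.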