lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 21 Apr 2012 21:27:59 -0400
From: Jeffrey Walton <noloader@...il.com>
To: VSR Advisories <advisories@...curity.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: HTC IQRD Android Permission Leakage
	(CVE-2012-2217)

Gotta love it - defective spyware running as a driver or privileged
component. It reminds me of that DRM junk Adobe used to distribute
(Macrovision). It was a defective Windows driver that exposed users to
risk (http://technet.microsoft.com/en-us/security/bulletin/ms07-067).

Where are software liability laws when you need them.... (And not the
"bride a Congressman so there's no teeth" variety).

On Sat, Apr 21, 2012 at 9:16 PM, VSR Advisories
<advisories@...curity.com> wrote:
>                         VSR Security Advisory
>                       http://www.vsecurity.com/
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
> Advisory Name: HTC IQRD Android Permission Leakage
>  Release Date: 2012-04-20
>  Application: IQRD on HTC Android Phones
>       Author: Dan Rosenberg <drosenberg (at) vsecurity.com>
> Vendor Status: Patch Released
> CVE Candidate: CVE-2012-2217
>    Reference: http://www.vsecurity.com/resources/advisory/20120420-1/
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
>
> Product Description
> -------------------
> The IQRD service is HTC's implementation of a Carrier IQ porting layer on
> several HTC Android phones.  Carrier IQ is a data collection framework that may
> be deeply integrated into the Android application stack in order to provide
> cell carriers with detailed metrics data on device and network activity [1].
> To complete the integration of Carrier IQ on a specific device, phone
> manufacturers provide a "porting layer" that allows the Carrier IQ service to
> perform specific actions that may vary by device.
>
>
> Vulnerability Details
> ---------------------
> On December 22th, VSR identified a vulnerability in IQRD.  The IQRD service
> listens locally on a TCP socket bound to port 2479.  This socket is intended to
> allow the Carrier IQ service to request device-specific functionality from
> IQRD.  Unfortunately, there is no restriction or validation on which
> applications may request services using this socket.  As a result, any
> application with the android.permission.INTERNET permission may connect to this
> socket and send specially crafted messages in order to perform potentially
> malicious actions.
>
> In particular, it is possible for malicious applications to:
>
>    1. Trigger UI popup messages
>
>    2. Generate tones
>
>    3. Send arbitrary outbound SMS messages that do not appear in a user's
>       outbox, facilitating toll fraud
>
>    4. Retrieve a user's Network Access Identifier (NAI) and corresponding
>       password, potentially allowing rogue devices to impersonate the user
>       on a CDMA network
>
>
> Versions Affected
> -----------------
> The issue is confirmed to affect the HTC EVO 4G, HTC EVO Design 4G, EVO Shift
> 4G, HTC EVO 3D, HTC EVO View 4G, and HTC Hero on Sprint; and the HTC Vivid on
> AT&T.
>
>
> Vendor Response
> ---------------
> The following timeline details HTC's response to the reported issue:
>
> 2011-12-22    Vulnerability reported to HTC
> 2011-12-28    HTC confirms receipt, replies that fix is planned for early 2012
> 2012-03-10    VSR requests status update
> 2012-03-16    HTC confirms fix has been published
> 2012-03-26    HTC requests clarification on finding
> 2012-03-26    VSR provides clarification on finding, requests confirmation on
>              status of fix
> 2012-04-02    HTC provides confirmation of fix, requests further clarification
> 2012-04-02    VSR provides clarification on finding
> 2012-04-12    VSR provides draft advisory to HTC
> 2012-04-13    HTC provides corrections to advisory, requests disclosure date
> 2012-04-20    Coordinated disclosure
>
>
> Recommendation
> --------------
>
> HTC has issued a fix that will typically be provided as an OTA update by
> affected cell carriers.  If the update has not automatically been installed, it
> is possible to retrieve the update manually by navigating to Menu -> Settings
> -> System Updates -> HTC Software Update -> Check Now.
>
> The following software versions on Sprint are confirmed to resolve this issue:
>
> HTC EVO 4G:             4.67.651.3
> HTC EVO Design 4G:      2.12.651.5
> HTC EVO Shift 4G:       2.77.651.3
> HTC EVO 3D:             2.17.651.5
> HTC EVO View 4G:        2.23.651.1
>
> The following software versions on AT&T are confirmed to resolve this issue:
>
> HTC Vivid:              3.26.502.56
>
>
> All affected devices except the HTC Hero have received an over-the-air update.
> HTC and Sprint have declined to update the HTC Hero, citing its 2009 release,
> minimal current usage, and lack of malicious applications in the Android
> Marketplace exploiting this vulnerability.
>
> Users should be aware that devices that no longer receive updates due to
> switching carriers may remain vulnerable.
>
>
> Common Vulnerabilities and Exposures (CVE) Information
> ------------------------------------------------------
> The Common Vulnerabilities and Exposures (CVE) project has assigned the number
> CVE-2012-2217 to this issue.  This is a candidate for inclusion in the CVE list
> (http://cve.mitre.org), which standardizes names for security problems.
>
>
> Acknowledgements
> ----------------
> Thanks to HTC for their response and fix.
>
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
> References:
>
> 1. Carrier IQ
>   http://www.carrieriq.com
>
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
> This advisory is distributed for educational purposes only with the sincere
> hope that it will help promote public safety.  This advisory comes with
> absolutely NO WARRANTY; not even the implied warranty of merchantability or
> fitness for a particular purpose.  Neither Virtual Security Research, LLC nor
> the author accepts any liability for any direct, indirect, or consequential
> loss or damage arising from use of, or reliance on, this information.
>
> See the VSR disclosure policy for more information on our responsible disclosure
> practices:
>  http://www.vsecurity.com/company/disclosure
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>     Copyright 2012 Virtual Security Research, LLC.  All rights reserved.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ