lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 22 Oct 2004 14:01:10 +0200
From: Adam Gowdiak <zupa@....poznan.pl>
To: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com
Subject: J2ME security vulnerabilities



Hello all,

Since I received information from SUN Microsystems that they did not 
plan to release
Sun Alert for the issues I found in their CLDC [1] reference 
implementation, I would
like to announce the following.

I found two very serious security vulnerabilities in Java technology for 
mobile
devices (Java 2 Micro Edition) that might be affecting about 250 
millions [2] of
mobile phones  coming from Nokia, Siemens, Panasonic, Samsung, Motorola 
and others
[3]. Information about these flaws has been published at Hack In the Box 
Security
Conference [4] earlier this month in Kuala Lumpur, Malaysia.

Both vulnerabilities are implementation flaws in bytecode verifier 
component of
KVM (Java Virtual Machine for mobile devices) developed by SUN 
Microsystems. Each
of the flaws can be used to completely break Java security (Java type 
and memory
safety) on a mobile device and to obtain access to the phone data and 
underlying
operating system's functionality.

I verified on my Nokia DCT4 phone that malicious code exploiting one of 
the flaws
can steal data from the phone (i.e. phonebook, SMS messages), establish 
communication
with the Internet, send arbitrary SMS messages, write permanent memory 
of the phone
(FLASH), interfere with or intercept IPC communication occuring between 
native Nokia
OS tasks, install resident code on the phone. Any of the aforementioned 
actions can
be conducted without user knowledge and permission.

I would like to emphasize that although escaping the KVM sandbox and 
breaking Java
type and memory safety is almost straightforward, conducting malicious 
actions on
a given device is rather difficult as it usually requires deep knowledge 
about the
internal operation of the underlying OS (I spent four months reverse 
engineering
Nokia OS before I could do anything malicious from Java appplication on 
my phone).

I plan to release a research paper with all the details about the flaws 
including
device specific information and some additional material that didn’t fit 
into my
HITB talk, in a couple of months (1Q 2005).

Best Regards
Adam Gowdiak

Security Team of
POZNAN SUPERCOMPUTING AND NETWORKING CENTER
http://www.man.poznan.pl

[1] http://java.sun.com/products/cldc/
[2] http://media.corporate-ir.net/media_files/NYS/NOK/Beijing/mestaranta.pdf
[3] http://jal.sun.com/webapps/device/device
[4] http://conference.hackinthebox.org


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists