lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 18 Jun 2009 10:02:16 +0200
From: Collin Mulliner <>
Subject: Nokia 6212 classic URI spoofing and DoS advisory (original date:
 Dec. 2008)

Vulnerability Report


Manufacturer: Nokia (
Device:       Nokia 6212 Classic
Firmware:     V 05.16, 29-09-08, RM-396
Device Type:  mobile phone
OS:           Nokia Series40

Subsystem: Near Field Communication


Executive Summary:
  URL Spoofing when displaying the content of a NDEF
  URI tag. Web browser does not display full hostname when
  loading a web page.

  Crash of the parser for parts of a NDEF record, reboots
  graphical user interface (GUI) of phone.


Reporter: Collin Mulliner <collin[AT]>


Affiliation: MUlliNER.ORG / the trifinite group


Time line:

  Presented at 25C3          : 29. December 2008
  Reported to vendor         : 01. January  2009
  Received ack.              : 05. January  2009
  Published to mailing lists : 18. June     2009


Brief Technical Details:

  The Nokia 6212 Classic mobile phone is a mobile phone featuring the
  Near Field Communication (NFC) technology (
  The phone has multiple security vulnerabilities in the code that parses
  and displays the content of a NDEF tags and plain URI tags.

  1) URI Spoofing (using plain URI tags)

   Long URLs are short end by removing the end of the URL replacing it
   with "..." (3 dots). This behavior can be abused for spoofing the
   URL that is displayed to the user. This way an attacker can trick
   a user into loading a malicious website. Also the phone does not
   display the URL of the website (URL can be looked up through a menu

   Spoofing works using the classic @ method. Certain characters are
   not allowed before the @ such as: /


    Will be displayed as:

  2) NDEF Record Parser Crash

   The NDEF Record parser crashes if the record payload length field
   contains either 0xFFFFFFFF or 0xFFFFFFFE

   The crash will reboot the GUI of the phone. After 4 reboots in a row
   the phone will switch off completely (e.g. user constantly trying to
   read the tag containing this value).


More Detailed Information:

  More details, slides and tools are available here:

  Security Advisories:


Collin R. Mulliner <>
info/pgp: finger
I'm a .signature virus. Copy me to help me spread.

Powered by blists - more mailing lists