lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1246871305.2737.39.camel@b4byl0n>
Date: Mon, 6 Jul 2009 11:08:25 +0200
From: Bernhard Mueller <research@...-consult.com>
To: Bugtraq <bugtraq@...urityfocus.com>,
	Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Pwning Nokia phones (and other Symbian based smartphones)

Hello,

I'll just leave this here ;)

https://www.sec-consult.com/files/SEC_Consult_Vulnerability_Lab_Pwning_Symbian_V1.03_PUBLIC.pdf

Abstract:

1. Perform static analysis of XIP ROM images (dumping, restoring import
and export tables, searching for unsafe function calls)
2. Enable run mode debugging of system binaries running from ROM, by
cracking the AppTRK debug agent
3. (Ab-)use the AppTRK debug agent as a foundation for dynamic
vulnerability analysis
3. Build an exemplary file fuzzer for the video- and audio codecs
shipped with current Nokia smartphones
4. List and briefly analyze the identified bugs
5. Discuss further ideas and concepts, such as jailbreak shellcode, and
an IRC bot trojan for Symbian

We aim to show that it is possible to find and exploit bugs on Symbian
smartphones, even in preinstalled system applications, without having
access to special development hardware, and that exploits and worms
similar to those found on desktop systems may be possible on Symbian.
The bugs listed in this paper have been sent to Nokia and are currently
under review. Mobile phone manufacturers should be aware that remote
vulnerabilities of the kind discussed in this paper could be used in
targeted attacks to remotely compromise a smartphone (track GPS, turn on
mic, etc.), or as a means of propagation for mobile network worms.

-- 
_________________________________________

Bernhard Mueller
Security Consultant

SEC Consult Unternehmensberatung GmbH
www.sec-consult.com

A-1190 Vienna, Mooslackengasse 17
phone     +43 1 8903043 34
fax       +43 1 8903043 15
mobile    +43 676 840301 718
email     b.mueller@...-consult.com

Firmenbuch Wiener Neustadt: 227896t, UID: ATU56165223
Firmensitz: Prof. Dr. Stephan Korenstraße 10, A-2700 Wiener Neustadt

Advisor for your information security.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ