lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200501241943.j0OJh0rs021207@lists.netsys.com>
From: seclists at securinews.com (Paul Kurczaba)
Subject: 2 vulnerabilities combine to auto execute
	received files in Nokia series 60 OS

Wouldn't the phone try to open the jpg file as a picture, and not execute
it. Just like on desktop PCs: if you rename a .exe (application/program) to
a jpg (picture file), and try to open the file, your image program will open
the file, thinking it is a image file. The application code will not be
executed.

-----Original Message-----
From: full-disclosure-bounces@...ts.netsys.com
[mailto:full-disclosure-bounces@...ts.netsys.com] On Behalf Of
rohit@...tikalsolutions.com
Sent: Monday, January 24, 2005 12:01 AM
To: bugtraq@...urityfocus.com; full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] 2 vulnerabilities combine to auto execute
received files in Nokia series 60 OS

Hi,
 I forwarded this bug to Nokia security group, they believe it is a feature
and not a bug. Whats your opinion?
>>>
1. By default, executable files cannot be transferred (many mobile game
companies probably earn their bread because games are not transferrable from
one phone to the next). But if you rename the file (install file) to any
extension such as jpg or an unknown extension, it can be transferred!
So if i need to transfer a virus, all i need to do is rename the file to
some jpg extension and and transfer it!

2. When series 60 OS receives such a file, it executes it immediately. For
example, in case a MMS message comes with a picture or an installer
attachment, Nokia would immediately start running the attachment. This is a
major design flaw.
Imagine a virus, renamed as a .jpg (mobile wall paper) is downloaded by
users on p2p networks or from a website or can come from a friend. Virus
installs  itself and than shows a jpg file, so user does not suspect
anything, while he is now infected. This is than sent to everyone in the
address book, who again just see the wall paper after a prompt, while the
virus has installed itself.

The first problem can be used to exchange mobile games and ring tones for
free. When you try to transfer the same without renaming, the OS does not
allow transferring them.
Thanks
Rohit Dube
New Delhi.

Nokia response to both the problems follows:

Hi Rohit,

Sorry for the delay answering back to you.

About your findings, the first one with sending files after changing the
extension is a known limitation of the current implementation. We also
implement OMA DRM 2 which will work as expected in such situations.

The second one is also know feature, the file type is not determinated from
the extension but from the content of the file. So a sis package renamed to
an jpeg file still looks from the inside as a sis package and so the user is
prompted for installation.


Thank you again for your report.

tatu


> -----Original Message-----
> From: ext rohit@...tikalsolutions.com
> [mailto:rohit@...tikalsolutions.com]
> Sent: Tuesday, January 18, 2005 04:17
> To: Mannisto Tatu (Nokia-TP-PST/Tampere); Ahlberg Janne
> (Nokia-M/Tampere)
> Subject: RE: series 60 os auto executes files
>
>
> Hi Tatu, Janne,
>  Any information on this vulnerability? Can you please confirm your 
> findings and send me an update on when should I/we disclose it?
> Thanks
> Rohit
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ