Message-ID: <CAH8yC8mDSxpPi9wYi+Eo=rL2VnHBubRJ6ntJAt6r_Z899Ym5aA@mail.gmail.com>
Date: Tue, 19 Mar 2013 19:07:35 -0400
From: Jeffrey Walton <noloader@...il.com>
To: Roberto Paleari <roberto@...yhats.it>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Owning Samsung Android devices

[web page] ...
[web page] Two different vulnerabilities can be exploited
[web page] to silently install highly-privileged applications
[web page] with no user interaction. The privileged
[web page] applications to be installed can be embedded
[web page] right inside the unprivileged application package,
[web page] or downloaded "on the fly" from an on-line
[web page] market.
[web page] Another issue, different from the previous ones,
[web page] allows attackers to send SMS messages without
[web page] requiring any Android privilege (normally, Android
[web page] applications are required to have the
[web page] android.permission.SEND_SMS permission to
[web page] perform this task).

You might consider getting Android security involved since both appear
to have remediation at the platform level. For example, Google Play
may be able to do something about the first issue since it's a trusted
channel and should not be distributing hidden apps with malicious
intent; and a confused deputy might be in play with the second.

Android security can be reached through a well-known email address,
and Android Security Discussions
(http://groups.google.com/group/android-security-discuss).

My apologies if the remediations are not available at the platform.
It's tough to discern when folks use Full Disclosure, Bugtraq, et al. to
generate traffic and press releases.

Jeff

On Tue, Mar 19, 2013 at 5:20 PM, Roberto Paleari <roberto@...yhats.it> wrote:
> Folks,
>
> I recently found some security vulnerabilities affecting Samsung
> Android phones. The bugs lie in Samsung-specific customizations and
> not in the Android code base.
>
> While waiting for Samsung security patches, I published an overview of
> the issues here:
> http://randomthoughts.greyhats.it/2013/03/owning-samsung-phones-for-fun-but-with.html
>
> Possible consequences are quite interesting, as the vulnerabilities
> allow an *unprivileged* application to perform several nefarious
> tasks, ranging from sending SMS messages to installing APK packages,
> but also including some denial-of-services and info leaks.
>
> I hope I will be able to disclose the technical details soon.
