Pastebin launched a little side project called VERYVIRAL.com, check it out ;-) Want more features on Pastebin? Sign Up, it's FREE!
Guest

"Remote wipe vulnerability" on Android devices

By: dexymx on Sep 26th, 2012  |  syntax: None  |  size: 3.98 KB  |  views: 961  |  expires: Never
download  |  raw  |  embed  |  report abuse  |  print
Text below is selected. Please press Ctrl+C to copy to your clipboard. (⌘+C on Mac)
  1. Missing input validation in Android stock dialpad allows initiating special char handling by Intents
  2.  
  3.  --
  4.  
  5. This paste is intended to deliver some thoughts about the "remote wipe vulnerability" on Android devices.
  6.  
  7. The issue is not directly linked to Samsung or TouchWiz UI.
  8. USSD and "phone codes" are not malicious at all.
  9. Manual and intended input of "phone codes" and the resulting effects are no indication of malfunction.
  10. REPEAT: typing "*#06" into your dialer SHOULD display phone's IMEI and "*2767*3855#" is INTENDED to wipe your device.
  11.  
  12. I mention that because there is a huge confusion about the range of affected devices...
  13. And especially because of this video: http://www.youtube.com/watch?v=yuaFMG6VQCI :)
  14.  
  15.  --
  16.  
  17. Description
  18.  
  19. A user can use the phone dialer to call phone numbers or trigger a varying set of actions by entering special chars or char sequences. Depending on used dialer application the set of possible codes and resulting actions is varying. Some common examples are:
  20.  
  21. [phone_number]  dial phone number
  22. *#06#           display IMEI
  23. *61#            activate divert if no reply
  24. *#*#232337#*#   show bluetooth device address
  25. *2767*3855#     factory format device
  26.  
  27. Furthermore the dialpad can be addressed by Intents.
  28.  
  29. A Intent is an abstract object within Android OS to provide a facility for performing runtime binding between the code in different applications. It's most significant use is in launching of activities. Applications within Android send Intents to other applications to perform specific actions. The data to operate on is expressed by an Uniform Resource Identifier.
  30.  
  31. The URI "tel:[phone_number]" targets the phone's dialer application and tries to pass a phone number. Sender could be a browser, QR code scanner, NFC handler, ... or something else.
  32.  
  33. The dialpad receives that Intent and proceeds further depending on implementation, number, code, permissions or source of Intent.
  34.  
  35.  --
  36.  
  37. Vulnerability
  38.  
  39. The stock dialpad or dailers based on stock dialpad application in Android versions prior to Android 4.1.1 release 1.1 (Jul 2012) allow initiating handling by Intents through special chars or sequences without propper validation and rejection. This allows the non intended execution of actions without any input or confirmation by the user.
  40.  
  41. Possible and already used in the wild attack vectors are tricking users to scan QR codes with "tel:[code]" or including iframes with "tel:[code]" as source on websites. Both will pass an Intent to the phone dialer and through the non exsistent input validation this could initiate actions bound to that code.
  42.  
  43. Although the dialpad should accept and handle "tel:[phone_number]" inputs, it should not accept arbitrary code which is not a telephone number as defined in the IETF RFC 3966.
  44.  
  45. Executing USSD codes without confirmation could lead to an unintended device wipe or locking the SIM card by triggering commands in combination with false PINs.
  46.  
  47. The code "*2767*3855#" has been confirmed working on at least some HTC and Samsung phones.
  48.  
  49.  --
  50.  
  51. Prevention and fixes:
  52.  
  53. To avoid this exploit it is recommended to use a Android firmware >= version 4.1.1 release 1.1 or an equivalent custom ROM. It is also possible to use an alternative phone dialer or tools which prevent passing "tel:" URIs.
  54.  
  55. Stop NoTelURL, Joerg Voss
  56. https://play.google.com/store/apps/details?id=com.voss.notelurl
  57.  
  58. Auto-reset blocker, Rusty Burchfield
  59. https://play.google.com/store/apps/details?id=net.gicode.android.autoresetblocker
  60.  
  61.  --
  62.  
  63. More details:
  64.  
  65. http://tools.ietf.org/html/rfc3966
  66. http://developer.android.com/reference/android/content/Intent.html
  67. http://developer.android.com/guide/appendix/g-app-intents.html
  68. https://android.googlesource.com/platform/packages/apps/Contacts/+/39948dc7e34dc2041b801058dada28fedb80c388
  69. https://android.googlesource.com/platform/packages/apps/Contacts/+/1fc1e42b92904472aecc8b99379b1e8c670e5a88
  70. https://android.googlesource.com/platform/packages/apps/Contacts/+/android-4.1.1_r1.1
  71. forum.xda-developers.com/showthread.php?t=1748506