[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[MajorSecurity Advisory #65]Motorola Milestone Smartphone Denial of Service



[MajorSecurity Advisory #65]Motorola Milestone Smartphone Denial of Service

Details
============
Product: Motorola Milestone(Droid) Smartphone
Security-Risk: low
Remote-Exploit: yes
Vendor-URL: http://www.motorola.com/
Vendor-Status: informed
Advisory-Status: published on 02-02-2010

Credits
============
Discovered by: David Vieira-Kurz
http://www.majorsecurity.info

Affected Products:
============
Motorola Milestone(Droid) smartphone Browser with following useragent:
Mozilla/5.0 (Linux; U; Android 2.0; de-de; Milestone Build/SHOLS_U2_01.03.1) 
AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17

Original Advisory:
============
http://www.majorsecurity.info/index_2.php?adv=major_rls65

Introduction
============
The Motorola Milestone(droid) is a smartphone produced by Motorola based on the 
android operation system.

More Details
============
A remotely exploitable vulnerability has been found in the JavaScript Engine of 
the MobileSafari Browser(based on Webkit Engine) used on the Motorola 
Milestone(droid) smartphone.
In detail, the following flaw was determined:
The Motorola Milestone(Droid) is prone to a denial of service vulnerability 
when parsing certain HTML content. 
This is possible due to a failure in handling exceptional conditions.
This issue is caused by a memory corruption error when handling javascript 
elements,
which could be exploited by remote attackers to crash the browser by tricking a 
user into visiting a specially crafted web page.
This issue can NOT be lead to remote code execution, so that the potential 
security risk is rated low.

The exploit has been tested on a Motorola Milestone(Droid) using following 
useragent:

Mozilla/5.0 (Linux; U; Android 2.0; de-de; Milestone Build/SHOLS_U2_01.03.1) 
AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17

Proof of Concept:
============
   <script>
    var overloadtag = "<marquee>";
    for(x=1;x<=9999999999999;x++){
      document.write(overloadtag);
    }
   &lt;/script&gt;

MajorSecurity
================
MajorSecurity is a German penetrationtesting and security research company 
which focuses
on web application security. We offer professional penetrationtestings, 
security audits,
source code reviews and reliable proof of concepts. You will find more 
Information about MajorSecurity at http://www.majorsecurity.info/
Unaltered electronic reproduction of this advisory is permitted. For all other 
reproduction or publication, in printing or otherwise, contact 
david@xxxxxxxxxxxxxxxxxx for permission.
Use of the advisory constitutes acceptance for use in an "as is" condition. All 
warranties are excluded. In no event shall majorsecurity and David Vieira-Kurz 
IT Security Services be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages, even if majorsecurity has been advised of the possibility of such 
damages. Copyright 2010 MajorSecurity and David Vieira-Kurz IT Security 
Services. All rights reserved. Terms of use apply.