MIUI Wifi Connection Message Vulnerability
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: MIUI Wifi Connection Message Vulnerability
- From: vuln@xxxxxxxxxxx
- Date: Wed, 17 Sep 2014 06:17:11 GMT
I. Summary
A Wi-Fi Connection (handover) message is written to an NFC tag so that an
NFC-capable phone which touches the tag connects to the wireless AP
automatically. A logic flaw has been found in MIUI, an Android ROM: reading
such a tag turns Wi-Fi on. On MIUI the record is dispatched with the help of
"wifihandover" (https://play.google.com/store/apps/details?id=net.endflow.apps.wifiho)
or "NFC Tag Assistant" (http://app.mi.com/detail/43940).
-----------------------------------------------------------------
II. Description
Following the NFC Wi-Fi Connection (Wi-Fi Simple Configuration) message
specification, construct a message as follows:
D2 17 45 61 70 70 6C 69 63 61 74 69 6F 6E 2F 76
6E 64 2E 77 66 61 2E 77 73 63 10 4A 00 01 10 10
0E 00 3C 10 26 00 01 01 10 45 00 04 55 43 41 53
10 03 00 02 00 20 10 0F 00 02 00 08 10 27 00 10
5B 0F A0 A8 11 2B 5B EF F0 C2 10 3E D6 91 5C B1
10 20 00 06 88 32 9B 57 F1 CC FF FF 00 01 02
Write the message to an NFC tag. Because MIUI 5.30 does not itself process
Wi-Fi Connection messages, "wifihandover" or "NFC Tag Assistant" must be
installed on the test phone to receive the record. Touch the tag with a Samsung
GT-I9300 running MIUI 5.30: Wi-Fi is turned on automatically, regardless of
whether the connection to the AP succeeds or not.
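To check what the tag above actually carries, the following Python decodes the message byte for byte. It is an added example, not code from the advisory, from MIUI or from the two apps named; the NDEF framing and the WSC attribute IDs it uses (0x104A Version, 0x100E Credential, 0x1026 Network Index, 0x1045 SSID, 0x1003 Authentication Type, 0x100F Encryption Type, 0x1027 Network Key, 0x1020 MAC Address) are taken from the Wi-Fi Simple Configuration specification. The trailing attribute with ID 0xFFFF is not one this decoder knows and is reported as unrecognised rather than interpreted. Every length field is checked against the buffer before it is used, which is the minimum a tag handler must do with attacker-controlled bytes.

```python
"""Decode the NFC Wi-Fi Simple Configuration (WSC) handover record from the advisory."""
import struct

# The 95-byte NDEF message exactly as listed in the advisory.
ADVISORY_MESSAGE = bytes.fromhex(
    "D2 17 45 61 70 70 6C 69 63 61 74 69 6F 6E 2F 76"
    " 6E 64 2E 77 66 61 2E 77 73 63 10 4A 00 01 10 10"
    " 0E 00 3C 10 26 00 01 01 10 45 00 04 55 43 41 53"
    " 10 03 00 02 00 20 10 0F 00 02 00 08 10 27 00 10"
    " 5B 0F A0 A8 11 2B 5B EF F0 C2 10 3E D6 91 5C B1"
    " 10 20 00 06 88 32 9B 57 F1 CC FF FF 00 01 02"
)

WSC_MIME_TYPE = b"application/vnd.wfa.wsc"
TNF_MIME_MEDIA = 0x02  # NDEF type-name-format: MIME media type

# Attribute IDs from the Wi-Fi Simple Configuration specification.
ATTR_AUTH_TYPE = 0x1003
ATTR_CREDENTIAL = 0x100E
ATTR_ENC_TYPE = 0x100F
ATTR_MAC_ADDRESS = 0x1020
ATTR_NETWORK_INDEX = 0x1026
ATTR_NETWORK_KEY = 0x1027
ATTR_SSID = 0x1045
ATTR_VERSION = 0x104A

AUTH_TYPES = {0x0001: "Open", 0x0002: "WPA-Personal", 0x0004: "Shared",
              0x0008: "WPA-Enterprise", 0x0010: "WPA2-Enterprise",
              0x0020: "WPA2-Personal"}
ENC_TYPES = {0x0001: "None", 0x0002: "WEP", 0x0004: "TKIP", 0x0008: "AES"}


def parse_ndef_record(msg):
    """Return the first NDEF record as a dict, refusing any length that overruns msg."""
    if len(msg) < 3:
        raise ValueError("NDEF header too short")
    flags = msg[0]
    short_record = bool(flags & 0x10)   # SR bit: 1-byte payload length
    has_id = bool(flags & 0x08)         # IL bit: ID length field present
    pos = 1
    type_len = msg[pos]
    pos += 1
    if short_record:
        payload_len = msg[pos]
        pos += 1
    else:
        if len(msg) < pos + 4:
            raise ValueError("NDEF payload length field truncated")
        payload_len = struct.unpack(">I", msg[pos:pos + 4])[0]
        pos += 4
    id_len = 0
    if has_id:
        if len(msg) < pos + 1:
            raise ValueError("NDEF ID length field truncated")
        id_len = msg[pos]
        pos += 1
    end = pos + type_len + id_len + payload_len
    if end > len(msg):
        raise ValueError("NDEF record claims %d bytes, buffer has %d" % (end, len(msg)))
    record_type = msg[pos:pos + type_len]
    pos += type_len
    record_id = msg[pos:pos + id_len]
    pos += id_len
    return {"tnf": flags & 0x07, "type": record_type, "id": record_id,
            "payload": msg[pos:end]}


def parse_wsc_tlvs(buf):
    """Walk WSC attributes (2-byte ID, 2-byte length, value); every length is bounds-checked."""
    attrs = []
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 4:
            raise ValueError("truncated TLV header at offset %d" % pos)
        attr_id, length = struct.unpack(">HH", buf[pos:pos + 4])
        pos += 4
        if pos + length > len(buf):
            raise ValueError("TLV 0x%04X length %d overruns buffer" % (attr_id, length))
        attrs.append((attr_id, buf[pos:pos + length]))
        pos += length
    return attrs


def decode_credential_tlvs(buf):
    """Interpret the attributes nested inside a Credential; unknown IDs are kept as hex."""
    cred = {}
    for attr_id, value in parse_wsc_tlvs(buf):
        if attr_id == ATTR_SSID:
            cred["ssid"] = value.decode("utf-8", "replace")
        elif attr_id == ATTR_AUTH_TYPE and len(value) == 2:
            code = struct.unpack(">H", value)[0]
            cred["auth_type"] = AUTH_TYPES.get(code, "unknown(0x%04X)" % code)
        elif attr_id == ATTR_ENC_TYPE and len(value) == 2:
            code = struct.unpack(">H", value)[0]
            cred["encryption_type"] = ENC_TYPES.get(code, "unknown(0x%04X)" % code)
        elif attr_id == ATTR_NETWORK_KEY:
            cred["network_key_hex"] = value.hex()   # opaque bytes in the advisory's tag
        elif attr_id == ATTR_MAC_ADDRESS and len(value) == 6:
            cred["mac_address"] = ":".join("%02X" % b for b in value)
        elif attr_id == ATTR_NETWORK_INDEX and len(value) == 1:
            cred["network_index"] = value[0]
        else:
            # Here this catches the trailing ID 0xFFFF, which is not a WSC attribute we know.
            cred.setdefault("unrecognised", []).append((attr_id, value.hex()))
    return cred


def decode_credential(msg):
    """Decode the Version and Credential attributes of a WSC handover record."""
    rec = parse_ndef_record(msg)
    if rec["tnf"] != TNF_MIME_MEDIA or rec["type"] != WSC_MIME_TYPE:
        raise ValueError("not an application/vnd.wfa.wsc record")
    result = {}
    for attr_id, value in parse_wsc_tlvs(rec["payload"]):
        if attr_id == ATTR_VERSION and len(value) == 1:
            result["version"] = "%d.%d" % (value[0] >> 4, value[0] & 0x0F)
        elif attr_id == ATTR_CREDENTIAL:
            result["credential"] = decode_credential_tlvs(value)
    return result


if __name__ == "__main__":
    from pprint import pprint
    pprint(decode_credential(ADVISORY_MESSAGE))
```

Running the script prints a WSC 1.0 record whose Credential names the SSID "UCAS", WPA2-Personal with AES, a 16-byte network key and the AP's MAC address. Decoding the tag is only the first step; the flaw the advisory describes sits in what the phone does next, when it switches the radio on before any of this has been confirmed or the connection has succeeded.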
------------------------------------------------------------------
III. Impact
The bug causes the Wi-Fi radio to be switched on automatically whenever a Wi-Fi
Connection tag is read, whether or not the credentials on the tag are valid. A
user who has deliberately disabled Wi-Fi can have it re-enabled by any tag
carrying such a record.
------------------------------------------------------------------
IV. Affected
MIUI 4.1.17 and 5.30.
Other versions were not tested.
------------------------------------------------------------------
V. Solution
Change the Wi-Fi Connection message processing so that merely reading a tag does
not turn Wi-Fi on as a side effect; enabling the radio should require the user's
confirmation of the connection.