
    [guru] Security updates for mobile devices


    DATE: Tue, 09 Mar 2010 00:56:08 +0100
    iPhone .mobileconfig files can easily be delivered to the device,
    and their verification is not adequate either. They can be signed with
    an arbitrary key; even keys meant for ordinary signing can be used. With
    this, an attacker can easily take over control of the phone.
    
    The MobileSafari Browser (WebKit Engine based) of the Motorola Milestone
    smartphone can easily be DoS'ed.
    
    
    --- Begin Message ---
    iPhones can be configured over the air by inviting users to download .mobileconfig files from a URL. This feature is used by large companies and universities to distribute various settings to a large number of iPhones.
    
    For security reasons, these files need to be cryptographically signed to be trusted and shown as such. It appears that there is a flaw in the trust chain used by iPhones to validate .mobileconfig signers. Any signature certificate issued by a root CA present in the Safari keystore will be trusted. This is the case for e.g. demo certificates delivered by Verisign (Level 1) at no cost and without any verification.
    
    Using this, it is easy for a phisher to create a mobileconfig file that redirects all HTTP traffic to a dedicated server, sign it with a certificate identifying it as issued by an authority of their choice, and have it trusted by the iPhone. These config files also allow additional root certificates to be placed in an iPhone, making it possible to install man-in-the-middle HTTPS attacks.
    
    More information is available from:
    http://cryptopath.wordpress.com/2010/01/29/iphone-certificate-flaws/
    
    
    
    

    --- End Message ---
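
An added example, not part of the forwarded message: because the report says a profile can be shown as trusted without a meaningful signer check, a defender can inspect what the profile would actually change before it is installed. The sketch assumes the XML plist sits contiguously inside a signed profile and relies on Apple's payload identifiers for certificate and proxy settings; the helper names and the sample profile are constructed for illustration.

```python
import plistlib

# Payload types that add certificates to the device (Apple profile identifiers).
CERT_PAYLOADS = {"com.apple.security.root", "com.apple.security.pkcs1", "com.apple.security.pem"}
# Keys that point traffic at a proxy (Wi-Fi/global proxy payloads; "proxy" in APN settings).
PROXY_KEYS = {"ProxyServer", "ProxyPACURL", "proxy"}

def extract_plist(blob: bytes) -> dict:
    """Return the profile dict from a raw or signed .mobileconfig.

    Assumption: in a signed profile the XML plist is embedded contiguously,
    so it can be sliced out. The signature itself is deliberately ignored.
    """
    start, end = blob.find(b"<?xml"), blob.rfind(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no XML plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def walk(node, path=""):
    """Yield (path, key, value) for every key in nested dicts and lists."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield path, key, value
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")

def audit(blob: bytes) -> list:
    """List the trust and traffic changes a profile would make."""
    findings = []
    for path, key, value in walk(extract_plist(blob)):
        if key == "PayloadType" and value in CERT_PAYLOADS:
            findings.append(f"installs certificate ({value}) at {path}")
        elif key in PROXY_KEYS and value:
            findings.append(f"sets proxy {key}={value} at {path}")
    return findings

# Constructed sample: a plist wrapped in dummy bytes standing in for a signature envelope.
SAMPLE = b"\x30\x82dummy-header" + plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Example Corp Wi-Fi",
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "guest",
         "ProxyType": "Manual", "ProxyServer": "proxy.example.test", "ProxyServerPort": 8080},
        {"PayloadType": "com.apple.security.root", "PayloadContent": b"constructed-not-a-cert"},
    ],
}) + b"\x00dummy-signature-bytes"

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
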
    --- Begin Message ---
    [MajorSecurity Advisory #65]Motorola Milestone Smartphone Denial of Service
    
    
    
    Details
    
    ============
    
    Product: Motorola Milestone(Droid) Smartphone
    
    Security-Risk: low
    
    Remote-Exploit: yes
    
    Vendor-URL: http://www.motorola.com/
    
    Vendor-Status: informed
    
    Advisory-Status: published on 02-02-2010
    
    
    
    Credits
    
    ============
    
    Discovered by: David Vieira-Kurz
    
    http://www.majorsecurity.info
    
    
    
    Affected Products:
    
    ============
    
    Motorola Milestone(Droid) smartphone Browser with the following user agent:
    
    Mozilla/5.0 (Linux; U; Android 2.0; de-de; Milestone Build/SHOLS_U2_01.03.1) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17
    
    
    
    Original Advisory:
    
    ============
    
    http://www.majorsecurity.info/index_2.php?adv=major_rls65
    
    
    
    Introduction
    
    ============
    
    The Motorola Milestone(droid) is a smartphone produced by Motorola based on the Android operating system.
    
    
    
    More Details
    
    ============
    
    A remotely exploitable vulnerability has been found in the JavaScript Engine of the MobileSafari Browser(based on Webkit Engine) used on the Motorola Milestone(droid) smartphone.
    
    In detail, the following flaw was determined:
    
    The Motorola Milestone(Droid) is prone to a denial of service vulnerability when parsing certain HTML content. 
    
    This is possible due to a failure in handling exceptional conditions.
    
    This issue is caused by a memory corruption error when handling JavaScript elements, which could be exploited by remote attackers to crash the browser by tricking a user into visiting a specially crafted web page.
    
    This issue can NOT lead to remote code execution, so the potential security risk is rated low.
    
    
    
    The exploit has been tested on a Motorola Milestone(Droid) using the following user agent:
    
    
    
    Mozilla/5.0 (Linux; U; Android 2.0; de-de; Milestone Build/SHOLS_U2_01.03.1) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17
    
    
    
    Proof of Concept:
    
    ============
    
       <script>
        var overloadtag = "<marquee>";
        for(x=1;x<=9999999999999;x++){
          document.write(overloadtag);
        }
       </script>
    
    
    
    MajorSecurity
    
    ================
    
    MajorSecurity is a German penetration testing and security research company which focuses
    
    on web application security. We offer professional penetration testing, security audits,
    
    source code reviews and reliable proof of concepts. You will find more information about MajorSecurity at http://www.majorsecurity.info/
    
    Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact david@majorsecurity.info for permission.
    
    Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall majorsecurity and David Vieira-Kurz IT Security Services be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if majorsecurity has been advised of the possibility of such damages. Copyright 2010 MajorSecurity and David Vieira-Kurz IT Security Services. All rights reserved. Terms of use apply. 
    
    
    
    

    --- End Message ---
