RE: [Full-Disclosure] 2 vulnerabilities combine to auto execute received files in Nokia series 60 OS

From: Paul Kurczaba (seclists_at_securinews.com)
Date: 01/24/05

  • Next message: Thierry Zoller: "Re: [Full-Disclosure] 2 vulnerabilities combine to auto execute received files in Nokia series 60 OS" 
    To: <rohit@kritikalsolutions.com>, <bugtraq@securityfocus.com>, <full-disclosure@lists.netsys.com>
Date: Mon, 24 Jan 2005 14:42:50 -0500

    Wouldn't the phone try to open the jpg file as a picture, and not execute
    it. Just like on desktop PCs: if you rename a .exe (application/program) to
    a jpg (picture file), and try to open the file, your image program will open
    the file, thinking it is a image file. The application code will not be
    executed.

    -----Original Message-----
    From: full-disclosure-bounces@lists.netsys.com
    [mailto:full-disclosure-bounces@lists.netsys.com] On Behalf Of
    rohit@kritikalsolutions.com
    Sent: Monday, January 24, 2005 12:01 AM
    To: bugtraq@securityfocus.com; full-disclosure@lists.netsys.com
    Subject: [Full-Disclosure] 2 vulnerabilities combine to auto execute
    received files in Nokia series 60 OS

    Hi,
     I forwarded this bug to Nokia security group, they believe it is a feature
    and not a bug. Whats your opinion?
    >>>
    1. By default, executable files cannot be transferred (many mobile game
    companies probably earn their bread because games are not transferrable from
    one phone to the next). But if you rename the file (install file) to any
    extension such as jpg or an unknown extension, it can be transferred!
    So if i need to transfer a virus, all i need to do is rename the file to
    some jpg extension and and transfer it!

    2. When series 60 OS receives such a file, it executes it immediately. For
    example, in case a MMS message comes with a picture or an installer
    attachment, Nokia would immediately start running the attachment. This is a
    major design flaw.
    Imagine a virus, renamed as a .jpg (mobile wall paper) is downloaded by
    users on p2p networks or from a website or can come from a friend. Virus
    installs itself and than shows a jpg file, so user does not suspect
    anything, while he is now infected. This is than sent to everyone in the
    address book, who again just see the wall paper after a prompt, while the
    virus has installed itself.

    The first problem can be used to exchange mobile games and ring tones for
    free. When you try to transfer the same without renaming, the OS does not
    allow transferring them.
    Thanks
    Rohit Dube
    New Delhi.

    Nokia response to both the problems follows:

    Hi Rohit,

    Sorry for the delay answering back to you.

    About your findings, the first one with sending files after changing the
    extension is a known limitation of the current implementation. We also
    implement OMA DRM 2 which will work as expected in such situations.

    The second one is also know feature, the file type is not determinated from
    the extension but from the content of the file. So a sis package renamed to
    an jpeg file still looks from the inside as a sis package and so the user is
    prompted for installation.

    Thank you again for your report.

    tatu

    > -----Original Message-----
    > From: ext rohit@kritikalsolutions.com
    > [mailto:rohit@kritikalsolutions.com]
    > Sent: Tuesday, January 18, 2005 04:17
    > To: Mannisto Tatu (Nokia-TP-PST/Tampere); Ahlberg Janne
    > (Nokia-M/Tampere)
    > Subject: RE: series 60 os auto executes files
    >
    >
    > Hi Tatu, Janne,
    > Any information on this vulnerability? Can you please confirm your
    > findings and send me an update on when should I/we disclose it?
    > Thanks
    > Rohit
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: Thierry Zoller: "Re: [Full-Disclosure] 2 vulnerabilities combine to auto execute received files in Nokia series 60 OS"

    Relevant Pages

    • Re: Renaming pics?
      ... You do not need to add it depending on how you rename. ... click on the Views icon and select Details to display file ... Scroll down and remove the check in the box "Hide Extension ...." ... You will now see the .jpg added to your file name. ...
      (microsoft.public.windowsxp.photos)
    • Re: File extension info in Properties
      ... Gerry, when I select a file and hit F2, or right-click and select "Rename," ... unusuable if I change the file name or extension. ... Enquire, plan and execute ... Properties window, it is actually better--I don't even have to ...
      (microsoft.public.windowsxp.general)
    • Re: need file extensions in caps
      ... XP does not care if it is uppercase, ... Change the jpg extension to JPG. ... Right click the file or folder you want to rename. ...
      (microsoft.public.windowsxp.general)
    • Re: Renaming pics?
      ... click on the Views icon and select Details to display file ... Scroll down and remove the check in the box "Hide Extension ...." ... You will now see the .jpg added to your file name. ... You rename Filename to Filename1. ...
      (microsoft.public.windowsxp.photos)
    • Re: File extension info in Properties
      ... When you select rename the system highlights the name including extension so ... Enquire, plan and execute ... Properties window, it is actually better--I don't even have to ...
      (microsoft.public.windowsxp.general)