Re: HTC IQRD Android Permission Leakage (CVE-2012-2217)

[Jason Hellenthal <jhellenthal () dataix net>]

On Sat, Apr 21, 2012 at 09:27:59PM -0400, Jeffrey Walton wrote:
> Gotta love it - defective spyware running as a driver or privileged
> component. It reminds me of that DRM junk Adobe used to distribute
> (Macrovision). It was a defective Windows driver that exposed users to
> risk (http://technet.microsoft.com/en-us/security/bulletin/ms07-067).
>
> Where are software liability laws when you need them.... (And not the
> "bride a Congressman so there's no teeth" variety).

Someone getting married! ;-)

> On Sat, Apr 21, 2012 at 9:16 PM, VSR Advisories
> <advisories () vsecurity com> wrote:
> >                         VSR Security Advisory
> >                       http://www.vsecurity.com/
> >
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> >
> > Advisory Name: HTC IQRD Android Permission Leakage
> >  Release Date: 2012-04-20
> >  Application: IQRD on HTC Android Phones
> >       Author: Dan Rosenberg <drosenberg (at) vsecurity.com>
> > Vendor Status: Patch Released
> > CVE Candidate: CVE-2012-2217
> >    Reference: http://www.vsecurity.com/resources/advisory/20120420-1/
> >
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> >
> >
> > Product Description
> > -------------------
> > The IQRD service is HTC's implementation of a Carrier IQ porting layer on
> > several HTC Android phones.  Carrier IQ is a data collection framework that may
> > be deeply integrated into the Android application stack in order to provide
> > cell carriers with detailed metrics data on device and network activity [1].
> > To complete the integration of Carrier IQ on a specific device, phone
> > manufacturers provide a "porting layer" that allows the Carrier IQ service to
> > perform specific actions that may vary by device.
> >
> >
> > Vulnerability Details
> > ---------------------
> > On December 22th, VSR identified a vulnerability in IQRD.  The IQRD service
> > listens locally on a TCP socket bound to port 2479.  This socket is intended to
> > allow the Carrier IQ service to request device-specific functionality from
> > IQRD.  Unfortunately, there is no restriction or validation on which
> > applications may request services using this socket.  As a result, any
> > application with the android.permission.INTERNET permission may connect to this
> > socket and send specially crafted messages in order to perform potentially
> > malicious actions.
> >
> > In particular, it is possible for malicious applications to:
> >
> >    1. Trigger UI popup messages
> >
> >    2. Generate tones
> >
> >    3. Send arbitrary outbound SMS messages that do not appear in a user's
> >       outbox, facilitating toll fraud
> >
> >    4. Retrieve a user's Network Access Identifier (NAI) and corresponding
> >       password, potentially allowing rogue devices to impersonate the user
> >       on a CDMA network
> >
> >
> > Versions Affected
> > -----------------
> > The issue is confirmed to affect the HTC EVO 4G, HTC EVO Design 4G, EVO Shift
> > 4G, HTC EVO 3D, HTC EVO View 4G, and HTC Hero on Sprint; and the HTC Vivid on
> > AT&T.
> >
> >
> > Vendor Response
> > ---------------
> > The following timeline details HTC's response to the reported issue:
> >
> > 2011-12-22    Vulnerability reported to HTC
> > 2011-12-28    HTC confirms receipt, replies that fix is planned for early 2012
> > 2012-03-10    VSR requests status update
> > 2012-03-16    HTC confirms fix has been published
> > 2012-03-26    HTC requests clarification on finding
> > 2012-03-26    VSR provides clarification on finding, requests confirmation on
> >              status of fix
> > 2012-04-02    HTC provides confirmation of fix, requests further clarification
> > 2012-04-02    VSR provides clarification on finding
> > 2012-04-12    VSR provides draft advisory to HTC
> > 2012-04-13    HTC provides corrections to advisory, requests disclosure date
> > 2012-04-20    Coordinated disclosure
> >
> >
> > Recommendation
> > --------------
> >
> > HTC has issued a fix that will typically be provided as an OTA update by
> > affected cell carriers.  If the update has not automatically been installed, it
> > is possible to retrieve the update manually by navigating to Menu -> Settings
> > -> System Updates -> HTC Software Update -> Check Now.
> >
> > The following software versions on Sprint are confirmed to resolve this issue:
> >
> > HTC EVO 4G:             4.67.651.3
> > HTC EVO Design 4G:      2.12.651.5
> > HTC EVO Shift 4G:       2.77.651.3
> > HTC EVO 3D:             2.17.651.5
> > HTC EVO View 4G:        2.23.651.1
> >
> > The following software versions on AT&T are confirmed to resolve this issue:
> >
> > HTC Vivid:              3.26.502.56
> >
> >
> > All affected devices except the HTC Hero have received an over-the-air update.
> > HTC and Sprint have declined to update the HTC Hero, citing its 2009 release,
> > minimal current usage, and lack of malicious applications in the Android
> > Marketplace exploiting this vulnerability.
> >
> > Users should be aware that devices that no longer receive updates due to
> > switching carriers may remain vulnerable.
> >
> >
> > Common Vulnerabilities and Exposures (CVE) Information
> > ------------------------------------------------------
> > The Common Vulnerabilities and Exposures (CVE) project has assigned the number
> > CVE-2012-2217 to this issue.  This is a candidate for inclusion in the CVE list
> > (http://cve.mitre.org), which standardizes names for security problems.
> >
> >
> > Acknowledgements
> > ----------------
> > Thanks to HTC for their response and fix.
> >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> >
> > References:
> >
> > 1. Carrier IQ
> >   http://www.carrieriq.com
> >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> >
> > This advisory is distributed for educational purposes only with the sincere
> > hope that it will help promote public safety.  This advisory comes with
> > absolutely NO WARRANTY; not even the implied warranty of merchantability or
> > fitness for a particular purpose.  Neither Virtual Security Research, LLC nor
> > the author accepts any liability for any direct, indirect, or consequential
> > loss or damage arising from use of, or reliance on, this information.
> >
> > See the VSR disclosure policy for more information on our responsible disclosure
> > practices:
> >  http://www.vsecurity.com/company/disclosure
> >
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> >     Copyright 2012 Virtual Security Research, LLC.  All rights reserved.
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

-- 

 - (2^(N-1))

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/