full-disclosure-uk August 2008 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] Nokia 6131 NFC URI/URL Spo

[Full-disclosure] Nokia 6131 NFC URI/URL Spoofing and DoS Advisory

From: Collin R. Mulliner <collin_at_nospam>
Date: Sat Aug 16 2008 - 17:16:14 GMT
To: Full Disclosure <Full-Disclosure@lists.grok.org.uk>


Vulnerability Report

  • BEGIN ADVISORY ---
Manufacturer: Nokia (www.nokia.com) Device: Nokia 6131 NFC Firmware: V 05.12, 19-09-07, RM-216 Device Type: mobile phone OS: Symbian Series40

Subsystem: Near Field Communication


Executive Summary:
 URI/URL Spoofing when displaying the content of a NDEF Smart Poster  and plain URI tag. Web browser does not display full hostname when  loading a web page.   

 Crash of the parser for various parts of NDEF records, reboots  graphical user interface (GUI) of phone.


Reporter: Collin Mulliner <collin.mulliner[AT]sit.fraunhofer.de>


Affiliation: Fraunhofer SIT / MUlliNER.ORG / the trifinite group


Time line: Reported to vendor : 27. March 2008 Received ack. : 28. March 2008 Presented at EuSecWest2008 : 21. May 2008 Received further feedback : 04. July 2008 Published to mailing lists : 16. August 2008
-----------------------------

Fix:

 The first device without the reported vulnerabilities will be the  Nokia 6212 Classic NFC mobile phone.


Brief Technical Details:

 The Nokia 6131 NFC mobile phone is a mobile phone featuring the Near  Field Communication (NFC) technology (http://www.nfc-forum.org). The  phone has multiple security vulnerabilities in the code that parses and  displays the content of a NDEF Smart Poster and a plain URI tag.  

  1. NDEF Smart Poster URI Spoofing

 The NDEF Smart Poster displays a URI together with a descriptive text.  The URI can be a URL (http,https,ftp,...) or can point to a phone  number (tel:) or to a short message (sms:).  

 The vulnerability: the phone concatenates the descriptive text and the   URI. The URI might not be displayed if the the descriptive text   already uses the available space to display both information. Further   the descriptive text can contain text that reassembles a URI.   Therefore a user can be tricked into opening/activating a different   URI than he expects. This can lead to monetary damage.   

  There is no visual indication of which part is text and which part is   the URI.  

 1.1.1) URL Spoofing  

  Descriptive text: Bank online with Happy Bank and Trust https://www.happybankandtrust.com URI: http://westealallyourmoney.com

  User will believe he is accessing https://www.happybankandtrust.com   but he actually will load http://westealallyourmoney.com.      

 1.1.2) URL Spoofing surviving a quick check  

  Descriptive text:
   http:\\www.nokia.com\r\r\rAddress:\rhttp:\\www.nokia.com\r\r\r\r\r.   

  URI: http://www.mulliner.org   

  The user will be see "http://www.nokia.com" in main screen, if he   presses "Show" he will see:   

    Title:
    http://www.nokia.com   

    Address:
    http://www.nokia.com   

 1.2) Telephone URI Spoofing  

  Descriptive text:
   Tourist Information\r080012345678\r\r\r\r\r\r\r\r\r\r.   

  URI: tel:19006661666   

  The user will believe this is a free call but will actually call   1900...     

 1.3) SMS URI Spoofing   

  Descriptive text: Get todays weather forecast\r08005551234   

  URI: sms:33333?body=tone1   

  The user will believe the SMS is for free but he will actually send a   message to a premium rate number.      

 2) Plain URI Spoofing  

  Spoofing using the classic @ method.   

  URI:
   http://wap.somebank.com\wap\login&where=ccinfo@\r\r...\r\r_at_badguy.net    

  Notice: some characters are not allowed before the @ these are:    / and ? the user will probably not notice.    

 3) NDEF Record Parser Crash  

  The NDEF Record parser crashes if the record payload length field   contains either 0xFFFFFFFF or 0xFFFFFFFE   

  The crash will reboot the GUI of the phone. After 4 reboots in a row   the phone will switch off completely (e.g. user constantly trying to   read the tag containing this value).      

 4) NDEF Tel/SMS Handler Crash  

  The handler for the sms and tel URI crashes when encountering a   phone number of exactly 124 characters.   

  Examples:
   tel:<124 characters> and sms:<124 characters>    

  Best guess is a off-by-one bug since shorter numbers work and longer   numbers produce an error message.   

  The crash will reboot the GUI of the phone. After 4 reboots in a row   the phone will switch off completely (e.g. user constantly trying to   read the tag containing this value).     


More Detailed Information:

 More details, slides and tools are available here:   http://www.mulliner.org/nfc/  

  • END ADVISORY ---

--

Collin R. Mulliner <collin@betaversion.net> BETAVERSiON Systems [www.betaversion.net] info/pgp: finger collin@betaversion.net
Don't ask me! I don't use windoze!

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/