Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Nokia 6212 classic URI spoofing and DoS advisory (original date: Dec. 2008)

From: Collin Mulliner <collin () betaversion net>
Date: Thu, 18 Jun 2009 10:02:16 +0200
Vulnerability Report

--- BEGIN ADVISORY ---

Manufacturer: Nokia (www.nokia.com)
Device:       Nokia 6212 Classic
Firmware:     V 05.16, 29-09-08, RM-396
Device Type:  mobile phone
OS:           Nokia Series40

Subsystem: Near Field Communication

-----------------------------

Executive Summary:
 URL Spoofing when displaying the content of a NDEF
 URI tag. Web browser does not display full hostname when
 loading a web page.

 Crash of the parser for parts of a NDEF record, reboots
 graphical user interface (GUI) of phone.

-----------------------------

Reporter: Collin Mulliner <collin[AT]mulliner.org>

-----------------------------

Affiliation: MUlliNER.ORG / the trifinite group

-----------------------------

Time line:

 Presented at 25C3          : 29. December 2008
 Reported to vendor         : 01. January  2009
 Received ack.              : 05. January  2009
 Published to mailing lists : 18. June     2009

-----------------------------

Brief Technical Details:

 The Nokia 6212 Classic mobile phone is a mobile phone featuring the
 Near Field Communication (NFC) technology (http://www.nfc-forum.org).
 The phone has multiple security vulnerabilities in the code that parses
 and displays the content of a NDEF tags and plain URI tags.

 1) URI Spoofing (using plain URI tags)

  Long URLs are short end by removing the end of the URL replacing it
  with "..." (3 dots). This behavior can be abused for spoofing the
  URL that is displayed to the user. This way an attacker can trick
  a user into loading a malicious website. Also the phone does not
  display the URL of the website (URL can be looked up through a menu
  option).

  Spoofing works using the classic @ method. Certain characters are
  not allowed before the @ such as: /

  Example:
   http://www.example.com...... () mulliner org:6666

   Will be displayed as: http://www.example.com....


 2) NDEF Record Parser Crash

  The NDEF Record parser crashes if the record payload length field
  contains either 0xFFFFFFFF or 0xFFFFFFFE

  The crash will reboot the GUI of the phone. After 4 reboots in a row
  the phone will switch off completely (e.g. user constantly trying to
  read the tag containing this value).

-----------------------------

More Detailed Information:

 More details, slides and tools are available here:
  http://www.mulliner.org/nfc/

 Security Advisories:
  http://mulliner.org/security/advisories/

--- END ADVISORY ---

--
Collin R. Mulliner <collin () betaversion net>
info/pgp: finger collin () betaversion net
I'm a .signature virus. Copy me to help me spread.
Previous By Date Next
Previous By Thread Next

Current thread: