
[VULNERABILITY?] Remote wipe via iframe USSD trigger

 
killsforpie
(Last edited by killsforpie; 25th September 2012 at 07:54 PM.)
#1  
Member - OP
Thanks Meter 3
Posts: 68
Join Date: Oct 2010

I wanted to add a post here due to the severity of the bug. (Original post here: http://forum.xda-developers.com/show....php?t=1904629).

I've tested with *#*#4636*#* and nothing is displayed on my dialer, as it does when you type the code in now (4.0.3 latest release from Verizon). Trying with other numbers leaves the numbers in the dialer. Tested with FF and Chrome. Stock dialer.

Does anybody know any safe codes we can try to confirm or deny that this vulnerability could also affect HTC phones?

Edit: I was able to launch the HTC Function Test ( *#*#3424#*#* ) using this method. If there is a reset code I would bet it is exploitable.

Edit 2: I found a list of codes here: http://forum.xda-developers.com/show....php?t=1683634 which could also be tested.
Also sample HTML for you to test (will bring up the HTC Functions Test as if *#*#3424#*#* were entered in the dialer):
HTML Code:
<frameset>
	<frame src="tel:*%23*%233424%23*%23*">
</frameset>
Place in an HTML file, host it somewhere. I wouldn't trust ANYONE's links unless you are prepared for the worst.

If somebody with the official VZW rom is brave enough to test out the factory reset codes we can narrow the scope of this down.
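
Added example, not part of the original post or any forum member's code: a JavaScript (Node) check a defender could run over page source to flag `tel:` URIs that load without a tap, as the frame above does, and to separate service codes from ordinary numbers. The function names and the sample markup are constructed for illustration.

```javascript
// Elements whose src the browser loads on its own, with no user tap.
const AUTO_SRC = /<(frame|iframe|embed|img)\b[^>]*?\bsrc\s*=\s*["']?\s*(tel:[^"'\s>]+)/gi;
// <meta http-equiv="refresh" content="0;url=tel:..."> redirects on its own too.
const META_REFRESH = /<(meta)\b[^>]*?\bcontent\s*=\s*["'][^"']*?url\s*=\s*(tel:[^"'\s>]+)/gi;

// Percent-decode the part after "tel:"; keep the raw text if it is malformed.
function decodeDialString(uri) {
  const raw = uri.slice(4);
  try {
    return decodeURIComponent(raw);
  } catch (err) {
    return raw;
  }
}

// An ordinary number is digits, '+' and separators. A '*' or '#' means the
// string is a service (USSD/MMI-style) code rather than a number to call.
function isServiceCode(dialString) {
  return /[*#]/.test(dialString);
}

// Regex triage over raw HTML (a heuristic, not a full HTML parser).
function findAutoDialUris(html) {
  const findings = [];
  for (const pattern of [AUTO_SRC, META_REFRESH]) {
    for (const m of html.matchAll(pattern)) {
      const dialString = decodeDialString(m[2]);
      findings.push({
        tag: m[1].toLowerCase(),
        uri: m[2],
        dialString,
        serviceCode: isServiceCode(dialString),
      });
    }
  }
  return findings;
}

// Constructed sample: the thread's frame, an IMEI-code iframe, a plain-number
// redirect (made-up number), and a tap-to-dial link that must not be flagged.
const SAMPLE_HTML = `
<frameset><frame src="tel:*%23*%233424%23*%23*"></frameset>
<iframe src="tel:*%2306%23"></iframe>
<meta http-equiv="refresh" content="0;url=tel:%2B15555550100">
<a href="tel:*%2306%23">show IMEI</a>
`;

console.log(findAutoDialUris(SAMPLE_HTML).filter((f) => f.serviceCode));
```

The `<a href>` link is deliberately ignored because it needs a tap; the two flagged entries are the ones that reach the dialer on page load.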
 
synisterwolf
#2
Recognized Contributor
Thanks Meter 2125
Posts: 6,294
Join Date: Sep 2010
Quote:
Originally Posted by killsforpie View Post
I wanted to add a post here due to the severity of the bug. (Original post here: http://forum.xda-developers.com/show....php?t=1904629).

I've tested with *#*#4636*#* and nothing is displayed on my dialer, as it does when you type the code in now (4.0.3 latest release from Verizon). Trying with other numbers leaves the numbers in the dialer. Tested with FF and Chrome. Stock dialer.

Does anybody know any safe codes we can try to confirm or deny that this vulnerability could also affect HTC phones?
This bug is being reported for Samsung TouchWiz devices only. We are safe.
Quote:
Originally Posted by The Internet
You learn something new everyday. Unless you have a brain injury, then it's all pretty much yelling and coloring.
 
Lennyuk
#3
Recognized Developer
Thanks Meter 1383
Posts: 5,660
Join Date: Jan 2010
Location: Essex, England
Sorry, but you are very very ill-informed.

This bug affects all Android devices. We have two problems here; 2 leads on from 1.

1) Does the device launch USSD (or other similar codes) from the browser automatically? (Most stock diallers will do this, certainly both Samsung and HTC DO!)

2) Does the device have a USSD (or similar code) that allows for the device to be wiped without confirmation? (Most Samsung and HTC devices do! Although the code to trigger it can vary from device to device.)

Samsung and Stock Google have patched this in recent builds, so if you're up-to-date you should be safe; however, no evidence has been obtained to show that HTC is safe (or even knows of the problem).

In short, if there is a code to wipe your device then you are most likely vulnerable.
I am some sort of dev and a writer for LandofDroid. I am also a member of HTC Elevate. Was a member of the now defunct "Team Villain" aka VillainRom.


Device info:
 
Current: LG G3, Google LG Nexus 5, Chromecast, Acer C720 Chromebook
Retired: HTC One, Google LG Nexus 4, Google Asus Nexus 7 Samsung Galaxy Note II Samsung Galaxy S III, Advent Vega (Tablet), Samsung Galaxy S II, Samsung Galaxy S, HTC Desire Z, HTC Desire HD, HTC Desire, HTC Hero

 
mkdotam
#4  
Junior Member
Thanks Meter 0
Posts: 1
Join Date: Sep 2010
*#06# shows IMEI on HTC, and here is a page where you can make sure HTC is vulnerable too: mk.am/m/ussd.html

The only thing is I'm not quite sure that HTC has USSD for factory reset or wipe.
 
Lennyuk
(Last edited by Lennyuk; 25th September 2012 at 05:25 PM.)
#5
Recognized Developer
Thanks Meter 1383
Posts: 5,660
Join Date: Jan 2010
Location: Essex, England
These work on some htc phones:

##72786#
*#*#7780#*#*
*#7780#

*#767*3855# - this one, if it works will format your partitions, recovery will not be a simple task BE WARNED!
 
killsforpie
#6  
Member - OP
Thanks Meter 3
Posts: 68
Join Date: Oct 2010
Quote:
Originally Posted by synisterwolf View Post
This bug is being reported for Samsung TouchWiz devices only. We are safe.
Does HTC have such a reset code? I've seen various posts say that HTC does have a reset code.

I was able to get to the HTC Function Test with this method (3424) on stock browser, FF and Chrome. If there is a similar hard reset I think this would work for that too.
 
killsforpie
#7  
Member - OP
Thanks Meter 3
Posts: 68
Join Date: Oct 2010
Quote:
Originally Posted by Lennyuk View Post
These work on some htc phones:

##72786#
*#*#7780#*#*
*#7780#

*#767*3855# - this one, if it works will format your partitions, recovery will not be a simple task BE WARNED!
Any souls out there braver (or perhaps in a better position) than I to try these out?
 
synisterwolf
(Last edited by synisterwolf; 25th September 2012 at 09:55 PM.)
#8
Recognized Contributor
Thanks Meter 2125
Posts: 6,294
Join Date: Sep 2010
Quote:
Originally Posted by Lennyuk View Post
These work on some htc phones:

##72786#
*#*#7780#*#*
*#7780#

*#767*3855# - this one, if it works will format your partitions, recovery will not be a simple task BE WARNED!
Tried all 4 codes on my HTC Rezound. Nothing happened.

So I'm sorry, but it looks like you are misinformed.


The Factory Reset. One of those last ditch efforts that many of us have a fair bit of experience with. However, a malicious embed code could potentially do the exact same thing to your Galaxy S III. The Unstructured Supplementary Service Data (USSD) code (which we won't reproduce here) apparently only works on Samsung phones running Touchwiz, and only if you are directed to the dodgy destination while inside the stock browser (rather than Chrome, for example). This means the Galaxy Nexus is unaffected, but it can work the same dark magic on the likes of the Galaxy S II.

We've been trying to murder a (UK-based) GS III here at Engadget, but with no luck as yet -- we can cause the malicious digits to appear in the dialer, but we can't force the stock browser to visit them as a URL, even when trying a bit of URL forwarding and QR code trickery. However, this particular GS III has been rooted in the past, even though it's now running an official TouchWiz ROM, and that may be interfering with the process.

Aside from our own experiences, the evidence for the vulnerability is certainly strong. It was demonstrated at the Ekoparty security conference last weekend, during which time presenter Ravi Borgaonkar also showed how a different code could even wipe your SIM card. See the video after the break for the evidence.

Update: Tweakers.net has been able to replicate the security hole on a Galaxy S Advance, while The Verge has confirmed that it works on both the Galaxy S II and the AT&T Galaxy S III. Samsung has told us it's looking into the issue.


source



There's a lot of confusion as to exactly which Samsung phones are vulnerable to today's big scary USSD vulnerability, which could cause some phones to factory reset themselves upon visiting a malicious web page. Some Galaxy S2 and S3-class phones are susceptible, others less so. In some cases it depends if you're running the latest firmware or not. In others, there's no patched firmware available yet.

Samsung will surely be hard at work rolling out fixes for devices that remain susceptible, but in the meantime we've got a quick, easy way to tell if your phone is at risk, without taking the plunge and running the malicious code itself. Find out more after the break.

First off, note that today's glitch only affects Samsung phones. Our testing method may produce different results on other manufacturers' devices, but it's important to remember that it's impossible to use this exploit on a phone that's not running Samsung's TouchWiz software. Also, note that we don't see any secret information from your phone during this test. If in doubt, right-click and check the source code to see exactly what we're doing. It's a pretty simple test.

With that in mind, head to this page on your Samsung phone's stock browser. You'll find it at androidcentral.com/ussd-test

With this page loaded on your phone, simply click the button in the embedded area below to see if your Samsung phone is at risk. The test works by trying to direct you to a benign USSD code, specifically, the one that displays your IMEI on your screen (nothing malicious). If you're using a Samsung phone and a window pops up showing your IMEI number, you're likely vulnerable. If your dialer just loads up showing either nothing, or *#06# in the number read-out, you should be safe.

Let us know how you get on down in the comments. Safe browsing, everyone!

Source
 
killsforpie
#9  
Member - OP
Thanks Meter 3
Posts: 68
Join Date: Oct 2010
Quote:
Originally Posted by synisterwolf View Post
Tried all 4 codes on my HTC Rezound. Nothing happened.

So I'm sorry, but it looks like you are misinformed.
That is good news, but this is still too early to call this one I think. This vector is open (at least on my phone) as demonstrated by the code:

HTML Code:
<frameset>
	<frame src="tel:*%23*%233424%23*%23*">
</frameset>
(Place in an HTML file, host it somewhere. I wouldn't trust ANYONE's links unless you are prepared for the worst.)

This uses 3424 which opens up the HTC Function Test.

Just because those codes don't work doesn't mean there isn't one available if the vector is open.
 
synisterwolf
#10
Recognized Contributor
Thanks Meter 2125
Posts: 6,294
Join Date: Sep 2010
Quote:
Originally Posted by killsforpie View Post
That is good news, but this is still too early to call this one I think. This vector is open (at least on my phone) as demonstrated by the code:

HTML Code:
<frameset>
	<frame src="tel:*%23*%233424%23*%23*">
</frameset>
(Place in an HTML file, host it somewhere. I wouldn't trust ANYONE's links unless you are prepared for the worst.)

This uses 3424 which opens up the HTC Function Test.

Just because those codes don't work doesn't mean there isn't one available if the vector is open.
Ran this in Chrome and still no go.