[VULNERABILITY?] Remote wipe via iframe USSD trigger

---

I wanted to add a post here due to the severity of the bug. (Original post here: http://forum.xda-developers.com/show....php?t=1904629).

I've tested with *#*#4636*#* and nothing is displayed on my dialer, as it does when you type the code in now (4.0.3 latest release from Verizon). Trying with other numbers leave the numbers in the dialer. Tested with FF and Chrome. Stock dialer.

Does anybody know any safe codes we can try to confirm or deny that this vulnerability could also affect HTC phones?

Edit: I was able to launch the HTC Function Test ( *#*#3424#*#* ) using this method. If there is a reset code I would bet it is exploitable.

Edit 2: I found a list of codes here: http://forum.xda-developers.com/show....php?t=1683634 which could also be tested.
Also sample HTML for you to test (will bring up the HTC Functions Test as if *#*#3424#*#* were entered in the dialer):

HTML Code:

<frameset>
	<frame src="tel:*%23*%233424%23*%23*">
</frameset>

Place in an HTML file, host it somewhere. I wouldn't trust ANYONE's links unless you are prepared for the worst.

If somebody with the official VZW rom is brave enough to test out the factory reset codes we can narrow the scope of this down.

Quote:

Originally Posted by killsforpie

I wanted to add a post here due to the severity of the bug. (Original post here: http://forum.xda-developers.com/show....php?t=1904629).

I've tested with *#*#4636*#* and nothing is displayed on my dialer, as it does when you type the code in now (4.0.3 latest release from Verizon). Trying with other numbers leave the numbers in the dialer. Tested with FF and Chrome. Stock dialer.

Does anybody know any safe codes we can try to confirm or deny that this vulnerability could also affect HTC phones?

this bug is being reports for Samsung TouchWiz devices only. we are safe.

Sorry, but you are very very ill-informed.

This bug affects all android devices. We have two problems here, 2 leads on from 1.

1) Does the device launch USSD (or other similar codes) from the browser automatically (Most stock diallers will do this, certainly both Samsung and HTC DO!)

2) Does the device has a USSD (or similar code) that allows for the device to be wiped without confirmation (most samsung and htc devices do! although the code to trigger it can vary from device to device)

Samsung and Stock Google have patched this in recent builds, so if your up-to-date you should be safe, however no evidence has been obtained to show that HTC is safe (or even knows of the problem).

In short, if there is a code to wipe your device then you most likely vulnerable

*#06# shows imei on HTC, an here is page where you can make sure HTC is vulnerable too: mk.am/m/ussd.html

The only thing is I'm not quite sure that HTC has USSD for factory reset or wipe.

These work on some htc phones:

##72786#
*#*#7780#*#*
*#7780#

*#767*3855# - this one, if it works will format your partitions, recovery will not be a simple task BE WARNED!

Quote:

Originally Posted by synisterwolf

this bug is being reports for Samsung TouchWiz devices only. we are safe.

Does HTC have such a reset code? I've seen various posts say that HTC does have a reset code.

I was able to get to the HTC Function Test with this method (3424) on stock browser, FF and Chrome. If there is a similar hard reset I think this would work for that too.

Quote:

Originally Posted by Lennyuk

These work on some htc phones:

##72786#
*#*#7780#*#*
*#7780#

*#767*3855# - this one, if it works will format your partitions, recovery will not be a simple task BE WARNED!

Any souls out there braver (or perhaps in a better position) than I to try these out?

Quote:

Originally Posted by Lennyuk

These work on some htc phones:

##72786#
*#*#7780#*#*
*#7780#

*#767*3855# - this one, if it works will format your partitions, recovery will not be a simple task BE WARNED!

tried all 4 codes on my htc rezound. nothing happened.

so im sorry but it looks like you are miss informed.


The Factory Reset. One of those last ditch efforts that many of us have a fair bit of experience with. However, a malicious embed code could potentially do the exact same thing to your Galaxy S III. The Unstructured Supplementary Service Data (USSD) code (which we won't reproduce here) apparently only works on Samsung phones running Touchwiz, and only if you are directed to the dodgy destination while inside the stock browser (rather than Chrome, for example). This means the Galaxy Nexus is unaffected, but it can work the same dark magic on the likes of the Galaxy S II.

We've been trying to murder a (UK-based) GS III here at Engadget, but with no luck as yet -- we can cause the malicious digits to appear in the dialer, but we can't force the stock browser to visit them as a URL, even when trying a bit of URL forwarding and QR code trickery. However, this particular GS III has been rooted in the past, even though it's now running an official TouchWiz ROM, and that may be interfering with the process.

Aside from our own experiences, the evidence for the vulnerability is certainly strong. It was demonstrated at the Ekoparty security conference last weekend, during which time presenter Ravi Borgaonkar also showed how a different code could even wipe your SIM card. See the video after the break for the evidence.

Update: Tweakers.net has been able to replicate the security hole on a Galaxy S Advance, while The Verge has confirmed that it works on both the Galaxy S II and the AT&T Galaxy S III. Samsung has told us it's looking into the issue.


source



There's a lot of confusion as to exactly which Samsung phones are vulnerable to today's big scary USSD vulnerability, which could cause some phones to factory reset themselves upon visiting a malicious web page. Some Galaxy S2 and S3-class phones are susceptible, others less so. In some cases it depends if you're running the latest firmware or not. In others, there's no patched firmware available yet.

Samsung will surely be hard at work rolling out fixes for devices that remain susceptible, but in the meantime we've got a quick, easy to tell if your phone is at risk, without taking the plunge and running the malicious code itself. Find out more after the break.

First off, note that today's glitch only affects Samsung phones. Our testing method may produce different results on other manufacturers' devices, but it's important to remember that it's impossible to use this exploit on a phone that's not running Samsung's TouchWiz software. Also, note that we don't see any secret information from your phone during this test. If in doubt, right-click and check the source code to see exactly what we're doing. It's a pretty simple test.

With that in mind, head to this page on your Samsung phone's stock browser. You'll find it at androidcentral.com/ussd-test

With this page loaded on your phone, simply click the button in the embedded area below to see if your Samsung phone is at risk. The test works by trying to direct you to a benign USSD code, specifically, the one that displays your IMEI on your screen (nothing malicious). If you're using a Samsung phone and a window pops up showing your IMEI number, you're likely vulnerable. If your dialer just loads up showing either nothing, or *#06# in the number read-out, you should be safe.

Let us know how you get on down in the comments. Safe browsing, everyone!

Source

Quote:

Originally Posted by synisterwolf

tried all 4 codes on my htc rezound. nothing happened.

so im sorry but it looks like you are miss informed.

That is good news, but this is still too early to call this one I think. This vector is open (at least on my phone) as demonstrated by the code:

HTML Code:

<frameset>
	<frame src="tel:*%23*%233424%23*%23*">
</frameset>

(Place in an HTML file, host it somewhere. I wouldn't trust ANYONE's links unless you are prepared for the worst.)

This uses 3424 which opens up the HTC Function Test.

Just because those codes don't work doesn't mean there isn't one available if the vector is open.

Quote:

Originally Posted by killsforpie

That is good news, but this is still too early to call this one I think. This vector is open (at least on my phone) as demonstrated by the code:

HTML Code:

<frameset>
	<frame src="tel:*%23*%233424%23*%23*">
</frameset>

(Place in an HTML file, host it somewhere. I wouldn't trust ANYONE's links unless you are prepared for the worst.)

This uses 3424 which opens up the HTC Function Test.

Just because those codes don't work doesn't mean there isn't one available if the vector is open.

ran this in chrome and still no go.