[Security Fix - Update] USSD Codes can remotely wipe your data

By j4n87, Guest on 27th September 2012, 07:43 AM
On the web the info is spreading that it's possible to remotely wipe devices with USSD codes. More info here:

Remote wipe attack not limited to Samsung phones, Android dialer may be to blame

and here:

http://dylanreeve.posterous.com/remote-ussd-attack

I immediately took a look at our Sense code on smali level and "fixed" that issue. I put "fixed" in quotes because of the following things:

Just because your IMEI shows when executing this "security test" doesn't automatically mean your phone is vulnerable:


Code:
.method static handleChars(Landroid/content/Context;Ljava/lang/String;ZLandroid/widget/EditText;Landroid/content/res/Resources;)Z
    .locals 2

    invoke-static {p1}, Landroid/telephony/PhoneNumberUtils;->stripSeparators(Ljava/lang/String;)Ljava/lang/String;
    move-result-object v0

    invoke-static {p0, v0, p2, p4}, Lcom/android/htcdialer/widget/SpecialCharSequenceMgr;->handleIMEIDisplay(Landroid/content/Context;Ljava/lang/String;ZLandroid/content/res/Resources;)Z
    move-result v1
    if-nez v1, :cond_0

    invoke-static {p0, v0}, Lcom/android/htcdialer/widget/SpecialCharSequenceMgr;->handlePinEntry(Landroid/content/Context;Ljava/lang/String;)Z
    move-result v1

    if-nez v1, :cond_0
    invoke-static {p0, v0, p3, p4}, Lcom/android/htcdialer/widget/SpecialCharSequenceMgr;->handleAdnEntry(Landroid/content/Context;Ljava/lang/String;Landroid/widget/EditText;Landroid/content/res/Resources;)Z
    move-result v1

    if-nez v1, :cond_0
    invoke-static {p0, v0}, Lcom/android/htcdialer/widget/SpecialCharSequenceMgr;->handleSecretCode(Landroid/content/Context;Ljava/lang/String;)Z
    move-result v1

    if-eqz v1, :cond_1

    :cond_0
    const/4 v1, 0x1

    :goto_0
    return v1

    :cond_1
    const/4 v1, 0x0

    goto :goto_0
.end method
The handleChars method is called when text/numbers are entered via the dialpad. In this method you can see four submethods:

handleIMEIDisplay
handlePinEntry
handleAdnEntry
handleSecretCode


This means that displaying the IMEI and executing the USSD codes
(handleSecretCode method) are handled in different methods.

In handleSecretCode there are a few hardcoded commands that are executed, like:

com.android.phone.NetworkModeSelectionActivity
or com.android.phone.CallFeaturesSetting

which aren't dangerous; there are two sendBroadcast commands though,
which send the command with an android.provider.Telephony.SECRET_CODE intent.

One of those is limited to commands that start with *#*# or end with *#*#. So if USSD commands always start with *, which is also said in the article, that one isn't dangerous.

Please read the update at the bottom.

The other one is only executed when the phone type is 2:

Code:
    const/4 v10, 0x2

    const/4 v5, 0x1

    .....

    invoke-virtual {v3}, Landroid/telephony/TelephonyManager;->getPhoneType()I

    move-result v7
The phone type 2 is:

Phonetype 2

and the broadcast is also sent with the beginning string:

Quote:

android_secret_code://cdma

...so this broadcast shouldn't affect us and isn't dangerous either.


No guarantees that I'm right with my guess. But for those who are still frightened, do the following:


Code:
.method static handleChars(Landroid/content/Context;Ljava/lang/String;ZLandroid/widget/EditText;Landroid/content/res/Resources;)Z
    .locals 2

    invoke-static {p1}, Landroid/telephony/PhoneNumberUtils;->stripSeparators(Ljava/lang/String;)Ljava/lang/String;
    move-result-object v0

    invoke-static {p0, v0, p2, p4}, Lcom/android/htcdialer/widget/SpecialCharSequenceMgr;->handleIMEIDisplay(Landroid/content/Context;Ljava/lang/String;ZLandroid/content/res/Resources;)Z
    move-result v1
    if-nez v1, :cond_0

    invoke-static {p0, v0}, Lcom/android/htcdialer/widget/SpecialCharSequenceMgr;->handlePinEntry(Landroid/content/Context;Ljava/lang/String;)Z
    move-result v1

    if-nez v1, :cond_0
    # keep the move-result after handleAdnEntry: the if-eqz below must see the ADN
    # result, otherwise v1 is the stale handlePinEntry value and every handled ADN
    # entry would make handleChars return false
    invoke-static {p0, v0, p3, p4}, Lcom/android/htcdialer/widget/SpecialCharSequenceMgr;->handleAdnEntry(Landroid/content/Context;Ljava/lang/String;Landroid/widget/EditText;Landroid/content/res/Resources;)Z
    move-result v1

    # handleSecretCode call disabled: no SECRET_CODE broadcast is sent for dialed strings
    #if-nez v1, :cond_0
    #invoke-static {p0, v0}, Lcom/android/htcdialer/widget/SpecialCharSequenceMgr;->handleSecretCode(Landroid/content/Context;Ljava/lang/String;)Z
    #move-result v1

    if-eqz v1, :cond_1

    :cond_0
    const/4 v1, 0x1

    :goto_0
    return v1

    :cond_1
    const/4 v1, 0x0

    goto :goto_0
.end method

It's in the HtcDialer.apk,

android/htcdialer/widget/SpecialCharSequenceMgr.smali

This will deactivate the call to the handleSecretCode method, where the possibly dangerous commands could be executed.
This should work, from my interpretation of the code..I'm not responsible if it doesn't work and your phone data is still vulnerable.

If you comment out the call for the IMEI window and start the security test again, you will notice that your IMEI shouldn't show anymore like before.


I will attach my already modified version; it should work on all 2.17-based ROMs...and also earlier.

Cheers, Jan



Update:

HTC secret codes for HTC One X

Quote:

*#*#7780#*#* = factory reset !! BE CAREFUL!
##4772579# = reset GPS - working?
*2767*3855# = factory format !! BE CAREFUL!
*#*#197328640#*#* = service mode? - after two tests seems to be NOT WORKING


...would mean that if *#*#7780#*#* works, there's a risk that this command is sent via the 1st broadcast I explained, meaning that there could be a danger.

But if you test it you will see that none of those codes affect us in any way.


Attached Files
File Type: zip SecurityFix_USSD_Codes.zip (1.32 MB, 962 views)
Slaytanic
27th September 2012, 07:53 AM |#2  
Great job, you're really fast!

EDIT: installation fails on my HOX.. it asks me if I want to replace this system app and when I say OK it fails installation.
j4n87
27th September 2012, 08:00 AM |#3  
Quote:
Originally Posted by Slaytanic

Great job, you're really fast!

EDIT: installation fails on my HOX.. it asks me if I want to replace this system app and when I say OK it fails installation.

You need to push it to system/app with adb. You can't install it.
I will create a flashable zip in a few...


EDIT: flashable zip attached.
samarain
27th September 2012, 08:07 AM |#4
When I try to install this apk it declines; should I substitute it in the system directly?

---------- Post added at 08:07 AM ---------- Previous post was at 08:05 AM ----------

Quote:
Originally Posted by j4n87

You need to push it to system/app with adb. You can't install it.
I will create a flashable zip in a few...


EDIT: flashable zip attached.

Already answered
Slaytanic
27th September 2012, 09:13 AM |#5  
Quote:
Originally Posted by j4n87

You need to push it to system/app with adb. You can't install it.
I will create a flashable zip in a few...


EDIT: flashable zip attached.

You're too fast. Thanks! I'll donate for your marriage
27th September 2012, 11:13 AM |#6  
Great, I did the test myself yesterday..
My HOX prompted my IMEI, OMG..

Thanks for the FIX..
You're even faster than Samsung..
HTC should voice out and fix it ASAP too..
twics
27th September 2012, 11:14 AM |#7
This is a little over my head, but I did the test and my IMEI showed up, so I guess I'm vulnerable. Thanks for the fix.
TAGTRAUM
27th September 2012, 11:43 AM |#8
I did the test...Nothing happened, no dialer ran, no #06 showed, no IMEI appeared, it loaded like a plain link....Do I need to install this fix??
ROM - ViperX 2.7.1, Browser - Opera
robocik
27th September 2012, 11:46 AM |#9
Quote:
Originally Posted by TAGTRAUM

I did the test...Nothing happened, no dialer ran, no #06 showed, no IMEI appeared, it loaded like a plain link....Do I need to install this fix??
ROM - ViperX 2.7.1, Browser - Opera

Read somewhere that only stock browsers are vulnerable. Opera, Chrome, Firefox etc. should be fine...
j4n87
27th September 2012, 11:48 AM |#10  
Quote:
Originally Posted by TAGTRAUM

I did the test...Nothing happened, no dialer ran, no #06 showed, no IMEI appeared, it loaded like a plain link....Do I need to install this fix??
ROM - ViperX 2.7.1, Browser - Opera

All HTC Sense devices are affected...this browser thing seems to work only on the stock browser though. But keep in mind that those codes can be sent via SMS as well.
Please read my article carefully again, then you can decide on your own if you want to flash this patch or not.
j4n87
27th September 2012, 11:51 AM |#11  
Quote:
Originally Posted by robocik

read somewhere that only stock browsers are vulnerable. Opera, Chrome, Firefox etc. should be fine...

Correct, but as mentioned above those codes could be sent via SMS as well.
btw...you are alive! =P

Imo there's really no danger concerning these codes.

Quote:

the USSD code to factory data reset a Galaxy S3 is *2767*3855# can be triggered from browser like this: <frame src="tel:*2767*3855%23" />


I didn't test it myself, but from my code analysis this code should never execute on our Sense One X devices.


Please check the updated OP at the bottom.
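The tel: URI decoding and the four-step handleChars dispatch from the OP, together with the <frame src="tel:..."> trigger quoted in post #11, as an added example that is not from the thread or from HTC's dialer. The sub-handler patterns and the stripSeparators character set are assumptions modelled on AOSP's SpecialCharSequenceMgr, and dialer_action shows the defensive rule a dialer can apply to strings that arrive from a link instead of the keypad:

```python
import re
from urllib.parse import unquote

SEPARATORS = "-() ./"   # characters PhoneNumberUtils.stripSeparators drops (assumption)


def strip_separators(number: str) -> str:
    """Rough stand-in for PhoneNumberUtils.stripSeparators: drop formatting characters."""
    return "".join(ch for ch in number if ch not in SEPARATORS)


def tel_uri_to_digits(uri: str) -> str:
    """Decode the body of a tel: URI the way a browser hands it to the dialer.

    '%23' decodes to '#', which is why a tel: link can carry a complete USSD/secret code.
    """
    if not uri.lower().startswith("tel:"):
        raise ValueError("not a tel: URI")
    return strip_separators(unquote(uri[4:]))


def classify(number: str) -> str:
    """Return which handleChars sub-handler would claim the dialed string.

    Order mirrors the smali in the OP; the patterns are assumptions modelled
    on AOSP's SpecialCharSequenceMgr, not HTC's exact checks.
    """
    if number == "*#06#":
        return "imei_display"      # handleIMEIDisplay
    if re.fullmatch(r"\*\*0[45]\*.*#", number):
        return "pin_entry"         # handlePinEntry: **04* / **05* PIN change / unblock
    if re.fullmatch(r"\d{1,2}#", number):
        return "adn_entry"         # handleAdnEntry: "N#" recalls SIM contact N
    if number.startswith("*#*#") and number.endswith("#*#*"):
        return "secret_code"       # handleSecretCode -> SECRET_CODE broadcast
    if number[:1] in ("*", "#") and number.endswith("#"):
        return "ussd"              # anything else of that shape goes to the network
    return "plain_number"


def dialer_action(number: str, from_external_uri: bool) -> str:
    """Mitigation: a code that arrived via a tel: link is prefilled, never auto-executed."""
    kind = classify(strip_separators(number))
    if kind == "plain_number":
        return "prefill"           # ordinary numbers keep the normal tel: behaviour
    if from_external_uri:
        return "prefill_require_confirmation"   # user must press call themselves
    return "execute:" + kind       # keypad input keeps its normal behaviour
```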