OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
[Full-disclosure] Nokia 6131 NFC URI/URL Spoofing and DoS Advisory

From: Collin R. Mulliner (collinbetaversion.net)
Date: Sat Aug 16 2008 - 12:16:14 CDT


Vulnerability Report

--- BEGIN ADVISORY ---

Manufacturer: Nokia (www.nokia.com)
Device: Nokia 6131 NFC
Firmware: V 05.12, 19-09-07, RM-216
Device Type: mobile phone
OS: Symbian Series40

Subsystem: Near Field Communication

-----------------------------

Executive Summary:
 URI/URL Spoofing when displaying the content of a NDEF Smart Poster
 and plain URI tag. Web browser does not display full hostname when
 loading a web page.
  
 Crash of the parser for various parts of NDEF records, reboots
 graphical user interface (GUI) of phone.

-----------------------------

Reporter: Collin Mulliner <collin.mulliner[AT]sit.fraunhofer.de>

-----------------------------

Affiliation: Fraunhofer SIT / MUlliNER.ORG / the trifinite group

-----------------------------

Time line:

 Reported to vendor : 27. March 2008
 Received ack. : 28. March 2008
 Presented at EuSecWest2008 : 21. May 2008
 Received further feedback : 04. July 2008
 Published to mailing lists : 16. August 2008

-----------------------------

Fix:

 The first device without the reported vulnerabilities will be the
 Nokia 6212 Classic NFC mobile phone.

-----------------------------

Brief Technical Details:

 The Nokia 6131 NFC mobile phone is a mobile phone featuring the Near
 Field Communication (NFC) technology (http://www.nfc-forum.org). The
 phone has multiple security vulnerabilities in the code that parses and
 displays the content of a NDEF Smart Poster and a plain URI tag.
 
 1) NDEF Smart Poster URI Spoofing
 
 The NDEF Smart Poster displays a URI together with a descriptive text.
 The URI can be a URL (http,https,ftp,...) or can point to a phone
 number (tel:) or to a short message (sms:).
 
 The vulnerability: the phone concatenates the descriptive text and the
  URI. The URI might not be displayed if the the descriptive text
  already uses the available space to display both information. Further
  the descriptive text can contain text that reassembles a URI.
  Therefore a user can be tricked into opening/activating a different
  URI than he expects. This can lead to monetary damage.
  
  There is no visual indication of which part is text and which part is
  the URI.
 
 1.1.1) URL Spoofing
 
  Descriptive text: Bank online with Happy Bank and Trust
                     https://www.happybankandtrust.com
  
  URI: http://westealallyourmoney.com
  
  User will believe he is accessing https://www.happybankandtrust.com
  but he actually will load http://westealallyourmoney.com.
  
  
 1.1.2) URL Spoofing surviving a quick check
 
  Descriptive text:
   http:\\www.nokia.com\r\r\rAddress:\rhttp:\\www.nokia.com\r\r\r\r\r.
  
  URI: http://www.mulliner.org
  
  The user will be see "http://www.nokia.com" in main screen, if he
  presses "Show" he will see:
  
    Title:
    http://www.nokia.com
  
    Address:
    http://www.nokia.com
  

 1.2) Telephone URI Spoofing
 
  Descriptive text:
   Tourist Information\r080012345678\r\r\r\r\r\r\r\r\r\r.
  
  URI: tel:19006661666
  
  The user will believe this is a free call but will actually call
  1900...
 
  
 1.3) SMS URI Spoofing
  
  Descriptive text: Get todays weather forecast\r08005551234
  
  URI: sms:33333?body=tone1
  
  The user will believe the SMS is for free but he will actually send a
  message to a premium rate number.
  
  
 2) Plain URI Spoofing
 
  Spoofing using the classic method.
  
  URI:
   http://wap.somebank.com\wap\login&where=ccinfo\r\r...\r\rbadguy.net
   
  Notice: some characters are not allowed before the these are:
   / and ? the user will probably not notice.
   

 3) NDEF Record Parser Crash
 
  The NDEF Record parser crashes if the record payload length field
  contains either 0xFFFFFFFF or 0xFFFFFFFE
  
  The crash will reboot the GUI of the phone. After 4 reboots in a row
  the phone will switch off completely (e.g. user constantly trying to
  read the tag containing this value).
  
  
 4) NDEF Tel/SMS Handler Crash
 
  The handler for the sms and tel URI crashes when encountering a
  phone number of exactly 124 characters.
  
  Examples:
   tel:<124 characters> and sms:<124 characters>
   
  Best guess is a off-by-one bug since shorter numbers work and longer
  numbers produce an error message.
  
  The crash will reboot the GUI of the phone. After 4 reboots in a row
  the phone will switch off completely (e.g. user constantly trying to
  read the tag containing this value).
    
-----------------------------

More Detailed Information:

 More details, slides and tools are available here:
  http://www.mulliner.org/nfc/

 
--- END ADVISORY ---

--
Collin R. Mulliner <collinbetaversion.net>
BETAVERSiON Systems [www.betaversion.net]
info/pgp: finger collinbetaversion.net
Don't ask me! I don't use windoze!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/