On Sat, Apr 21, 2012 at 09:27:59PM -0400, Jeffrey Walton wrote:
> Gotta love it - defective spyware running as a driver or privileged
> component. It reminds me of that DRM junk Adobe used to distribute
> (Macrovision). It was a defective Windows driver that exposed users to
> risk (http://technet.microsoft.com/en-us/security/bulletin/ms07-067).
>
> Where are software liability laws when you need them.... (And not the
> "bride a Congressman so there's no teeth" variety).

Someone getting married! ;-)

>
> On Sat, Apr 21, 2012 at 9:16 PM, VSR Advisories
> <[email protected]> wrote:
> >                          VSR Security Advisory
> >                        http://www.vsecurity.com/
> >
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> >
> > Advisory Name: HTC IQRD Android Permission Leakage
> >  Release Date: 2012-04-20
> >   Application: IQRD on HTC Android Phones
> >        Author: Dan Rosenberg <drosenberg (at) vsecurity.com>
> > Vendor Status: Patch Released
> > CVE Candidate: CVE-2012-2217
> >     Reference: http://www.vsecurity.com/resources/advisory/20120420-1/
> >
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> >
> >
> > Product Description
> > -------------------
> > The IQRD service is HTC's implementation of a Carrier IQ porting layer on
> > several HTC Android phones. Carrier IQ is a data collection framework that
> > may be deeply integrated into the Android application stack in order to
> > provide cell carriers with detailed metrics data on device and network
> > activity [1]. To complete the integration of Carrier IQ on a specific
> > device, phone manufacturers provide a "porting layer" that allows the
> > Carrier IQ service to perform specific actions that may vary by device.
> >
> >
> > Vulnerability Details
> > ---------------------
> > On December 22nd, VSR identified a vulnerability in IQRD. The IQRD service
> > listens locally on a TCP socket bound to port 2479. This socket is
> > intended to allow the Carrier IQ service to request device-specific
> > functionality from IQRD. Unfortunately, there is no restriction or
> > validation on which applications may request services using this socket.
> > As a result, any application with the android.permission.INTERNET
> > permission may connect to this socket and send specially crafted messages
> > in order to perform potentially malicious actions.
> >
> > In particular, it is possible for malicious applications to:
> >
> > 1. Trigger UI popup messages
> >
> > 2. Generate tones
> >
> > 3. Send arbitrary outbound SMS messages that do not appear in a user's
> >    outbox, facilitating toll fraud
> >
> > 4. Retrieve a user's Network Access Identifier (NAI) and corresponding
> >    password, potentially allowing rogue devices to impersonate the user
> >    on a CDMA network
> >
> >
> > Versions Affected
> > -----------------
> > The issue is confirmed to affect the HTC EVO 4G, HTC EVO Design 4G, EVO
> > Shift 4G, HTC EVO 3D, HTC EVO View 4G, and HTC Hero on Sprint; and the HTC
> > Vivid on AT&T.
> >
> >
> > Vendor Response
> > ---------------
> > The following timeline details HTC's response to the reported issue:
> >
> > 2011-12-22  Vulnerability reported to HTC
> > 2011-12-28  HTC confirms receipt, replies that fix is planned for early
> >             2012
> > 2012-03-10  VSR requests status update
> > 2012-03-16  HTC confirms fix has been published
> > 2012-03-26  HTC requests clarification on finding
> > 2012-03-26  VSR provides clarification on finding, requests confirmation
> >             on status of fix
> > 2012-04-02  HTC provides confirmation of fix, requests further
> >             clarification
> > 2012-04-02  VSR provides clarification on finding
> > 2012-04-12  VSR provides draft advisory to HTC
> > 2012-04-13  HTC provides corrections to advisory, requests disclosure date
> > 2012-04-20  Coordinated disclosure
> >
> >
> > Recommendation
> > --------------
> >
> > HTC has issued a fix that will typically be provided as an OTA update by
> > affected cell carriers. If the update has not automatically been
> > installed, it is possible to retrieve the update manually by navigating to
> > Menu -> Settings -> System Updates -> HTC Software Update -> Check Now.
> >
> > The following software versions on Sprint are confirmed to resolve this
> > issue:
> >
> >   HTC EVO 4G: 4.67.651.3
> >   HTC EVO Design 4G: 2.12.651.5
> >   HTC EVO Shift 4G: 2.77.651.3
> >   HTC EVO 3D: 2.17.651.5
> >   HTC EVO View 4G: 2.23.651.1
> >
> > The following software versions on AT&T are confirmed to resolve this
> > issue:
> >
> >   HTC Vivid: 3.26.502.56
> >
> >
> > All affected devices except the HTC Hero have received an over-the-air
> > update. HTC and Sprint have declined to update the HTC Hero, citing its
> > 2009 release, minimal current usage, and lack of malicious applications in
> > the Android Marketplace exploiting this vulnerability.
> >
> > Users should be aware that devices that no longer receive updates due to
> > switching carriers may remain vulnerable.
> >
> >
> > Common Vulnerabilities and Exposures (CVE) Information
> > ------------------------------------------------------
> > The Common Vulnerabilities and Exposures (CVE) project has assigned the
> > number CVE-2012-2217 to this issue. This is a candidate for inclusion in
> > the CVE list (http://cve.mitre.org), which standardizes names for security
> > problems.
> >
> >
> > Acknowledgements
> > ----------------
> > Thanks to HTC for their response and fix.
> >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> >
> > References:
> >
> > 1. Carrier IQ
> >    http://www.carrieriq.com
> >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> >
> > This advisory is distributed for educational purposes only with the sincere
> > hope that it will help promote public safety. This advisory comes with
> > absolutely NO WARRANTY; not even the implied warranty of merchantability or
> > fitness for a particular purpose.
> > Neither Virtual Security Research, LLC nor the author accepts any
> > liability for any direct, indirect, or consequential loss or damage
> > arising from use of, or reliance on, this information.
> >
> > See the VSR disclosure policy for more information on our responsible
> > disclosure practices:
> > http://www.vsecurity.com/company/disclosure
> >
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > Copyright 2012 Virtual Security Research, LLC. All rights reserved.
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/

--
- (2^(N-1))
