Browser and Smartphone Exploits Fly at Pwn2Own [Recap]
With Google offering $20,000 for a Chrome sandbox exploit, Apple releasing fresh security updates, and the organisers allowing researchers to target mobile phone basebands, it was sure to make for an interesting Pwn2Own contest at CanSecWest this year.
For the fifth year running, Pwn2Own invited security researchers to discover vulnerabilities and develop exploits for the most popular browsers on Mac OS X and Windows (for some reason Linux is left out this year). Traditionally IE, Firefox and Safari have been exploited, with Chrome the last browser standing at last year’s competition. Google upped the ante by making it significantly more attractive to target their browser this year.
In short: Safari, Internet Explorer, iPhone and Blackberry were all successfully compromised. Chrome and Firefox survived. Hit the jump for the full details!
Single Packet Authorization on Android with fwknop
Users of Single Packet Authorization (SPA) and fwknop can now send SPA packets from their Android phones, thanks to an app by Max Kastansas built on the libfko library that ships with fwknop.
The open source Android client sends authorization packets to a server running fwknop, which then opens ports according to a predefined ruleset. The app can also launch ‘Connectbot’ and open an SSH session when the port being opened is SSH. Note that at the moment the Android client exposes only the most basic fwknop options and lacks GPG support, but hopefully we can look forward to these being added in the future.
Using a phone-based client to send the authorization packet on behalf of another computer can actually improve security somewhat: the packet travels out-of-band (OOB) over the phone’s network rather than the computer’s, so it is less exposed to interception if the computer’s network traffic is being monitored, and the address that gets opened is whatever address the packet asks for, not the address it was sent from.
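To make the "open a port for another computer from a phone" idea concrete, here is an added example of a minimal SPA client and server. It is illustration code written for this post, not fwknop or libfko, and it does not produce fwknop's wire format (fwknop encrypts the packet with Rijndael or GnuPG before authenticating it; this demo uses an HMAC-SHA256-only packet so it runs on the Python standard library alone). The pre-shared key, the 120-second timestamp window, the 30-second access timeout and the 203.0.113.10 laptop address are all assumed values. What it keeps from the SPA design is the part that matters here: one datagram with no handshake and no reply, the allowed address carried inside the packet rather than taken from the sender, a timestamp window, and a replay cache of packet digests so a sniffed copy cannot be resent.

```python
"""Minimal single-packet-authorization demo in the spirit of fwknop.

Added illustration, not fwknop/libfko code and not its wire format.
Assumptions: a pre-shared HMAC key, a 120 s clock-skew window and a
30 s firewall access timeout (all made-up values for this example).
"""
import base64
import hashlib
import hmac
import json
import os
import time

SHARED_KEY = b"example-shared-key-not-for-real-use"  # assumption: pre-shared key
TIME_WINDOW = 120        # seconds of clock skew the server tolerates (assumed)
FW_ACCESS_TIMEOUT = 30   # seconds the firewall rule stays open (assumed)


def build_spa_packet(allow_ip, proto_port, key=SHARED_KEY, now=None):
    """Client side (the phone): build one authorization packet.

    allow_ip is the address to be granted access. It need not be the
    address the packet is sent from, which is what lets a phone authorize
    a laptop out-of-band.
    """
    body = {
        "allow_ip": allow_ip,
        "access": proto_port,  # "tcp/22" style, mirroring fwknop's -A form
        "ts": int(time.time()) if now is None else now,
        # random nonce makes every packet unique, so digests never collide
        "nonce": base64.b64encode(os.urandom(16)).decode(),
    }
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, raw, hashlib.sha256).digest()
    return base64.b64encode(raw + tag).decode()


class SpaServer:
    """Server side: verify packets and decide which firewall rule to add."""

    def __init__(self, key=SHARED_KEY, open_ports=("tcp/22",)):
        self.key = key
        self.open_ports = set(open_ports)  # like OPEN_PORTS in an fwknop access stanza
        self.seen = set()                  # replay cache of packet digests

    def verify(self, packet, now=None):
        """Return (rule, "ok") or (None, reason). Nothing is ever sent back."""
        now = int(time.time()) if now is None else now
        try:
            blob = base64.b64decode(packet, validate=True)
        except ValueError:
            return None, "bad encoding"
        if len(blob) <= 32:
            return None, "too short"
        raw, tag = blob[:-32], blob[-32:]
        expected = hmac.new(self.key, raw, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None, "bad hmac"        # tampered, or wrong key
        digest = hashlib.sha256(blob).hexdigest()
        if digest in self.seen:
            return None, "replay"          # sniffed copy resent
        body = json.loads(raw)
        if abs(now - body["ts"]) > TIME_WINDOW:
            return None, "stale"           # outside the clock-skew window
        if body["access"] not in self.open_ports:
            return None, "port not permitted"
        self.seen.add(digest)
        proto, port = body["access"].split("/")
        rule = "allow %s from %s to port %s for %ds" % (
            proto, body["allow_ip"], port, FW_ACCESS_TIMEOUT)
        return rule, "ok"


def tamper(packet, index=5):
    """Flip one byte inside the authenticated part of a packet (for testing)."""
    blob = bytearray(base64.b64decode(packet))
    blob[index] ^= 1
    return base64.b64encode(bytes(blob)).decode()


def demo():
    """Phone sends the packet but asks for the laptop's address to be allowed."""
    server = SpaServer()
    pkt = build_spa_packet("203.0.113.10", "tcp/22")   # 203.0.113.10 = laptop (assumed)
    first = server.verify(pkt)     # accepted: rule for the laptop's address
    second = server.verify(pkt)    # same bytes again: rejected as a replay
    return first, second


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The replay cache is what makes the OOB trick safe in practice: even if the computer's traffic is being watched, the SPA packet never crosses that link, and anyone who does capture a copy elsewhere cannot reuse it. A real deployment also needs the packet body encrypted, which fwknop does and this demo deliberately does not.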
Now we just need an iPhone/iOS app! Come on developers.
Related: Cipherdyne (source code)
Making Calls Using Keylock Bypass Bug on iOS 4.1
A keylock bypass bug has been found in iOS 4.1 which allows unauthorised users to circumvent the passcode screen and make calls. It’s a pretty simple trick: enter a number (eg. 1) on the ‘Emergency Call’ screen, press Call, and then immediately press the lock button. This brings up the Phone app, where the user can pick a name from the contact list or dial a number of their choice. To return the phone to normal (without rebooting it), hold down the Home button until the Voice Control screen comes up, press Cancel, and then press the lock button.
From there you are also able to add and delete contacts, and to open the Mail app by sharing a contact, at which point you can create and send emails.
Here’s a demo:
I’m running 3.1.3 on an iPhone 2G, and for some reason I can make arbitrary calls directly from the Emergency Call screen without any fancy tricks. Go figure.
These kinds of vulnerabilities are not unique to iPhones however, with similar bypass bugs being found in some Android-based phones.
[Update] Thanks Andy for clarifying what an attacker can do using this technique.
[Update 2] This bug has been fixed in the iOS 4.2 update.