exploit the possibilities

Kies Air Denial Of Service / Authorization Bypass

Kies Air Denial Of Service / Authorization Bypass
Posted Nov 16, 2012
Authored by Claudio J. Lacayo

Kies Air suffers from authorization bypass and denial of service vulnerabilities. Android version 4.0.4 build number IMM76D.I747UCALH9 is affected.

tags | exploit, denial of service, vulnerability, bypass
advisories | CVE-2012-5858, CVE-2012-5859
MD5 | ca2c894d35d1c3d90e64a5b2734daf70

Kies Air Denial Of Service / Authorization Bypass

Change Mirror Download
Name: [CVE-2012-5858] [CVE-2012-5859] DoS/Authorization Bypass - Kies Air
Package: com.samsung.swift.app.kiesair
Affected versions: 2.1.207051, 2.1.210161
Testing Device: Samsung S3 (AT&T) - SAMSUNG-SGH-I747
Android Version: 4.0.4/ Build Number: IMM76D.I747UCALH9
Vendor homepage: http://www.samsung.com/us/kiesair
Researcher: Claudio J. Lacayo


APPLICATION OVERVIEW
======================
Kies Air is a application that enables you to easily manage contents saved on your device via PC internet or mobile browser using Wi-Fi technology. Without having to connect any cables, within a browser you can use diverse function such as multimedia transfer, music listening, PIMS management, text message, file search, and so on.

VULNERABILITY SUMMARY
=======================
The default application behaviour of the Kies Air application was analyzed uncovering a local authorization bypass attack that allows a malicious attacker to obtain the full contents of the phone. Kies Air uses IP based authorization to allow access to the owners device via a web browser. The application has support for HTTPS but does not use it. Once a request is granted to an IP, an attacker can spoof the IP, de-authenticate the authorized client and assume the IP to retrieve content without alarming the user. It was also found that a specially crafted request can cause the application to crash at will. This DoS attack only requires the application to be running.

DETAILS
=======
Authorization Bypass:
A series of HTTP requests are made when the client connects to the Kies Air web server. The server responds with two 301 responses. The first 301 Moved Permanently response points to http://{TARGET_IP}:8080/www/index.html followed by another 301 pointing to a new URI location at: http://{TARGET_IP}:8080/www/index.gz.html - if the user is allowed access, the server responds with 200 OK otherwise a 401 Unauthorized response is returned.
Once the Kies Air web server is identified a de-authentication request can be sent to remove the authorized user on the network and obtain the authorized IP. Requesting access to Kies Air does not require the client to re-authenticate nor alert the mobile user that another connection attempt is being made.

Denial of Service:
Send GET request http://{TARGET_IP}:8080/www/apps/KiesAir/jws/ssd.php?E&

ADVISORY TIMELINE
=================
10/16/2012 - Authorization bypass found and confirmed
10/20/2012 - DoS found and confirmed
11/5/2012 - Vendor notified via email to Kies Air Support team.
11/6/2012 - Kies Air support team responds, requests vulnerability details to forward to Kies Air Development team. Whitepaper and code provided
11/10/2012 - Member from Mobile Security Team requests vulnerability disclosure extension. Due to severity and attack scope request denied and issue details published.
11/11/2012 - Advisory released.

CVSS 2.0 Base Metrics
==================
Reference Base Vector Base Score
CVSS Base Score
6.1
Impact Subscore
8.5
Exploitability Subscore
3.9
CVSS Temporal Score
5.3
CVSS Environmental Score
4.2
Modified Impact Subscore
6.7
Overall CVSS Score
4.2

RESOLUTION
===========
Upgrade the latest version of Kies Air to 2.2.211081 released November 8th, 2012.

REFERENCES
============
Whitepaper: http://dl.dropbox.com/u/7779799/SamsungKiesAirAuthorizationBypassandDoS.pdf
PoC: https://github.com/cjlacayo/bash/blob/master/KiesAir/kiesauth.sh

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    10 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close