#2009-014 Android denial-of-service issues Description: Android, an open source mobile phone platform, is affected by two bugs that lead to denial-of-service (DoS) conditions. Two separate DoS issues have been independently reported to oCERT. The most recent report concerns Android handling of SMS messages: a specific malformed SMS message can be crafted to trigger a condition that disconnects the mobile phone from the cellular network. The malformed SMS message consists of a badly formatted WAP Push message which causes an Java ArrayIndexOutOfBoundsException in the phone application (android.com.phone). The phone application silently restarts without user awareness, this leads to a temporary loss of connectivity (as well as dropping of current calls, if any) which can be prolonged in case the phone SIM is protected by PIN, due to required PIN re-entry and the need for user attention. Triggering this bug (repeatedly in case no PIN is present) is considered a remote DoS condition. The second report addresses a number of issues discovered in the Android's Dalvik API, one of them has been classified by the Android team as a DoS vulnerability which leads to restarting the system process. A specific malicious application can be crafted so that if it is downloaded and executed by the user, it would trigger the vulnerable API function and restart the system process. The same condition could occur if a developer unintentionally places the vulnerable function in a place where the execution path leads to that function call. Triggering this bug is considered a DoS condition. All the reported issues have been patched. Affected version: Malformed SMS DoS: Android all 1.5 CRBxx versions (where xx are digits) Dalvik API DoS: Android <= 1.5 Fixed version: Malformed SMS DoS: Android 1.5 CBDxx, CRCxx and COCxx (where xx are digits) Dalvik API DoS: Android >= Donut DRC79 Credit: Charlie Miller, Collin Mulliner (malformed SMS DoS). Emmanouel Kellinis, KPMG London (Dalvik API DoS). CVE: CVE-2009-2999 (malformed SMS DoS) Timeline: Malformed SMS DoS: 2009-06-19: reporters send report to Android Security team 2009-07-16: Android Security team releases patch to Android users 2009-07-30: Android Security team publicly release patch to open source Android 2009-08-27: Android Security Team, on behalf of Collin Mulliner, requests assistance from oCERT 2009-08-27: assigned CVE 2009-10-05: advisory release Dalvik API DoS: 2009-04-24: vulnerability report received 2009-04-24: contacted Android Security team 2009-05-05: Android Security team indicates that most of the bugs are not considered security issues but rather stability ones 2009-05-19: reporter provides two additional bugs 2009-05-27: reporter and oCERT provide attack vectors and comments 2009-06-03: Android Security team agrees that one issue has a security impact, does not oppose to advisory release 2009-06-11: Android Security team indicates that all issues will be fixed in Donut release 2009-07-21: patch commited to open source Android repository 2009-10-01: Donut released to users 2009-10-05: advisory release References: Malformed SMS DoS: http://android.git.kernel.org/?p=platform/frameworks/base.git;a=commit;h=46e23fe762d2143d60589ab6d39c4b47c2c754d1 Dalvik API DoS: http://android.git.kernel.org/?p=platform/frameworks/base.git;a=commit;h=cf4550c3198d6b3d92cdc52707fe70d7cc0caa9f Permalink: http://www.ocert.org/advisories/ocert-2009-014.html -- Andrea Barisani | Founder & Project Coordinator oCERT | Open Source Computer Emergency Response Team http://www.ocert.org 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E "Pluralitas non est ponenda sine necessitate"