G300 ICS USSD Vulnerability


Guest dem0nx

Would be helpful if someone on unmodified b892 would post a photo (not a screenshot) showing both the G300 and the effect of visiting the proof of concept url. You'll need to blank out part of your imei in any uploaded pic.

Sorry, can't post a photo of it but can definitely confirm 100% that totally stock unmodified B892 displays the IMEI immediately on visiting the proof of concept site.


Guest Colossae3.23

I thought the point of the alternate dialler was to intercept remote access, which installing any extra dialler seems to do... instead of the code being automatically executed, you're prompted to choose a program to run it. Which for users is a simple choice if they didn't intend to run the dialler code. Did I get that wrong then?

I thought that too at first but once I choose the dialer (in the pop up) it still gave me my imei, which means that a USSD attack would be successful. What you want to happen is for the USSD code to show on dialer, queued up and ready to dial. That means it's not dialling automatically. So then you would just delete (backspace) the code out of the dialer. That's how I understand it...

Edited by Colossae3.23

I thought that too at first but once I choose the dialer (in the pop up) it still gave me my imei, which means that a USSD attack would be successful. What you want to happen is for the USSD code to show on dialer, queued up and ready to dial. That means it's not dialling automatically. So then you would just delete (backspace) the code out of the dialer. That's how I understand it...

Why the hell would you choose the dialler if you didn't mean to launch it but some website had?? Forcing the choice is your 1st line of defence surely?

Guest Colossae3.23

You mean the pop up to choose which dialer, right? Yeah, I think you are right in that regard, because you could just back out of that choice. But, when I was testing it I made exdialer default, and then retested and it automatically showed the imei. So, that was no good.

So, to do what you are saying, you'd have to not make any dialer default, so you always get the choice. I get that, but I don't think that's what those articles were saying. See, the way it's working for me now, is it doesn't dial that test code, automatically, even if I make one of them default. The USSD code just sits there on the dialer waiting for you to push call (just like you dialled a number by hand). So you just delete it.

But all that aside, that app that Cyda posted does the trick too, and it suggests whether the code may be malicious or not. That's a nice thing to have :)

PS: @ frodo, I installed 940 with cwm, I wonder if that makes any difference?

@ redflake how did you install it? Cause neither of us have the auto dial issue

Edited by Colossae3.23

Guest Redflake

I thought that too at first but once I choose the dialer (in the pop up) it still gave me my imei, which means that a USSD attack would be successful. What you want to happen is for the USSD code to show on dialer, queued up and ready to dial. That means it's not dialling automatically. So then you would just delete (backspace) the code out of the dialer. That's how I understand it...

That's what I get with the stock dialer on stock B940. CWM install. I don't have the auto dial issue as seen below.

[Attached image]

Edited by Redflake

Guest Colossae3.23

That's what I get with the stock dialer on stock B940.

yeah that's it. That's what happens to me now. But, when I tried exdialer this morning, it showed the imei number automatically. Now after uninstalling that and using the stock dialer, this is what I get too. How did you install 940? Did you flash the zip in cwm, or did you do the full update method?


Guest Colossae3.23

dialer one will not execute the code unprompted.

yeah I got that with dialer one, also. My thing was I jumped the gun last night not really understanding it all, and went and loaded both those 3rd party dialers. Thing is, it looks like my stock dialer never had the auto dial issue in the first place, just like redflake is saying.


Guest Redflake

yeah that's it. That's what happens to me now. But, when I tried exdialer this morning, it showed the imei number automatically. Now after uninstalling that and using the stock dialer, this is what I get too. How did you install 940? Did you flash the zip in cwm, or did you do the full update method?

I installed B940 with CWM. Think I used B934 update app when I first went to ICS.


I think I remember 934 waiting for me to confirm dialling. What base did you cwm over, Colossae3.23?

I have cyda's linked app too now

Edited by fr0do

Guest Colossae3.23

I think I remember 934 waiting for me to confirm dialling. What base did you cwm over, Colossae3.23?

I have cyda's linked app too now

I think it's 926, that's what I jumped to, from AtomicMod

Edit: sorry just re-read that. I was on Infusion before the cwm to 940. Pretty sure that was the 934 variety of Infusion

Edited by Colossae3.23

Summary: Almost all Android phones have a code used for changing the SIM card PIN. Call this several times with an invalid PUK code and it will lock the SIM permanently. The multiple calls can all be embedded on the one web page.

Personally I've discovered I really like Dialer One. I changed settings for colour scheme and screen layouts and I think it is much better than the stock dialler. Really like the old school (T9) way of entering a name from your contact list by just entering the first few letters on the NUMERIC keypad. Much faster for me anyway. Set as my default for now.
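
The thread's concern (a web page handing a USSD code to the dialer, possibly several on one page) can be checked for on the page side; this is an added example, not part of the original thread or of any app mentioned in it. It assumes the page passes the code through `tel:` links, which the thread does not spell out, and the function names and sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

SEPARATORS = re.compile(r"[\s\-.()]")          # visual separators in tel: URIs
TEL_URI = re.compile(r"tel:([^\s\"'<>;]+)", re.IGNORECASE)

# Constructed sample page; the phone number and *123# are made-up values.
SAMPLE_PAGE = """
<a href="tel:+44-1632-960123">Call us</a>
<iframe src="tel:*%2306%23"></iframe>
<meta http-equiv="refresh" content="0;url=tel:*123%23">
"""


def classify_dial_string(raw):
    """Return (normalized, verdict) for the text after 'tel:'.

    plain   -> ordinary number, fine to pre-fill in the dialer
    mmi     -> contains * or #: a USSD/MMI code that must wait for a key press
    invalid -> not a diallable string
    """
    number = SEPARATORS.sub("", unquote(raw))   # %23 -> '#', %2A -> '*'
    if not re.fullmatch(r"\+?[0-9*#]+", number):
        return number, "invalid"
    return number, "mmi" if ("*" in number or "#" in number) else "plain"


class TelUriScanner(HTMLParser):
    """Collect tel: URIs from every attribute, not only <a href>."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            for match in TEL_URI.finditer(value or ""):
                number, verdict = classify_dial_string(match.group(1))
                # Only <a href> needs a tap; other attributes load by themselves.
                auto = not (tag == "a" and name == "href")
                self.findings.append((tag, number, verdict, auto))


def scan_page(html):
    scanner = TelUriScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def auto_triggered_codes(findings):
    """MMI codes the page would hand to the dialer without any tap."""
    return [number for _, number, verdict, auto in findings
            if verdict == "mmi" and auto]
```

A non-empty result from `auto_triggered_codes(scan_page(html))` means the page relies on the dialer to hold the code for confirmation, which is the behaviour the posters are comparing between dialers and firmware builds.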
