Guest anantk Posted October 3, 2012 Hello, Watch out for the Android Dialer Vulnerability present in the Samsung Dialer. This is applicable to the ZTE Blade also. Check this article --> http://www.gizmodo.com.au/2012/09/touchwiz-security-bug-could-wipe-your-samsung-galaxy-phone/ Take care by installing a third-party Dialer App from the Google Play Store like "Go Contacts EX" or "Dialer One", otherwise your mobile will do a factory reset on clicking a malicious link and your phone data will be completely wiped out. I am running Swedish Snow ROM and found that my IDEA ZTE Blade (256MB RAM) is vulnerable. I have patched my mobile with the "Go Contacts EX" dialer. Now it is not vulnerable as per the test mentioned in the above said URL.
Guest Xevoius Posted October 4, 2012 In the current CyanogenMod nightly (30.09.2012), this is fixed. http://get.cm/get/jenkins/8984/cm-7-20120930-NIGHTLY-blade.zip
Guest anantk Posted October 4, 2012 In the current CyanogenMod nightly (30.09.2012), this is fixed. http://get.cm/get/je...GHTLY-blade.zip Can there be some patch to apply over Swedish Snow ROM for this issue, or does KonstaT need to include the above mentioned fix in the SS RLS7 ROM and release a new ROM? KonstaT --> Could you please let us know whether this Dialer vulnerability is present in the ZTE Smart Dialer or not? Otherwise we could apply your Add-on mentioned below to resolve this vulnerability: -SS-RLS7-ZTE-Dialer (ZTE Smartdialer, contacts and messaging - requires full wipe) http://www.mediafire.com/?s1c1kzy1sbnjy4o MD5:5F4125CC9ACE5688553E41A1ACD9912D Please let us know and thanks in advance.
Guest KonstaT Posted October 4, 2012 Swedish Snow with ZTE dialer is not vulnerable to the USSD exploit. And even if it was, it isn't my job to fix ZTE software. In that case most (if not all) ZTE stock firmware would be vulnerable and you should make ZTE aware of this and request an update. Here is a quick test that would open sensor calibration if USSD codes could be run via the browser. Save it to the root of your sdcard as ussd.html. Open the address file:///sdcard/ussd.html in the browser. It does open the dialer but the code is not executed. If you try to call it, it will complain about an invalid code. Dialing the code in the dialer will open calibration directly (you'll barely see the screen in the first screenshot).
<html>
<head><title>ZTE USSD Exploit Test</title></head>
<body>
<p>ZTE USSD Exploit Test</p>
<iframe width="4" height="4" src="tel:*%2326***%23"></iframe>
</body>
</html>
Guest anantk Posted October 4, 2012 (edited) Swedish Snow with ZTE dialer is not vulnerable to the USSD exploit. And even if it was, it isn't my job to fix ZTE software. In that case most (if not all) ZTE stock firmware would be vulnerable and you should make ZTE aware of this and request an update. Here is a quick test that would open sensor calibration if USSD codes could be run via the browser. Save it to the root of your sdcard as ussd.html. Open the address file:///sdcard/ussd.html in the browser. It does open the dialer but the code is not executed. If you try to call it, it will complain about an invalid code. Dialing the code in the dialer will open calibration directly (you'll barely see the screen in the first screenshot). <html> <head><title>ZTE USSD Exploit Test</title> </head> <body> <p>ZTE USSD Exploit Test</p> <iframe width="4" height="4" src="tel:*%2326***%23"></iframe> </body> </html> Thanks KonstaT for the prompt response, and glad to know that the ZTE dialer is not vulnerable to USSD codes. Now, to install SS-RLS7-ZTE-Dialer from the link you have provided, it is mentioned that it requires a "Full Wipe". Does this mean I need to follow the below steps in CWM, which means I will lose all data from the phone's internal memory? 1. Select 'Wipe data/factory reset' > 'Yes – delete all user data'. 2. Select the option 'Wipe Cache Partition' > 'Yes – Wipe cache'. 3. Go to 'Advanced' and select 'Wipe Dalvik Cache' > 'Yes – Wipe Dalvik Cache'. Or will just applying the SS-RLS7-ZTE-Dialer Add-On zip file from CWM do the job, without doing any wipe? The other thing is, I have taken a ZTE dialer backup with Titanium Backup from the Stock ROM, before flashing the SS-RLS7 ROM. So will just restoring the ZTE Dialer app from Titanium Backup work, or must I apply the SS-RLS7-ZTE-Dialer Add-On patch provided by you? Please let me know and thanks in advance. Edited October 4, 2012 by anantk
Guest kyan31 Posted October 4, 2012 (edited) Just get avast. It has USSD protection and root features. Edited October 4, 2012 by kyan31
Guest anantk Posted October 5, 2012 (edited) Just get avast. It has USSD protection and root features. Antivirus S/W like Avast may be good, but it will eat up memory and slow down the mobile. Mine is the 256 MB physical RAM ZTE Blade model. I am not able to restore the ZTE Dialer backup taken from the Stock ROM by Titanium Backup, probably because it is a system application. Titanium Backup stays on the "Restoring app" text forever during restore. If I am able to install the ZTE Dialer from KonstaT's Add-on zip without losing data, it will be great. Otherwise I will have to back up the phone data, then wipe out the phone and install the ZTE Dialer Add-On to fix the current Dialer vulnerability. Hoping to see KonstaT's view on this soon. Edited October 5, 2012 by anantk
Guest KonstaT Posted October 5, 2012 @anantk You lost me a long time ago. I have no idea what the problem is and where. :P Let's recap: SS7 with default (CM7) dialer: doesn't have access to ZTE USSD codes, not vulnerable. SS7 with ZTE dialer add-on: has access to USSD codes, doesn't execute, not vulnerable.
Guest anantk Posted October 5, 2012 (edited) @anantk You lost me a long time ago. I have no idea what the problem is and where. Let's recap: SS7 with default (CM7) dialer: doesn't have access to ZTE USSD codes, not vulnerable. SS7 with ZTE dialer add-on: has access to USSD codes, doesn't execute, not vulnerable. @KonstaT Swedish Snow RLS7 + SS-RLS7-Stock-Kernel-Gen2.zip (stock kernel) with the default dialer is vulnerable as per the test link http://www.isk.kth.s...o/testussd.html. If we click on this test link from a ZTE Blade having SS7 with the default Dialer, we see the IMEI code pop up. Edited October 5, 2012 by anantk
Guest KonstaT Posted October 5, 2012 This is flawed in so many ways, starting from the thread title to the test you're referring to. There is a certain difference between might be vulnerable and is vulnerable. I guess whoever designed that test forgot to mention that. ;) It will give a (false) positive on most devices and on all devices running AOSP/CyanogenMod builds besides Jelly Bean (or recent CM builds from this week). IMEI display is coded into the AOSP contacts app, but there are no other USSD codes present. This vulnerability is only dangerous with USSD codes that a device manufacturer has added for their own engineering purposes. There is a list of ZTE dialer codes here. You simply can't run ZTE specific USSD codes (that could possibly harm your device) using the AOSP/CM7 dialer. This is only possible with the ZTE dialer. There is a test a couple of posts up that is targeted at the ZTE Blade. If it opens sensor calibration, your device would be vulnerable - otherwise not. Feel free to test it with whatever dialer you please.
Guest anantk Posted October 5, 2012 (edited) This is flawed in so many ways, starting from the thread title to the test you're referring to. There is a certain difference between might be vulnerable and is vulnerable. I guess whoever designed that test forgot to mention that. It will give a (false) positive on most devices and on all devices running AOSP/CyanogenMod builds besides Jelly Bean (or recent CM builds from this week). IMEI display is coded into the AOSP contacts app, but there are no other USSD codes present. This vulnerability is only dangerous with USSD codes that a device manufacturer has added for their own engineering purposes. There is a list of ZTE dialer codes here. You simply can't run ZTE specific USSD codes (that could possibly harm your device) using the AOSP/CM7 dialer. This is only possible with the ZTE dialer. There is a test a couple of posts up that is targeted at the ZTE Blade. If it opens sensor calibration, your device would be vulnerable - otherwise not. Feel free to test it with whatever dialer you please. Thanks a lot KonstaT. I got exactly the same results for your test html as you mentioned. It opens the default SS7 dialer, but when I try to dial, it says "connection problem or invalid MMI code". So we can safely assume that the Dialer bundled with SS7 is not vulnerable, as you mentioned. Now with the "Go Contacts Ex" App, I got only *26*** instead of *#26***#, which is safer I guess, as the # characters are missing in the dialer. Sorry to bother you, but in case I want to install SS-RLS7-ZTE-Dialer from the link you have provided (as it has added functionality over the default Dialer), it is mentioned that it requires a "Full Wipe". Does this mean I need to follow the below steps in CWM, which means I will lose all data from the phone's internal memory? 1. Select 'Wipe data/factory reset' > 'Yes – delete all user data'. 2. Select the option 'Wipe Cache Partition' > 'Yes – Wipe cache'. 3. Go to 'Advanced' and select 'Wipe Dalvik Cache' > 'Yes – Wipe Dalvik Cache'.
Or will just applying the SS-RLS7-ZTE-Dialer Add-On zip file from CWM do the job, without doing any wipe? Please let me know. Really appreciate your work, and thanks in advance. Edited October 5, 2012 by anantk
Guest t0mm13b Posted October 5, 2012 Check this linky to the gist page, in which the patch is integrated into t0mm13bROM. Also, it will prompt and warn you if a webpage has an iframe that contains a 'tel:' followed by an unknown number which could be a premium number, and it's buh-bye to your pay-as-you-go credit or contract billing... (if you do not recognize it, it will still alert you to it)
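The kind of check t0mm13b describes, written out as an added example that is not the ROM's own code: it scans a page for tel: targets in iframe and anchor elements, percent-decodes them, and flags any that carry MMI/USSD characters so the user can be prompted before anything is dialed. The sample page is constructed from KonstaT's ussd.html test posted earlier in the thread, with a plain phone link added for contrast; the names SAMPLE_HTML, TelLinkFinder, classify_tel, scan_html and warnings_for are my own.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample page, based on the ussd.html test posted earlier in
# this thread, plus a plain phone link for contrast.
SAMPLE_HTML = """<html><head><title>ZTE USSD Exploit Test</title></head>
<body><p>ZTE USSD Exploit Test</p>
<iframe width="4" height="4" src="tel:*%2326***%23"></iframe>
<a href="tel:+4612345678">call support</a>
</body></html>"""


class TelLinkFinder(HTMLParser):
    """Collect every tel: target found in a src= or href= attribute."""

    def __init__(self):
        super().__init__()
        self.targets = []  # list of (tag, decoded dial string)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value and value.lower().startswith("tel:"):
                # Percent-decode first: %23 is '#', %2A is '*'.
                self.targets.append((tag, unquote(value[4:])))


def classify_tel(number):
    """'mmi' when the dial string contains * or #, otherwise 'dial'."""
    return "mmi" if any(ch in number for ch in "*#") else "dial"


def scan_html(html):
    """Return (tag, number, kind) for every tel: target in the page."""
    finder = TelLinkFinder()
    finder.feed(html)
    return [(tag, num, classify_tel(num)) for tag, num in finder.targets]


def warnings_for(html):
    """One warning per target that should not be dialed without a prompt."""
    return [f"<{tag}> wants to dial MMI code {num!r}: ask the user first"
            for tag, num, kind in scan_html(html) if kind == "mmi"]


if __name__ == "__main__":
    for line in warnings_for(SAMPLE_HTML):
        print(line)
```

On the sample page the iframe decodes to *#26***# and is flagged, while the ordinary +46 number passes as a plain dial string.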
Guest anantk Posted October 7, 2012 (edited) Check this linky to the gist page, in which the patch is integrated into t0mm13bROM. Also, it will prompt and warn you if a webpage has an iframe that contains a 'tel:' followed by an unknown number which could be a premium number, and it's buh-bye to your pay-as-you-go credit or contract billing... (if you do not recognize it, it will still alert you to it) I have applied the SS-RLS7-ZTE-Dialer Add-On zip file on SS-RLS7 after a full wipe. If we run the ussd test html provided by KonstaT, even this ZTE dialer blocks USSD calls, as it first stops at the dialer with *#26***# and then you need to press "call" to dial, which gives the message "connection problem or invalid MMI code." But if you directly enter *#26***# in the dialer without opening any html, then it straightaway displays the sensor calibration screen. Does this mean the ZTE dialer is vulnerable? Edited October 7, 2012 by anantk
Guest Snap.IT Posted October 8, 2012 I have applied the SS-RLS7-ZTE-Dialer Add-On zip file on SS-RLS7 after a full wipe. If we run the ussd test html provided by KonstaT, even this ZTE dialer blocks USSD calls, as it first stops at the dialer with *#26***# and then you need to press "call" to dial, which gives the message "connection problem or invalid MMI code." But if you directly enter *#26***# in the dialer without opening any html, then it straightaway displays the sensor calibration screen. Does this mean the ZTE dialer is vulnerable? Yes, if someone steals your phone, manually enters the code to wipe data and then returns the phone to you, you're screwed.
Guest anantk Posted October 9, 2012 (edited) Yes, if someone steals your phone, manually enters the code to wipe data and then returns the phone to you, you're screwed. What I mean to ask is whether the ZTE Dialer is vulnerable by clicking any web page. Is there a way that code in any web page URL will automatically execute the ZTE Blade codes, without waiting for the Dialer to pop up and ask for the call button to be pressed, when the URL contains tel: followed by a ZTE code? Technically speaking, what is the difference between someone clicking a URL containing tel: followed by ZTE codes and directly entering the ZTE codes through the Dialer? Why does clicking a URL containing tel: followed by a ZTE secret code wait at the Dialer prompt and not execute the code directly? Edited October 9, 2012 by anantk
Guest Snap.IT Posted October 9, 2012 What I mean to ask is whether the ZTE Dialer is vulnerable by clicking any web page. Is there a way that code in any web page URL will automatically execute the ZTE Blade codes, without waiting for the Dialer to pop up and ask for the call button to be pressed, when the URL contains tel: followed by a ZTE code? Technically speaking, what is the difference between someone clicking a URL containing tel: followed by ZTE codes and directly entering the ZTE codes through the Dialer? Why does clicking a URL containing tel: followed by a ZTE secret code wait at the Dialer prompt and not execute the code directly? Heh, OK, technically speaking it's like someone not having a key to your door versus someone not only having a key to your door but already being inside your house. What you can manually do on any computer (and your phone is a computer) and what you can remotely do on it is quite different. You tried the script and it didn't make your phone do anything, now you are saying that if you try it ON YOUR PHONE then it will execute your code... now think real hard about this... what does that mean? Does it mean: 1. The Koreans are taking over the world and Samsung is the name for an old school footie player. or 2. If the person wanting to harm you has physical access, entering a code would be the least of your problems. Answer swiftly and you have the chance to win a free Samsung Galaxy 1 or a fender from an old Volvo. I don't know if I should continue this or just tell you that you're being daft. Physical access is one thing you CANNOT get around; ALL phones are ALWAYS vulnerable if someone has physical access, not just from entering codes, they could just step on them. Just don't ever use Lewa ROM and you'll be fine; all the latest ROMs on this site do NOT have this exploit, and that goes for the dialer you mentioned too.
Guest anantk Posted October 10, 2012 Heh, OK, technically speaking it's like someone not having a key to your door versus someone not only having a key to your door but already being inside your house. What you can manually do on any computer (and your phone is a computer) and what you can remotely do on it is quite different. You tried the script and it didn't make your phone do anything, now you are saying that if you try it ON YOUR PHONE then it will execute your code... now think real hard about this... what does that mean? Does it mean: 1. The Koreans are taking over the world and Samsung is the name for an old school footie player. or 2. If the person wanting to harm you has physical access, entering a code would be the least of your problems. Answer swiftly and you have the chance to win a free Samsung Galaxy 1 or a fender from an old Volvo. I don't know if I should continue this or just tell you that you're being daft. Physical access is one thing you CANNOT get around; ALL phones are ALWAYS vulnerable if someone has physical access, not just from entering codes, they could just step on them. Just don't ever use Lewa ROM and you'll be fine; all the latest ROMs on this site do NOT have this exploit, and that goes for the dialer you mentioned too. Hi Snap.IT, Sorry to say, but I did not get answers to my below questions: Is there a way that code in any web page URL will automatically execute the ZTE Blade codes, without waiting for the Dialer to pop up and ask for the call button to be pressed, when the URL contains tel: followed by a ZTE code? Technically speaking, what is the difference between someone clicking a URL containing tel: followed by ZTE codes and directly entering the ZTE codes through the Dialer? Why does clicking a URL containing tel: followed by a ZTE secret code wait at the Dialer prompt and not execute the code directly?