J2ME security vulnerabilities

To: full-disclosure@xxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: J2ME security vulnerabilities
From: Adam Gowdiak <zupa@xxxxxxxxxxxxx>
Date: Fri, 22 Oct 2004 14:01:10 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: hidden


Hello all,

Since I received information from SUN Microsystems that they did notplan to releaseSun Alert for the issues I found in their CLDC [1] referenceimplementation, I would

like to announce the following.

I found two very serious security vulnerabilities in Java technology formobiledevices (Java 2 Micro Edition) that might be affecting about 250millions [2] ofmobile phones coming from Nokia, Siemens, Panasonic, Samsung, Motorolaand others[3]. Information about these flaws has been published at Hack In the BoxSecurity

Conference [4] earlier this month in Kuala Lumpur, Malaysia.

Both vulnerabilities are implementation flaws in bytecode verifiercomponent ofKVM (Java Virtual Machine for mobile devices) developed by SUNMicrosystems. Eachof the flaws can be used to completely break Java security (Java typeand memorysafety) on a mobile device and to obtain access to the phone data andunderlying

operating system's functionality.

I verified on my Nokia DCT4 phone that malicious code exploiting one ofthe flawscan steal data from the phone (i.e. phonebook, SMS messages), establishcommunicationwith the Internet, send arbitrary SMS messages, write permanent memoryof the phone(FLASH), interfere with or intercept IPC communication occuring betweennative NokiaOS tasks, install resident code on the phone. Any of the aforementionedactions can

be conducted without user knowledge and permission.

I would like to emphasize that although escaping the KVM sandbox andbreaking Javatype and memory safety is almost straightforward, conducting maliciousactions ona given device is rather difficult as it usually requires deep knowledgeabout theinternal operation of the underlying OS (I spent four months reverseengineeringNokia OS before I could do anything malicious from Java appplication onmy phone).

I plan to release a research paper with all the details about the flawsincludingdevice specific information and some additional material that didn’t fitinto my

HITB talk, in a couple of months (1Q 2005).

Best Regards
Adam Gowdiak

Security Team of
POZNAN SUPERCOMPUTING AND NETWORKING CENTER
http://www.man.poznan.pl

[1] http://java.sun.com/products/cldc/
[2] http://media.corporate-ir.net/media_files/NYS/NOK/Beijing/mestaranta.pdf
[3] http://jal.sun.com/webapps/device/device
[4] http://conference.hackinthebox.org

Prev by Date: [Security Bulletin] SSRT4807 HP-UX stmkfont local unauthorized privileged access
Next by Date: MDKSA-2004:114 - Updated gpdf packages fix DoS vulnerability
Previous by thread: [Security Bulletin] SSRT4807 HP-UX stmkfont local unauthorized privileged access
Next by thread: MDKSA-2004:114 - Updated gpdf packages fix DoS vulnerability
Index(es):
- Date
- Thread