J2ME security vulnerabilities
Hello all,
Since I received information from SUN Microsystems that they did not
plan to release
Sun Alert for the issues I found in their CLDC [1] reference
implementation, I would
like to announce the following.
I found two very serious security vulnerabilities in Java technology for
mobile
devices (Java 2 Micro Edition) that might be affecting about 250
millions [2] of
mobile phones coming from Nokia, Siemens, Panasonic, Samsung, Motorola
and others
[3]. Information about these flaws has been published at Hack In the Box
Security
Conference [4] earlier this month in Kuala Lumpur, Malaysia.
Both vulnerabilities are implementation flaws in bytecode verifier
component of
KVM (Java Virtual Machine for mobile devices) developed by SUN
Microsystems. Each
of the flaws can be used to completely break Java security (Java type
and memory
safety) on a mobile device and to obtain access to the phone data and
underlying
operating system's functionality.
I verified on my Nokia DCT4 phone that malicious code exploiting one of
the flaws
can steal data from the phone (i.e. phonebook, SMS messages), establish
communication
with the Internet, send arbitrary SMS messages, write permanent memory
of the phone
(FLASH), interfere with or intercept IPC communication occuring between
native Nokia
OS tasks, install resident code on the phone. Any of the aforementioned
actions can
be conducted without user knowledge and permission.
I would like to emphasize that although escaping the KVM sandbox and
breaking Java
type and memory safety is almost straightforward, conducting malicious
actions on
a given device is rather difficult as it usually requires deep knowledge
about the
internal operation of the underlying OS (I spent four months reverse
engineering
Nokia OS before I could do anything malicious from Java appplication on
my phone).
I plan to release a research paper with all the details about the flaws
including
device specific information and some additional material that didn’t fit
into my
HITB talk, in a couple of months (1Q 2005).
Best Regards
Adam Gowdiak
Security Team of
POZNAN SUPERCOMPUTING AND NETWORKING CENTER
http://www.man.poznan.pl
[1] http://java.sun.com/products/cldc/
[2] http://media.corporate-ir.net/media_files/NYS/NOK/Beijing/mestaranta.pdf
[3] http://jal.sun.com/webapps/device/device
[4] http://conference.hackinthebox.org