Tag Archives: exploit

Galaxy S III And Other TouchWIZ Phones Can Be Easily Hard Reset Via The Web Browser

Own a Samsung-made Android phone running TouchWIZ? A new exploit has been detected that triggers a factory data reset on Samsung’s TouchWIZ phones simply by opening a link in the built-in web browser, or by reading the code from an NFC tag or a QR code. There is absolutely no way to reverse the factory data reset once it has been initiated, whether or not the user intended it.

The exploit works on a number of Samsung Galaxy phones, including the popular Galaxy S III (the AT&T variant, but not the Verizon one), the Galaxy S II, the Galaxy S Advance and the Galaxy Ace. The exploit is based on a USSD code which, when dialed directly into the phone, also leads to a factory reset.

Below is a video of the exploit in action:

One Android developer and hacker, TeamAndIRC, has tweeted that Samsung has already patched the loophole in the international I9300 and the AT&T variant of the handset in a recent software update.

Hopefully, the company will fix the loophole in other handsets within a short time as well.

Update: According to TeamAndIRC, the issue is with the stock Android browser and is not related to the Samsung browser.
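The post above describes a USSD code that, when dialed, factory-resets the phone, and an update that points at the stock browser handing such codes to the dialer. The following is an added example, not code from Samsung, Android or the post: a dialer-side guard that classifies an incoming dial request so that anything containing MMI/USSD characters is held for explicit user confirmation instead of being dialed automatically. It assumes the browser passes the request as a `tel:` URI (an assumption; the post does not name the link format), and the sample codes in it are constructed, not real reset codes.

```javascript
// Added example, not Samsung's or Android's code. Assumption: the browser
// forwards a "tel:" URI to the dialer; this guard decides whether that URI
// may be dialed straight away or must first be confirmed by the user.

// '*' and '#' turn a dialed string into an MMI/USSD command (such as the
// factory-reset code in the post) rather than a plain phone number.
const MMI_CHARS = /[*#]/;

// Extract the dial string from a tel: URI. Percent-decoding matters: '#'
// has to be written as %23 inside a URI, so a check that only looks for a
// literal '#' before decoding would miss it.
function dialStringFromTelUri(uri) {
  const m = /^tel:([^;?]*)/i.exec(String(uri).trim());
  if (!m) return null;
  let s;
  try {
    s = decodeURIComponent(m[1]);
  } catch (e) {
    return null; // malformed percent-encoding, e.g. "tel:%"
  }
  // Drop visual separators only; never drop '*' or '#'.
  return s.replace(/[\s().-]/g, '');
}

// 'number'  -> may be handed to the dialer
// 'mmi'     -> MMI/USSD command: show a confirmation screen, never auto-dial
// 'invalid' -> not a tel: URI or not a dialable string: drop it
function classifyTelUri(uri) {
  const s = dialStringFromTelUri(uri);
  if (s === null || s.length === 0) return 'invalid';
  if (MMI_CHARS.test(s)) return 'mmi';
  return /^\+?\d+$/.test(s) ? 'number' : 'invalid';
}

// Constructed samples with their expected classification (not codes from the post).
const SAMPLES = {
  'tel:+1-555-0100': 'number',
  'tel:%2A%23123456%23': 'mmi',   // "*#123456#" fully percent-encoded
  'tel:*123%23': 'mmi',           // mixed literal and encoded
  'tel:': 'invalid',
  'tel:%': 'invalid',
  'http://example.invalid/': 'invalid',
};

// Returns true when every sample is classified as expected.
function checkAllSamples() {
  return Object.keys(SAMPLES).every((u) => classifyTelUri(u) === SAMPLES[u]);
}
```

Run `checkAllSamples()` to exercise the constructed cases; the important design point is that decoding happens before the `*`/`#` test, and that an MMI match is a "stop and ask" outcome rather than a reason to strip the characters and dial what remains.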

$1 Million Reward Offered by Google for Finding Exploits in Chrome

Google has offered a total of $1 million in rewards to hackers at the Pwn2Own hacker contest who find security exploits in its Chrome browser, the company’s security team announced. Now in its sixth year, the Pwn2Own contest has seen vulnerabilities exposed in fully patched and functional browsers such as Internet Explorer and Safari. However, no hacker group has yet taken aim at Chrome, not least because it is well protected behind a sandbox.


Google stated that the rewards, awarded on a first-come, first-served basis to anyone who can demonstrate the exploit, will be tiered, with $60,000 for a full-browser exploit, $40,000 for a partial exploit and $20,000 as a consolation reward:

$60,000 – “Full Chrome exploit”: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.
$40,000 – “Partial Chrome exploit”: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows sandbox bug.
$20,000 – “Consolation reward, Flash / Windows / other”: Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver. These exploits are not specific to Chrome and will be a threat to users of any web browser. Although not specifically Chrome’s issue, we’ve decided to offer consolation prizes because these findings still help us toward our mission of making the entire web safer.

The rewards will be given out until the $1 million mark is reached, and each winner will also receive a Chromebook (yay!). However, Google withdrew from sponsoring Pwn2Own this year after learning that contestants are not required to disclose the entire exploit.

Originally, our plan was to sponsor as part of this year’s Pwn2Own competition. Unfortunately, we decided to withdraw our sponsorship when we discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors.

iPhone 4S & iPad 2 Untethered iOS 5.0.1 Jailbreak Available

Jailbreakers rejoice, the long awaited and highly anticipated untethered jailbreak for iOS 5.0.1 on the iPhone 4S and iPad 2 is finally available.

It was only a few days ago that the first untethered iOS 5.0.1 jailbreak was shown off on video. It was functional, but declared to still be in testing. Fast forward just four days, and a public release is available for all to download. The Chronic Dev team have announced that they have packaged the exploits that allow execution of unsigned code (code-named Absinthe A5) into a working untethered jailbreak. Both the iPhone 4S (GSM and CDMA variants) and the iPad 2 (GSM, CDMA and Wi-Fi-only variants) are targeted and supported in this release.

It took a mass of crash reports, over 10 million, and almost 10 months of work for the team to find an entry point and exploit the new A5 chip. The exploit consists of a chain of both userland and kernel-level exploits dubbed ‘corona’. The name comes from a vulnerability in Apple’s IPSec IKE daemon, named ‘racoon’. Although the app released today for jailbreaking current iPhone 4S and iPad 2 devices is only available for Mac OS X users, there is a placeholder for Windows and Linux users. Their respective applications will likely be available soon and should be as simple as point-and-click.

In addition to the tools being released, the “iOS Hacking Dream Team” has been formed. It consists of members of the Chronic Dev team (posixninja, pod2g and nikias) and the iPhone-dev team (planetbeing). Both teams have donation pages to thank them for their work and provide funds for hardware upgrades so that future devices can be jailbroken.

Opera Browser Vulnerable to Memory Corruption Exploit

In the raging browser wars, features, security and stability are paramount to competing. Opera might want to get a serious handle on things with the next release they push.

There is a memory corruption bug that has been present in Opera 10, 11 and the pre-release of 12 on Windows XP SP3. The vulnerability exists within SVG (Scalable Vector Graphics) layout handling. By nesting SVG functions within XML calls, an attacker is able to crash Opera. While crashing a browser might not seem like a huge deal to some, couple it with code injection and you have an exploit that can lead to complete remote code execution, and then it’s game over.

The exploit, which was discovered over a year ago, was reported to Opera but never fixed. Jose Vasquez, the original author, has published full details of the vulnerability and has written and released a complete Metasploit module. Metasploit is a security framework for penetration testing that allows a large number of security professionals to collaborate on software and service vulnerabilities.

What might seem like a benign crash of your browser might turn out to be an attacker positioning themselves to take control of your computer and network. DEP, an active security feature provided by Microsoft specifically to prevent unwanted code execution, has been bypassed before, and Jose also indicates it may be possible to bypass it here.

In an interview, Opera’s co-founder, Jon Stephenson von Tetzchner, indicated that the number of Opera users grew from 50 million in 2009 to over 150 million in just one year. That is a lot of users who are potentially vulnerable to exploitation of this bug. When Opera 11.51 was released, major security and minor stability issues were the reason for the update. Considering that this bug has been present since 10.50, was disclosed to Opera over a year ago, and is still unfixed, many users may want to look at switching to the very popular Chrome or Firefox 7 until Opera fixes this issue.

iPhone Users Vulnerable To Address Book Snarfing Via Skype XSS

Skype users on iOS devices should be on the lookout for malicious users who intend to steal their address book.

A vulnerability affecting Skype 3.01 on iOS devices, including the iPod Touch and iPhone, gives an attacker the ability to secretly upload the entire contents of your address book. The hole is due to an unvalidated input field in the client: instead of the field’s contents being displayed to the user as text, they are executed. Coupling this XSS with sandbox permissions that do not allow fine-grained access control within apps gives an attacker a way to steal the contents of an unsuspecting user’s address book.

Skype has been criticised numerous times over identical vulnerabilities in its desktop software, which allowed remote code to be executed on a victim’s computer. The flaw is one that Skype has had reported numerous times and fixed numerous times, yet it has not completely audited the applications before release.

Phil has detailed the attack performed against an iPhone 4 running iOS 4.3.5 and has indicated that the vulnerability was reported to Skype over a month ago. Hopefully a fix is in the works, but more importantly, hopefully Skype will perform a full audit instead of simply bolting input sanitising onto the vulnerable text field.
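The post describes a field whose contents are executed rather than displayed, and closes by warning that sanitising the one vulnerable text field is not a fix. The following is an added example, not Skype’s code or anything from the post: it shows the vulnerable pattern (an untrusted display name spliced straight into HTML), a naive tag-stripping sanitiser of the kind the post warns against, and the hardened pattern of escaping at the point of output. The sample display name, `UNTRUSTED_NAME`, is constructed, and `leakAddressBook` is a placeholder function name, not anything taken from the real attack.

```javascript
// Added example, not Skype's code. A chat client that builds its message
// view from HTML must treat a contact's display name as text, never as markup.

// Constructed sample: a display name that carries markup. The event handler
// name is a placeholder, not part of any real payload.
const UNTRUSTED_NAME = '<img src=x onerror="leakAddressBook()">Bob';

// Vulnerable pattern described in the post: the string is concatenated into
// markup, so the rendering engine parses and runs it instead of showing it.
function renderNameUnsafe(name) {
  return `<div class="from">${name}</div>`;
}

// Naive input sanitiser of the kind the post argues against: it removes one
// known pattern (<script> tags) and lets every other active construct through.
function stripScriptTags(s) {
  return String(s).replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
}

// Hardened pattern: escape every HTML metacharacter at output time, so the
// very same bytes are shown to the user as literal text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderNameSafe(name) {
  return `<div class="from">${escapeHtml(name)}</div>`;
}

// Used only to make the difference visible: does the rendered fragment still
// contain a raw '<' inside the wrapper div, i.e. markup the parser will act on?
function containsRawMarkup(html) {
  const inner = html.slice('<div class="from">'.length, -'</div>'.length);
  return inner.includes('<');
}
```

When the client has a real DOM available, assigning the name via `textContent` (rather than `innerHTML`) achieves the same result as `escapeHtml` without hand-written escaping; the point either way is that the defence lives where the data is rendered, not in a filter on the one field that happened to be reported.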