Jolla Phone tel URI Spoofing

From: NSO Research <nso-research@sotiriu.de>
To: fulldisclosure@seclists.org,bugtraq@securityfocus.com
Cc: cve-assign@mitre.org
Subject: Jolla Phone tel URI Spoofing
Date:



______________________________________________________________________
-------------------------- NSOADV-2015-001 ---------------------------

                     Jolla Phone tel URI Spoofing
______________________________________________________________________
______________________________________________________________________

                               111101111
                        11111 00110 00110001111
                   111111 01 01 1 11111011111111
                11111  0 11 01 0 11 1 1  111011001
             11111111101 1 11 0110111  1    1111101111
           1001  0 1 10 11 0 10 11 1111111  1 111 111001
         111111111 0 10 1111 0 11 11 111111111 1 1101 10
        00111 0 0 11 00 0 1110 1 1011111111111 1111111 11  100
       10111111 0 01 0  1 1 111110 11 1111111111111  11110000011
       0111111110 0110 1110 1 0 11101111111111111011 11100  00
       01111 0 10 1110 1 011111 1 111111111111111111111101 01
       01110 0 10 111110 110 0 11101111111111111111101111101
      111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111
      111110110 10 0111110 1 0 0 1111111111111111111111111 110
    111 11111 1  1 111 1   10011 101111111111011111111 0   1100
   111 10  110 101011110010   11111111111111111111111 11 0011100
   11 10     001100     0001      111111111111111111 10 11 11110
  11110       00100      00001     10 1  1111  101010001 11111111
  11101        0  1011     10000    00100 11100        00001101 0
  0110         111011011             0110   10001        101 11110
  1011                 1             10 101   000001        01   00
   1010 1                              11001      1 1        101  10
      110101011                          0 101                 11110
            110000011
                      111
______________________________________________________________________
______________________________________________________________________

  Title:                  Jolla Phone tel URI Spoofing
  Severity:               Low
  Advisory ID:            NSOADV-2015-001
  Date Reported:          2015-01-29
  Release Date:           2015-03-13
  Author:                 Nikolas Sotiriu
  Website:                http://sotiriu.de
  Twitter:                http://twitter.com/nsoresearch
  Mail:                   nso-research at sotiriu.de
  URL:                    http://sotiriu.de/adv/NSOADV-2015-001.txt
  Vendor:                 Jolla (https://www.jolla.com/)
  Affected Products:      Jolla Phone
  Affected Versions:      <= Sailfish OS 1.1.1.27 (Vaarainjärvi)
  Remote Exploitable:     Yes
  Patch Status:           Vendor released a patch (See Solution)
  Discovered by:          Nikolas Sotiriu



Description:
============

The Sailfish OS of the Jolla Phone contains a vulnerability that allows
to spoof the phone number, passed by a tel URI through an A HREF of a
website with some spaces (HTML &#32;).

This could be used to trick a victim to dial a premium-rate telephone
number, for example.



Proof of Concept:
=================

<a href="tel:0000000000[25xSpaces]Spoofed Text[38Spaces]aaaaa">Call</a>

Test Site http://sotiriu.de/demos/callspoof.html



Solution:
=========

Install Version 1.1.2.16 (Yliaavanlampi)

https://together.jolla.com/question/82037/release-notes-upgrade-112-
yliaavanlampi-early-access/



Disclosure Timeline:
====================

2015-01-28: Asked for a PGP Key (security@jolla.com)
2015-01-29: Got the PGP Key
2015-01-29: Sent vulnerability information to vendor
2015-01-29: Feedback that the vendor is looking into the problem
2015-01-30: Got detailed information about the patch process and
            timeline
2015-02-19: Got an E-Mail that the patched version is released
2015-03-13: Release of this advisory









Copyright © 1995-2018 LinuxRocket.net. All rights reserved.