Jolla Phone URI Spoofing

2015-03-13T00:00:00
ID PACKETSTORM:130822
Type packetstorm
Reporter Nikolas Sotiriu
Modified 2015-03-13T00:00:00

Description

                                        
                                            `  
______________________________________________________________________  
-------------------------- NSOADV-2015-001 ---------------------------  
  
Jolla Phone tel URI Spoofing  
______________________________________________________________________  
______________________________________________________________________  
  
111101111  
11111 00110 00110001111  
111111 01 01 1 11111011111111  
11111 0 11 01 0 11 1 1 111011001  
11111111101 1 11 0110111 1 1111101111  
1001 0 1 10 11 0 10 11 1111111 1 111 111001  
111111111 0 10 1111 0 11 11 111111111 1 1101 10  
00111 0 0 11 00 0 1110 1 1011111111111 1111111 11 100  
10111111 0 01 0 1 1 111110 11 1111111111111 11110000011  
0111111110 0110 1110 1 0 11101111111111111011 11100 00  
01111 0 10 1110 1 011111 1 111111111111111111111101 01  
01110 0 10 111110 110 0 11101111111111111111101111101  
111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111  
111110110 10 0111110 1 0 0 1111111111111111111111111 110  
111 11111 1 1 111 1 10011 101111111111011111111 0 1100  
111 10 110 101011110010 11111111111111111111111 11 0011100  
11 10 001100 0001 111111111111111111 10 11 11110  
11110 00100 00001 10 1 1111 101010001 11111111  
11101 0 1011 10000 00100 11100 00001101 0  
0110 111011011 0110 10001 101 11110  
1011 1 10 101 000001 01 00  
1010 1 11001 1 1 101 10  
110101011 0 101 11110  
110000011  
111  
______________________________________________________________________  
______________________________________________________________________  
  
Title: Jolla Phone tel URI Spoofing  
Severity: Low  
Advisory ID: NSOADV-2015-001  
Date Reported: 2015-01-29  
Release Date: 2015-03-13  
Author: Nikolas Sotiriu  
Website: http://sotiriu.de  
Twitter: http://twitter.com/nsoresearch  
Mail: nso-research at sotiriu.de  
URL: http://sotiriu.de/adv/NSOADV-2015-001.txt  
Vendor: Jolla (https://www.jolla.com/)  
Affected Products: Jolla Phone  
Affected Versions: <= Sailfish OS 1.1.1.27 (Vaarainjärvi)  
Remote Exploitable: Yes  
Patch Status: Vendor released a patch (See Solution)  
Discovered by: Nikolas Sotiriu  
  
  
  
Description:  
============  
  
The Sailfish OS of the Jolla Phone contains a vulnerability that allows  
to spoof the phone number, passed by a tel URI through an A HREF of a  
website with some spaces (HTML ).  
  
This could be used to trick a victim to dial a premium-rate telephone  
number, for example.  
  
  
  
Proof of Concept:  
=================  
  
<a href="tel:0000000000[25xSpaces]Spoofed Text[38Spaces]aaaaa">Call</a>  
  
Test Site http://sotiriu.de/demos/callspoof.html  
  
  
  
Solution:  
=========  
  
Install Version 1.1.2.16 (Yliaavanlampi)  
  
https://together.jolla.com/question/82037/release-notes-upgrade-112-  
yliaavanlampi-early-access/  
  
  
  
Disclosure Timeline:  
====================  
  
2015-01-28: Asked for a PGP Key (security@jolla.com)  
2015-01-29: Got the PGP Key  
2015-01-29: Sent vulnerability information to vendor  
2015-01-29: Feedback that the vendor is looking into the problem  
2015-01-30: Got detailed information about the patch process and  
timeline  
2015-02-19: Got an E-Mail that the patched version is released  
2015-03-13: Release of this advisory  
  
  
  
  
`