Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
SecuriTeam™  Beyond Security®  SecuriTeam™ Home  Ask the Team  Mailing Lists  Advertising Info  Blogs SecuriTeam™ in Your Inbox   E-mail this CVE-2009-2999 to a friend New vulnerability? New tool? Tell us	CVE-2009-2999 Android Malformed SMS and Dalvik API DoS Vulnerabilities     Credit: The information has been provided by Collin Mulliner and Andrea Barisani. The original article can be found at: http://www.ocert.org/advisories/ocert-2009-014.html Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    CVE-2009-2999 Details Check for CVE-2009-2999 Vulnerability Assessment and Management. Automated Pen Testing for 50 to 50,000 nodes beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * Android version 1.5 CRBxx  * Android version 1.5 and prior Immune Systems:  * Android version 1.5 CBDxx, CRCxx and COCxx  * Android Donut DRC79 Two separate DoS issues have been independently reported to oCERT. The most recent report concerns Android handling of SMS messages: a specific malformed SMS message can be crafted to trigger a condition that disconnects the mobile phone from the cellular network. The malformed SMS message consists of a badly formatted WAP Push message which causes an Java ArrayIndexOutOfBoundsException in the phone application (android.com.phone). The phone application silently restarts without user awareness, this leads to a temporary loss of connectivity (as well as dropping of current calls, if any) which can be prolonged in case the phone SIM is protected by PIN, due to required PIN re-entry and the need for user attention. Triggering this bug (repeatedly in case no PIN is present) is considered a remote DoS condition. The second report addresses a number of issues discovered in the Android's Dalvik API, one of them has been classified by the Android team as a DoS vulnerability which leads to restarting the system process. A specific malicious application can be crafted so that if it is downloaded and executed by the user, it would trigger the vulnerable API function and restart the system process. The same condition could occur if a developer unintentionally places the vulnerable function in a place where the execution path leads to that function call. Triggering this bug is considered a DoS condition. All the reported issues have been patched. CVE Information: CVE-2009-2999 Disclosure Timeline: Malformed SMS DoS: 2009-06-19: reporters send report to Android Security team 2009-08-27: assigned CVE 2009-10-05: advisory release Dalvik API DoS: 2009-04-24: vulnerability report received 2009-04-24: contacted Android Security team 2009-10-01: Donut released to users 2009-10-05: advisory release  Comments on CVE-2009-2999:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Copyright © 1998-2010 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®