How a Single SMS with WAP Crap can Break your Samsung Galaxy phone

Security researchers from Contextis disclosed a bug in Samsung Galaxy phones that can be triggered remotely with SMS, which when combined give chances to ransomware peddlers.

Samsung Mobile Security Team rushed to settle the issues, giving a good example of how coordinated disclosure should happen.

OMA CP protocol

WAP Push can be used to transport information for a large number of utilization. The application that got by researchers was the Open Mobile Alliance Client Provisioning (OMA CP) protocol that permits remote gadget provisioning and configuration.

Now let’s see if it works in practice. On Samsung Galaxy gadgets, including the S7 which was the freshest gadget then, OMA CP messages are dealt with by the “omacp” application.

Researchers used their SMS test rig to check some custom OMA CP SMS messages and send them to the gadgets.

As it turns out, our rig was able to send these messages to these devices and they were received and rightly processed, despite no authentication details being present in the message and completely ignores the security field of the message.

Analysis

Then omacp app was analyzed to recognize any code streams where configurations are acknowledged without client cooperation. There were a few pieces of information this might be conceivable, for example, a check for “xcpSetBgInstall” which insights towards a conceivable background install.

A capacity called xcpInstallWifiSetting additionally appeared to dependably be called if there were settings inside the configuration message.

OTA

In order to trigger the bug over the air, they use to go back to the omacp app and work out the message format. The app makes use of a native C library “libomacp“, which handles the parsing of configuration messages – it’s finally time to crack open IDA and do some proper reversing.

After a bit of IDA Pro magic, they identified how to build a WBXML encoded WAP-Push message to set some Wi-Fi settings. In the process, we also found a WBXML parsing bug that is registered as CVE-2016-7990.

BUG IDS

They also found a remote code execution on vulnerability on Samsung devices on the S5 and below, detailed in the following CVEs:

• CVE-2016-7988 – No Permissions on SET_WIFI Broadcast receiver
• CVE-2016-7989 – Unhandled ArrayIndexOutOfBounds exception in Android Runtime
• CVE-2016-7990 – Integer overflow in libomacp.so
• CVE-2016-7991 – omacp app ignores security fields in OMA CP message

Exposure

The scientists watched that vulnerable earlier version of the phone are shockingly prevalent around the globe.

As indicated by Context IS, it would not be that difficult to transform the assault into a potential ransomware situation, with attackers requesting that a Bitcoin installment is made before a settle is sent (once more, by means of a malevolently made SMS message):

Available Fixes

Given the reversible nature of this attack (a second SMS could be sent that restored the device to its unbroken state), it does not require much imagination to construct a potential ransomware scenario for these bugs.

Samsung has now released a security update that addresses these among other vulnerabilities and as is our usual advice, it is recommended that users prioritize the installation of these updates.

They got out disclosure of how the bugs apply to various phones as a practice for various developers.

Likewise Also Read; Within five attempts Android device’s Pattern Lock can be cracked

Disclosure

• 17^th June 2016 – Issues disclosed to vendor.
• 21^st June 2016 – Received acknowledgment from vendor.
• 28^th June 2016 – Received request for further details on one of the bugs.
• 14^th July 2016 – Received notification that all but one bug had been fixed.
• 23^rd August 2016 – Received notification from vendor that all issues are fixed and that patch would be released in October.
• 7^th October 2016 – Received notification from vendor that patch is delayed until Nov 7^th.
• 7th November 2016 – Patches released.