Thursday, November 15, 2012

Multiple vulnerabilities in the Smartphone Pentest Framework

Multiple vulnerabilities have been discovered in the Smartphone Pentest Framework.

The discovered vulnerabilities can be exploited by malicious people to gain total control of the pentester's system.

The company High-Tech Bridge Security published a notice describing multiple vulnerabilities in the Smartphone Pentest Framework (SPF), a product designed to find vulnerabilities in smartphones.

The Smartphone Pentest Framework was presented at this year's Black Hat, DEF CON and BSides conferences and received a DARPA Cyber Fast Track grant for its development as a promising project.

The vulnerabilities can be exploited by malicious people to conduct CSRF attacks to gain access to sensitive information, execute arbitrary SQL commands in the application's database, and execute arbitrary commands on the system. Insecure file permissions also allow local users to gain escalated privileges.


Analysis of the project's source code showed that the developers have not implemented any security mechanism to protect the application from attack. Filtering of input data is missing completely, which is the reason for such a large number of detected vulnerabilities. Together with the vulnerabilities, the researchers also published PoC code with examples of exploitation, which demonstrate how easy it is to take control of the affected system, either by interacting with the user (using a CSRF attack) or without any user interaction at all.

At the moment, the vulnerabilities have not been addressed by the manufacturer. Moreover, the manufacturer refused to support this product.

A detailed description of the vulnerabilities can be found at: http://malwarelist.wordpress.com/2012/11/15/vulnerabilities-in-smartphone/

