[29167] in bugtraq


Re: Siemens *35 and 45 series phones SMS Denial of Service

daemon@ATHENA.MIT.EDU (Robert Waldner)
Tue Mar 4 15:22:01 2003

Message-Id: <200303040853.h248rmgX002920@beren.intern.coretec.at>
To: bugtraq@securityfocus.com
In-reply-to: Your message of "Mon, 03 Mar 2003 23:46:09 +0100."
             <20030303224609.GA5114@gondor.com> 
From: Robert Waldner <rw@coretec.at>
Date: Tue, 04 Mar 2003 09:53:33 +0100

On Mon, 03 Mar 2003 23:46:09 +0100, Jan Niehusmann writes:
>On Mon, Mar 03, 2003 at 01:06:43AM -0000, subj subj wrote:
>>  To vulnerability are subject: All versions siemens *35 and *45.
>[...]
>>  languages from the phone language selection menu, will
>>  completely disable *35 series phones and result
>>  in a 2 minute read delay on *45 series phones. Note that

>Please note that this vulnerability isn't as serious as you describe it.
>At least on my S45, I am able to interrupt this 2 minute delay at any
>time by pressing the 'hang up' key (but I have to press it for about half a
>second instead of just hitting it), the message can be read by using
>'edit message' instead of 'read message', and it can be deleted without
>problems.
>
>So while this obviously is a bug, it can hardly be called a DoS.

However, my S35i is _completely_ disabled, just as the original poster
 described, no luck with just pressing the "hang up"-key, one has to
 yank the battery out. Also, there is no "Edit Message" available until
 after one reads a message, and thus disables the phone.

Please also note that if you append something to the "%String", the bug
 no longer hits (for my S35i, that is). Most web->sms - gateways append
 some signature to SMSs, and thus, by sheer luck, can't be used to exploit
 this.

cheers,
&rw
-- 
/ Ing. Robert Waldner | Security Engineer |  CoreTec IT-Security  \
\   <rw@coretec.at>   | T +43 1 503 72 73 | F +43 1 503 72 73 x99 /



