NEWS - April 23, 2012
by Carol~ - 4/23/12 8:55 AM
Researchers Find Bug in SMS App That Can Lead to iPhone Exploits
Researchers have identified a bug in an application that can enable attackers potentially to gain control of a victim's iPhone. The app in question, TreasonSMS, enables users to send SMS messages from a desktop Web browser by using their iPhones as Web servers.
The bug lies in the way that the TreasonSMS app handles certain scripts. According to an advisory from Vulnerability Lab, attackers in some cases can exploit the vulnerability in the iPhone app in order to gain complete control of an affected device.
"A HTML Inject & a File Include vulnerability is detected on TreasonSMS iPhone application. The vulnerability allows a remote attacker to include malicious persistent script codes on application-side of the iPhone. This possible way allows the attacker also to inject for example webshell scripts to get control of the affected application folder. When the iPhone is jailbroken the vulnerability exploitation can also result in full control of the affected iPhone. The Bug is located in the input fields of the Message Sending & Message Output. An attacker can scan the victim on walkthrough because the ip of the webserver makes the TreasonSMS available to anybody without password," the advisory says.
Continued: http://threatpost.com/en_us/blogs/researchers-find-bug-sms-app-can-lead-iphone-exploits-042312