Tuesday, October 25, 2011

Mobile phones vulnerable to OBEX FTP Service Directory Traversal in Japan

HTC mobile phones running the following versions of Windows Mobile and Android are affected by the HTC / Windows Mobile OBEX FTP Service Directory Traversal Vulnerability (Bugtraq ID 33359) and the HTC / Android OBEX FTP Service Directory Traversal Vulnerability (Bugtraq ID 48821), respectively.

Platform                | Windows Mobile                  | Android
------------------------|---------------------------------|------------
Vulnerable              | Windows Mobile 6 Professional   | Android 2.1
                        | Windows Mobile 6 Standard       | Android 2.2
                        | Windows Mobile 6.1 Professional |
                        | Windows Mobile 6.1 Standard     |
Fixed (upon disclosure) | Windows Mobile 6.5              | Android 2.3

After carrying out several tests on mobile phones sold in Japan by different operators, I can state that the following handsets are vulnerable, up to September 2011.

Platform       | Product name      | Operator name    | Status
---------------|-------------------|------------------|-------------
Windows Mobile | HTC TOUCH™ DUAL   | DoCoMo HT1100    | Discontinued
Windows Mobile | HTC TOUCH™ DIAMOND| DoCoMo HT-02A    | Discontinued
Windows Mobile | HTC TOUCH™ PRO    | DoCoMo HT-01A    | Discontinued
Windows Mobile | HTC TyTN II™      | EMobile S11HT    | On sale
Windows Mobile | HTC TOUCH™ DUAL   | EMobile S12HT    | On sale
Windows Mobile | HTC S740          | EMobile S22HT    | On sale
Android        | HTC ARIA          | EMobile S31HT    | On sale
Android        | HTC DESIRE        | Softbank X06HT   | On sale
Android        | HTC DESIRE        | Softbank X06HTII | On sale
Android        | HTC DESIRE HD     | Softbank 001HT   | On sale
Android        | HTC EVO WiMAX     | Au KDDI ISW11HT  | On sale

Regarding the security hotfix for Windows Mobile, HTC discontinued the support downloads for Windows Mobile 6 and Windows Mobile 6.1 handsets some time ago. Unfortunately, the operator EMobile did not install the hotfix when it was available and, as far as I could test, products on sale are vulnerable. Users have no way to protect their handsets against the vulnerability.

Regarding the security hotfix for Android, HTC has not announced any security update related to the vulnerability for the affected versions, Android 2.1 and Android 2.2. The advisory was, however, reported to the company in 2011/02 (then disclosed in 2011/07) and the security flaw was fixed for Android 2.3. Users of HTC / Android products should update to Android 2.3 to protect their handsets.
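As an added example (not code from this advisory or from HTC), the snippet below illustrates the vulnerability class at issue, directory traversal in an OBEX FTP server's SETPATH / Name handling: a naive resolver that lets a client-supplied name climb out of the shared folder, beside a validating resolver that keeps the virtual working directory inside the root. The sandbox root `/sdcard` and all function names are assumptions.

```python
import posixpath

ROOT = "/sdcard"  # assumed sandbox root; the handsets' real shared folder is not given on the page


def naive_resolve(root, cwd, name):
    """Flawed: joins the client-supplied name and normalizes afterwards, so
    '..' components are honoured and the result can land outside root."""
    return posixpath.normpath(posixpath.join(root, cwd.lstrip("/"), name))


def validate_component(name):
    """An OBEX Name header for SETPATH/GET/PUT must be one plain folder or file name:
    no separators (Windows Mobile uses '\\', Android '/'), no NUL, no '.'/'..'."""
    if not name or name in (".", ".."):
        raise ValueError("empty or relative component: %r" % name)
    if any(ch in name for ch in "/\\\x00"):
        raise ValueError("separator or NUL in component: %r" % name)
    return name


def setpath(cwd, name, backup=False):
    """Apply an OBEX SETPATH to the virtual working directory (rooted at '/').
    backup=True is the 'go up one level' flag; an empty name without it means 'go to root'."""
    if backup:
        if cwd == "/":
            raise ValueError("cannot back up past the sandbox root")
        return posixpath.dirname(cwd.rstrip("/")) or "/"
    if name == "":
        return "/"
    return posixpath.join(cwd, validate_component(name))


def host_path(root, cwd, name=None):
    """Map a virtual location (plus optional GET/PUT name) to a host path and
    confirm, after normalization, that it still lies inside root."""
    parts = [root, cwd.lstrip("/")]
    if name is not None:
        parts.append(validate_component(name))
    resolved = posixpath.normpath(posixpath.join(*parts))
    root_n = posixpath.normpath(root)
    if resolved != root_n and not resolved.startswith(root_n + "/"):
        raise ValueError("escaped sandbox: %r" % resolved)
    return resolved


def rejects(fn, *args, **kwargs):
    """True when fn raises ValueError for the given arguments (used to exercise the guards)."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False
```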