CVE-2013-10001: HTC's E-Mail Client Fails to verify Server Certificates
A vulnerability was found in HTC One/Sense 4.x. It has been rated as problematic. Affected by this issue is the certificate validation of the mail client. An exploit has been disclosed to the public and may be used.
HTC’s E-Mail Client Fails to verify Server Certificates
We decided not to release an official advisory, but to write this short and hopefully entertaining blogpost about a stupid, but severe bug we recently discovered.
Severity: medium to high
Vendor: HTC
Products known to be affected:
- Mail version 5.2.2222282614.528614.528614 on an HTC One SV with Android 4.0.4, HTC Sense 4.1, HTC SDK API 4.25
- Mail version 5.5.550363 on an HTC One X with Android 4.1.1, HTC Sense 4+, HTC SDK API 4.63
Short Summary
modzero identified a vulnerability in HTC’s default mail client. If the user chooses encrypted and authenticated communication to a mail server, the application does not verify the server’s certificate and automatically accepts any certificate without asking or warning the user. Thus, an attacker is able to intercept a user’s credentials and e-mails, especially in rogue access point scenarios.
Whole Story
While analyzing a wireless infrastructure, we were testing station behaviour regarding rogue access points. Using airbase-ng and some Metasploit capture server modules, the set-up was painless and straightforward.
YEP, it works as expected: the phone connects to the rogue network and tries to pull the e-mails from the SSL-protected POP3 or IMAP servers. The iPhone did properly show a certificate warning, because it could not verify the certificate while trying to get the e-mails. Let’s check how the other phones behave. Booom - a username and password was captured!
Wait a second? SSL was enabled in all the configs, right? Let’s check the config of the HTC One X Android phone again. YEP, SSL enabled - maybe something is broken, or someone had accepted the certificate already, or … whatever … So we set up another fake e-mail account and gave it a go.
Again, the password showed up and no certificate warning was visible in the HTC One X e-mail client at all. This happens for both POP and IMAP accounts.
Great! Everyone can man-in-the-middle your apparently SSL-protected e-mail communication. FSCK … impossible …
Let’s compare the available settings of an HTC Android phone and a regular Android phone:
Did the guys at HTC want to make the user experience better? Would more options just confuse their users? In fact, the “SSL” setting in the HTC e-mail client behaves like the “SSL (accept all certificates)” setting in other Android e-mail clients.
Using SSL is completely pointless, if you don’t verify the certificates at all.
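To make that concrete, here is an added example (not code from this post, and not HTC's client code, which we did not look at) of what a mail client's “SSL” setting has to do, next to what an “accept all certificates” setting amounts to. It uses Python's standard ssl and imaplib modules; the IMAP host, user and password are placeholders you supply.

```python
import imaplib
import ssl

IMAP_SSL_PORT = 993  # IMAP over TLS, the port a client dials for an "SSL" account


def make_context(accept_all_certs: bool = False) -> ssl.SSLContext:
    """Build the TLS context a mail client uses for an "SSL" account.

    accept_all_certs=False is what "SSL" has to mean: the server's chain is
    validated against the platform trust store and the certificate's name is
    matched against the host we dialled, so a rogue access point presenting
    its own certificate aborts the handshake before any credential is sent.

    accept_all_certs=True reproduces the "accept all certificates" behaviour
    described in the post: the session is still encrypted, but any certificate,
    self-signed or forged, is accepted, so an active MITM goes unnoticed.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    if accept_all_certs:
        ctx.check_hostname = False       # must be switched off before verify_mode
        ctx.verify_mode = ssl.CERT_NONE  # chain validation off: any cert passes
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """The two settings that decide whether TLS authenticates the server."""
    return {"verify_mode": ctx.verify_mode.name, "check_hostname": ctx.check_hostname}


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Self-check before credentials go over the wire: both checks must be on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def inbox_message_count(host: str, user: str, password: str, ctx=None) -> int:
    """Log in over IMAPS and return the INBOX size, refusing an unverified session."""
    ctx = ctx if ctx is not None else make_context()
    if not context_is_safe(ctx):
        # Fail closed: never send a password over a session that could be a MITM.
        raise RuntimeError("TLS context does not authenticate the server")
    # With a verifying context an untrusted chain or a name mismatch raises
    # ssl.SSLCertVerificationError here, before LOGIN is ever sent.
    with imaplib.IMAP4_SSL(host, IMAP_SSL_PORT, ssl_context=ctx) as imap:
        imap.login(user, password)
        _status, data = imap.select("INBOX", readonly=True)
        return int(data[0])
```

Call inbox_message_count("imap.example.com", "user@example.com", "password") with real values to try it; handing it make_context(True) is refused before any connection is opened.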
We did not even bother to check what precisely they messed up in the e-mail client code. HTC, please go and fix it. This is plain stupid. Other versions might be affected as well. Feel free to e-mail us regarding other affected versions.
Credits:
- Max Moser
- Martin Schobert
Posted by modzero | Filed under: rant, crypto