J2ME security vulnerabilities
From: Adam Gowdiak <zupa () man poznan pl>
Date: Fri, 22 Oct 2004 14:01:10 +0200
Since I received information from SUN Microsystems that they did not
plan to release Sun Alert for the issues I found in their CLDC reference
implementation, I would like to announce the following.

I found two very serious security vulnerabilities in Java technology for
devices (Java 2 Micro Edition) that might be affecting about 250 million
mobile phones coming from Nokia, Siemens, Panasonic, Samsung, Motorola.
Information about these flaws has been published at Hack In the Box
Conference earlier this month in Kuala Lumpur, Malaysia.
Both vulnerabilities are implementation flaws in bytecode verifier
KVM (Java Virtual Machine for mobile devices) developed by SUN
of the flaws can be used to completely break Java security (Java type
safety) on a mobile device and to obtain access to the phone data and
operating system's functionality.
I verified on my Nokia DCT4 phone that malicious code exploiting one of
can steal data from the phone (i.e. phonebook, SMS messages), establish
with the Internet, send arbitrary SMS messages, write permanent memory
of the phone
(FLASH), interfere with or intercept IPC communication occurring between
OS tasks, install resident code on the phone. Any of the aforementioned
be conducted without user knowledge and permission.
I would like to emphasize that although escaping the KVM sandbox and
type and memory safety is almost straightforward, conducting malicious
a given device is rather difficult as it usually requires deep knowledge
internal operation of the underlying OS (I spent four months reverse
Nokia OS before I could do anything malicious from Java application on
I plan to release a research paper with all the details about the flaws
device specific information and some additional material that didn’t fit
HITB talk, in a couple of months (1Q 2005).
Security Team of
POZNAN SUPERCOMPUTING AND NETWORKING CENTER