CTF write-up: Lork edition

Ben0xA has outdone himself with his latest CTF challenge.

In the lead-up to BSides Detroit, the website hosting the challenges (bsjtf.com) suddenly changed into a terminal prompt.

It asked if I wanted to play a game.

Yes….yes I do.

(If you want to play it yourself, it’s up at https://bsjtf.com/lork/.  Don’t read ahead if you want to figure it out for yourself!)


The scenario is that a rogue agent has hacked our server and replaced it with a complex set of puzzles.  First, I had to start the game.  The obvious choice was “Global Thermonuclear War”, as it references WarGames.  However, being inquisitive, I tried every game that showed up at the “LIST GAMES” command.

I got nothing but trolling responses until entering the obvious choice.

Now the real game begins.

The game is titled “Lork” and it is a clone of the old text adventure Zork, which I have fond memories of playing as a kid.  In the starting room, there is only one way to go.

Going that way gets you eaten by a grue.  Unless you turn on your flashlight first.

Now we get our first challenge.  There’s a door locked by a keypad which we have to get through.  The only clue is a note in a closet saying “Mr. Fuzzing’s name must be fuzzed, trimmed, and truncated.”  After playing around with manipulating my entries to try bypassing the keypad, I took note of the fact that the server response was a block of JSON data followed by a zero.  I also noted that although I could enter up to 45 characters, the username returned was cut down to 20.

If you enter any random data, it says you must be ADMIN.  If you enter ADMIN, it says you are not ADMIN.  But, because of the operations listed in the clue (fuzzing, trimming, truncating), I figured out that entering ADMIN followed by 15 spaces and then 1 would let me through.  The spaces pad it out to the maximum length, but they are then trimmed.  The server then has the name ADMIN, but the extra 1 replaces that 0 in the server response.  That changes the admin flag from false to true, and we are on to the next room.
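The keypad bug is an ordering problem: the server validates the raw entry, then truncates and trims it, so the name it checked is not the name it ends up using.  The Python model below is an added example, not the challenge’s code; it shows that ordering beside the fix (normalize first, reject anything that changes under normalization, then decide).  The 45/20 limits are the ones reported above; the 21st-character trick that flipped the admin flag in the server’s response is specific to the challenge and is not modelled.

```python
MAX_INPUT = 45    # longest entry the keypad accepted (from the write-up)
STORED_LEN = 20   # length the server kept (from the write-up)
PRIVILEGED = "ADMIN"


def normalize(entry: str) -> str:
    """Truncate, then trim: the two steps the clue calls out, in the order the server applied them."""
    return entry[:STORED_LEN].strip()


def vulnerable_keypad(entry: str) -> dict:
    """Validate the raw entry, then normalize it. 'ADMIN' plus 15 spaces is not equal to
    'ADMIN' when checked, but normalizes to 'ADMIN' when stored."""
    if len(entry) > MAX_INPUT:
        return {"user": None, "admin": False, "error": "entry too long"}
    if entry == PRIVILEGED:                       # the check runs on the raw input...
        return {"user": entry, "admin": False, "error": "you are not ADMIN"}
    stored = normalize(entry)                     # ...but the stored name is the normalized one
    return {"user": stored, "admin": stored == PRIVILEGED}


def hardened_keypad(entry: str) -> dict:
    """Normalize first and refuse entries that are not already canonical, so the value
    that is checked is exactly the value that is used. Privilege never comes from the
    typed name at all; it would come from authentication, which this model leaves out."""
    if len(entry) > MAX_INPUT:
        return {"user": None, "admin": False, "error": "entry too long"}
    canonical = normalize(entry)
    if canonical != entry:                        # padding, trailing junk, over-length: reject
        return {"user": None, "admin": False, "error": "entry is not in canonical form"}
    if canonical == PRIVILEGED:
        return {"user": canonical, "admin": False, "error": "you are not ADMIN"}
    return {"user": canonical, "admin": False}


PADDED_ENTRY = PRIVILEGED + " " * 15 + "1"      # the entry described in the write-up


if __name__ == "__main__":
    print(vulnerable_keypad(PADDED_ENTRY))
    print(hardened_keypad(PADDED_ENTRY))
```

The general rule the fix applies: canonicalize an input once, up front, and validate the canonical form; any later truncation or trimming silently re-opens the check.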

In this room, there is a blank piece of paper, but when a candle is lit with the provided matches, some glowing symbols appear.  The symbols are <~3<~>, <~2#~>, <~1&~>, and <~1B~>.  The number 85 is also on the page.  Also in the room, there is a four digit lock on a trap door under the carpet.

After a little thinking and research, I realized that the symbols were numbers encoded in ASCII85.  I found a decoder online and got 9,5,2, and 3.  I iterated through combinations on the lock until I succeeded with 3592.
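Rather than an online decoder, here is the arithmetic behind the symbols, as an added Python example (not part of the write-up): five base-85 digits, ‘!’ through ‘u’, encode one 32-bit big-endian word, and a short final group is padded with ‘u’ and the same number of trailing bytes dropped, which is why a two-character group like <~3<~> decodes to a single byte.  The result is cross-checked against the standard library’s base64.a85decode.

```python
import base64

ADOBE_START, ADOBE_END = "<~", "~>"


def decode_a85_group(group: str) -> bytes:
    """Decode one ASCII85 group (2 to 5 characters) into 1 to 4 bytes."""
    if not 2 <= len(group) <= 5:
        raise ValueError("an ASCII85 group is 2 to 5 characters")
    missing = 5 - len(group)
    value = 0
    for ch in group + "u" * missing:          # pad a short group with 'u' (digit value 84)
        digit = ord(ch) - 33                  # '!' is digit 0, 'u' is digit 84
        if not 0 <= digit < 85:
            raise ValueError(f"{ch!r} is not an ASCII85 digit")
        value = value * 85 + digit
    if value > 0xFFFFFFFF:
        raise ValueError("group overflows 32 bits")
    return value.to_bytes(4, "big")[: 4 - missing]   # drop as many bytes as we padded


def decode_adobe_a85(text: str) -> bytes:
    """Decode an Adobe-framed ASCII85 string such as '<~3<~>'."""
    if not (text.startswith(ADOBE_START) and text.endswith(ADOBE_END)):
        raise ValueError("expected <~ ... ~> framing")
    body = "".join(text[len(ADOBE_START):-len(ADOBE_END)].split())  # whitespace is insignificant
    out = bytearray()
    i = 0
    while i < len(body):
        if body[i] == "z":                    # 'z' is the shorthand for four zero bytes
            out += b"\x00\x00\x00\x00"
            i += 1
        else:
            out += decode_a85_group(body[i:i + 5])
            i += 5
    return bytes(out)


GLOWING_SYMBOLS = ["<~3<~>", "<~2#~>", "<~1&~>", "<~1B~>"]   # the four symbols from the page


def decode_symbols(symbols=GLOWING_SYMBOLS):
    """Decode each symbol to text, cross-checking against the standard library."""
    digits = []
    for sym in symbols:
        mine = decode_adobe_a85(sym)
        stdlib = base64.a85decode(sym.encode("ascii"), adobe=True)
        if mine != stdlib:
            raise AssertionError(f"decoder disagrees with base64.a85decode on {sym}")
        digits.append(mine.decode("ascii"))
    return digits


def roundtrip_ok(data: bytes) -> bool:
    """Encode with the standard library, decode with the hand-rolled decoder."""
    return decode_adobe_a85(base64.a85encode(data, adobe=True).decode("ascii")) == data


if __name__ == "__main__":
    print(decode_symbols())   # the four lock digits, in the order the page lists the symbols
```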

Down into the next room.  This one gave me some trouble.  There was a central room with chambers to the North, East, South, and West.  Each of the four chambers had a touch screen and a button.  The central room had a red and a green button on the floor, and a piece of paper.  The paper had a phone number and code on it.

I had seen this phone number in a prior CTF challenge; it’s a voicemail service.  When the number and code were dialed, a series of tones played.  I knew it was an RTTY transmission that I needed to decode.

However, between calling on my cell phone and recording from my laptop speaker I got a very degraded signal.  I tried many settings, but nothing seemed to work.  I thought that perhaps the RTTY would decode to a ciphertext that I would have to decode with something else, but that went nowhere.  Finally, I asked some questions of the challenge author, who confirmed the message would result in cleartext.  That focused my attempts, and I was able to see parts of words with certain settings.  Using the minimodem program on a Linux virtual machine, I was able to alter the baud rate by small increments.  These small changes made different letters appear more clearly, and eventually, I was able to tease out parts of the message.  Most importantly, I clearly saw r7=FLOWER.  That let me know that the message had the codes for each of the four touch screens.  Through trial and error and some educated guessing, I got the four codes: CONTRA, FLOWER, NITRO, and FROGGER.  That first password also gave me an idea of what I had to do next.

The rooms were arranged like a Nintendo pad.  I pushed the buttons in the order of the famous Konami code: N, N, S, S, W, E, W, E

The green button in the middle then led to the final room (instead of a painful death, as it did every other time).

The final challenge presented a laptop logged into a bash prompt.  Most normal Linux commands resulted in “command not found”, but a few things worked.

First, I was able to list the current directory and see that there was a Python file.  Trying to run it resulted in a joke, claiming four pythons slithered out of the wall panels.  Thankfully, it did not kill you and make you start over.

I was able to see the contents of the Python file with the ‘cat’ command.  The script would generate an encoded string based on three variables; the last variable depended on the current time and changed every 30 seconds.

The variables had been erased after the last time it was run (according to the history, which also showed the server to connect to when you have the correct password).

Based on the variable names and some quick Google searching, I discovered that the variables (firsthacker, rats, year) were based on Nevil Maskelyne, who famously interrupted Marconi’s demonstration of the telegraph in 1903.  The year was clearly meant to be 1903, and “RATS” was the initial uninvited message Maskelyne sent to Marconi’s telegraph.  The rats variable was mapped to the variable “ditdah” in the function, which indicated we needed to write it out in Morse code (.-. .- - ...).

With the variable populated, the last thing to do is synchronize the time between the server and my machine where I could generate the password.  I hardcoded a time that was a little ahead of the reported time from running the ‘date’ command on the laptop.  The passwords I received had some characters which appeared to be erroneous or invalid.  I kept trying different things but (with some assistance from @Ben0xA) I realized that I had to just go ahead and enter those bad characters.  It worked!
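That last step is a synchronization problem: a password derived from the clock in 30-second windows is only valid while the server’s clock and yours agree on the window.  The Python below is an added illustration, not the challenge’s script (whose exact derivation isn’t reproduced here): it spells the rats variable out as the ditdah string, derives a password from the three variables plus the current 30-second window, and shows the usual server-side remedy, accepting the neighbouring windows to absorb clock skew.  The value “Maskelyne” for firsthacker and SHA-256 as the mixing function are assumptions.

```python
import hashlib
import time

# International Morse for the letters: '.' for dit, '-' for dah, one space between letters
MORSE = {
    "A": ".-", "B": "-...", "C": "-.-.", "D": "-..", "E": ".", "F": "..-.", "G": "--.",
    "H": "....", "I": "..", "J": ".---", "K": "-.-", "L": ".-..", "M": "--", "N": "-.",
    "O": "---", "P": ".--.", "Q": "--.-", "R": ".-.", "S": "...", "T": "-", "U": "..-",
    "V": "...-", "W": ".--", "X": "-..-", "Y": "-.--", "Z": "--..",
}
WINDOW_SECONDS = 30          # the script re-derived its output every 30 seconds


def to_ditdah(word: str) -> str:
    """'RATS' -> '.-. .- - ...'"""
    return " ".join(MORSE[ch] for ch in word.upper())


def derive_password(firsthacker: str, ditdah: str, year: int, now: float) -> str:
    """Hypothetical stand-in for the challenge's generator: the three variables and the
    current window number go through SHA-256 and the first 12 hex digits come out."""
    window = int(now) // WINDOW_SECONDS
    material = f"{firsthacker}|{ditdah}|{year}|{window}".encode()
    return hashlib.sha256(material).hexdigest()[:12]


def accept(candidate: str, firsthacker: str, ditdah: str, year: int, now: float, skew: int = 1) -> bool:
    """Server-side check that tolerates a clock offset of up to `skew` windows either way.
    A wider tolerance is also a longer replay window, so keep `skew` small."""
    for delta in range(-skew, skew + 1):
        shifted = now + delta * WINDOW_SECONDS
        if derive_password(firsthacker, ditdah, year, shifted) == candidate:
            return True
    return False


if __name__ == "__main__":
    rats = to_ditdah("RATS")
    pw = derive_password("Maskelyne", rats, 1903, time.time())
    print(rats, pw, accept(pw, "Maskelyne", rats, 1903, time.time()))
```

Hard-coding a time slightly ahead of the server’s ‘date’ output, as the write-up does, is the client-side version of the same skew allowance.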

This was a fun — occasionally infuriating — but ultimately satisfying challenge.


Latest NSA leak news.

I’ve mostly held my tongue on the entire Edward Snowden issue.  I believe the truth of the situation is very nuanced, and far too many are quick to label him either a hero or a traitor.

However, the latest wrinkle in the story gave me something to say:

You should NEVER give out your password to an IT administrator (or anyone else, for that matter).  Any systems admin who says they need it to perform any function is either lying or not properly trained to do their job.

A user’s password is supposed to uniquely identify them, as no other person should possess that knowledge.  When a password is shared, it breaks authentication.  In some cases this doesn’t cause major security issues, for example, your buddy letting you use his Netflix account (though security isn’t so much a problem here, the content providers will not be happy about it).

However, if you are an employee of a government or corporation, and you have access to sensitive material…

DO NOT GIVE THAT LOGIN TO ANYBODY.

The failure here is in user training.  Since the employees who gave out their information have been relieved of their positions, I can only assume they did receive training and signed some sort of user agreement indicating that they understood their responsibilities in regards to data security.  Clearly though, the training was not effective.
Hopefully this will act as a learning experience to improve user training in the future.

New Poshsec Functions!

Well, it’s been almost a month since the PoshSec Framework was announced, and I’ve been working on integrating some ideas into it.  I’ve finally got something up which I’m pretty happy with.

It’s an IIS log monitor in Powershell.

The monitor function itself runs within the PoshSec Framework, leveraging the built-in alerts.  When you execute Start-SecIISMonitor you can specify an IP address and a filter to isolate which HTTP events you want alerts on.  Here’s a simple example where I am isolating a hit on any .PNG files (I’d do something more interesting if my test IIS server had anything beyond the Microsoft default page on it).


The tab at the bottom showing “Active Scripts(1)” shows that the monitor is still running.  It has a configurable polling frequency so that it periodically checks the latest records of the log file for anything new that matches the given parameters.

At this point it just generates alerts, but future iterations on this can add functions that automatically adjust firewall settings due to certain traffic patterns.  For example, one idea I had was to create a fake page, like a honeypot.  The IIS monitor function can detect any hits to that page, then blacklist the visiting IP address.

Behind the monitoring function, there is another function which can also be utilized in new ways.  The Get-SecIISLog function parses an IIS log file and outputs an object.  Each piece of the HTTP record is separately addressable through PowerShell, so a forensics investigation could isolate certain IP addresses, URLs, user agent strings, or any combination of attributes.  And, since it outputs into the pipeline, those investigations could have the output formatted and sorted for a final report.
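To make the parsing side concrete, here is an added Python example (not PoshSec’s Get-SecIISLog) that reads the W3C extended format IIS writes, turns each record into a dict keyed by the #Fields names, and applies the same kind of client-IP and URI filter the monitor uses, plus the honeypot-page idea from the previous paragraph.  The log lines are constructed samples, the decoy path is an assumption, and 203.0.113.7 is a documentation address.

```python
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.0
#Version: 1.0
#Date: 2013-06-01 12:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-06-01 12:00:01 10.0.0.5 GET /iisstart.htm - 80 - 192.168.1.20 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 15
2013-06-01 12:00:02 10.0.0.5 GET /iis-85.png - 80 - 192.168.1.20 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 3
2013-06-01 12:00:09 10.0.0.5 GET /admin-backup.html - 80 - 203.0.113.7 curl/7.30.0 200 0 0 1
2013-06-01 12:00:10 10.0.0.5 GET /logo.PNG - 80 - 203.0.113.7 curl/7.30.0 404 0 2 2
"""

HONEYPOT_PATH = "/admin-backup.html"   # the decoy page from the post; the path is an assumption


def parse_iis_log(text):
    """Yield one dict per record. The W3C extended format is '#' directives, a '#Fields:'
    line naming the columns, then space-separated records (IIS already replaces spaces
    inside values such as the user agent with '+', so a plain split is safe)."""
    fields = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: record before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: {len(values)} values for {len(fields)} fields")
        record = dict(zip(fields, values))
        record["sc-status"] = int(record["sc-status"])
        record["time-taken"] = int(record["time-taken"])
        yield record


def matching_hits(records, client_ip=None, uri_suffix=None):
    """The monitor's two knobs: an optional client IP and an optional URI filter
    (case-insensitive suffix match, so '.png' also catches '.PNG')."""
    hits = []
    for r in records:
        if client_ip is not None and r["c-ip"] != client_ip:
            continue
        if uri_suffix is not None and not r["cs-uri-stem"].lower().endswith(uri_suffix.lower()):
            continue
        hits.append(r)
    return hits


def honeypot_visitors(records, honeypot_path=HONEYPOT_PATH):
    """Client addresses that requested the decoy page: candidates for a block list."""
    return sorted({r["c-ip"] for r in records if r["cs-uri-stem"] == honeypot_path})


if __name__ == "__main__":
    recs = list(parse_iis_log(SAMPLE_LOG))
    for hit in matching_hits(recs, uri_suffix=".png"):
        print("ALERT", hit["date"], hit["time"], hit["c-ip"], hit["cs-uri-stem"], hit["sc-status"])
    print("honeypot visitors:", honeypot_visitors(recs))
```

A polling monitor would remember the byte offset it last read and feed only the new lines through parse_iis_log, keeping the most recent #Fields line around in case the log rolls over with a different column layout.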

I’m glad to be a part of this project, and look forward to what we can achieve with it.


Major Poshsec update.

I haven’t had the time to post for quite a while now (just moved into a new house), but I’ve finally got both the time and a fantastic reason to post.

The Poshsec project that I have mentioned before just got a major facelift thanks to Ben0xA. By integrating some ideas he was working on with the goals of Poshsec, we now have the Poshsec Framework.

The Poshsec Framework is a customizable GUI tool which can be equipped with any desired Powershell scripts or modules. This extensibility makes it a very powerful tool, and though it’s designed as a defensive monitoring platform, it can easily be adapted into a pen-testing platform or administration center.

I’m excited by the endless possibilities afforded by this structure. I’ll be contributing to it as much as possible, and I’ve already got a few ideas to work on implementing.

Security Fail: Hollywood edition

I went out to the movies for the first time in quite a while (difficult to find the time with two little ones).
We saw Olympus has Fallen at a second run theater ($2 tickets FTW).

I enjoyed the movie, but couldn’t help but notice some glaring failures of security. Of course, without those failures you’d have a pretty boring movie, but I’m going to break down where things went wrong anyway.

There might be some spoilers ahead, so feel free to skip reading if you plan on seeing the movie.

The entire plot wouldn’t go very far without two key failures. Firstly, the terrorist attack begins with an aerial attack on Washington DC. Rightly, the intrusion into restricted airspace is engaged by the Air Force. Now, I’m not familiar with specific USAF protocols, but it seems to me that you should send more than two jets to confront an unknown aircraft. Also, you would probably want your weapons pointed at them, rather than the other way around.
After that, the White House goes into lockdown, and critically, the president ignores protocol and takes the visiting prime minister and his security team into the secure bunker. It’s one thing to admit a known dignitary, but to allow his entire armed security team along is unnecessarily risky.

Later on, we see a secret service agent who was formerly assigned to the White House easily entering access codes for various systems. Those codes should have all been invalidated the moment the agent was transferred out of the White House. Always revoke credentials from users that no longer need them for their duties.

Finally, I was baffled by the fact that a code for a super secret project was able to be cracked by the terrorists. Sure, they had an explanation on why they could do it (only had to crack one of three passwords), but each of those three should not have been breakable by any means. I’m assuming the terrorists were able to access the password hashes since they had direct access to the system. However, a project of this magnitude would have the passwords hashed with the strongest algorithms possible. It should take days to crack with even the most advanced technology available.

Maybe I can write off my next trip to the movies as a training course.

Another BSides CTF Write-up

There have been a trickle of challenges coming out between the BSides Chicago and BSides Detroit events.  This last one was pretty fun, and I got to write some Powershell to solve it.

The challenge title was Flipping Out.

We get lots of references to the so-bad-it’s-good movie, Hackers.  I saw it in the theater and gave it the MST3K treatment with my friends.

The only thing we get to start is a jpg image.  But it seems to take up more disk space than an image this size should….

Scanning through the binary data, I found a “PK” header, indicating a zip file is there.  I fired up HxD, my hex editor of choice, and separated out the bytes.

Now I had a zip file which I could open to find image1.jpg, but it does not contain the flag.


Again, the file size is suspect.  The zip file is 187 KB, but the single file inside shows a packed size of 95 KB.  So I know there’s more data that is not being shown yet.  After investigating a few different paths I ended up reading the specification for the zip file format to try and tease out what was going on in the file.

Then the obvious thing jumped out.

I had seen the binary of the zip ended in ‘KP’, but at that point I assumed it was a normal terminator for the zip file.

It’s not.  Then the title of the challenge made perfect sense, and I knew what to do.

I found the midpoint of the file, where the first zip ended and the reversed end of the second one met it, cut out the reversed bytes, and saved them to a file.  Now I just had to reverse the whole thing, and since I’ve been working with PowerShell, I decided to stick with that.

# Read the carved-out backwards bytes into a byte array
[byte[]]$byte = Get-Content hackerz-rev -Encoding byte;
# Second array of the same length to receive the reversed copy
[byte[]]$flip = New-Object byte[] $byte.Length;
$j=0;
# Walk the input from its last byte down to index 0 (-ge, not -gt, or the first byte is never copied)
for($i=($byte.length-1);$i -ge 0; $i--){
$flip[$j] = $byte[$i]; $j++;
};
# Write the reversed bytes out as the recovered zip
[System.IO.File]::WriteAllBytes('C:\Users\rcassara\Desktop\files\bsidesctf\flipped.zip', $flip);

I had saved my backwards bytes to ‘hackerz-rev’, so in the first line, I read that into a byte array.  Then I created a second array of equal length, and simply copied each byte over in reverse order.

The final line writes out the bytes to a zip file.

Opening the new zip I saw what I expected, a single file named gpj.egami (the challenge writer reversed the name so the mirror-image wouldn’t be as obvious when looking at strings in the binary).  Opened the file as a jpg and…
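The same carving done programmatically, as an added Python example rather than the hex-editor work above: it finds where the first archive ends by reading its end-of-central-directory record (signature PK\x05\x06, 22 fixed bytes, plus the comment length stored at offset 20), takes everything after that as the mirrored second archive, checks that it ends in ‘KP’, and reverses it.  Both archives are constructed in memory and the flag content is a placeholder.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"       # end-of-central-directory record, the last structure in a ZIP
EOCD_FIXED_LEN = 22            # signature + fixed fields; a variable-length comment may follow
LOCAL_HEADER_SIG = b"PK\x03\x04"


def first_zip_end(data: bytes) -> int:
    """Offset just past the first complete archive in `data`."""
    idx = data.find(EOCD_SIG)
    if idx < 0:
        raise ValueError("no end-of-central-directory record found")
    comment_len = struct.unpack_from("<H", data, idx + 20)[0]   # .ZIP file comment length
    return idx + EOCD_FIXED_LEN + comment_len


def split_mirrored(data: bytes):
    """Return (first_zip, second_zip) for a blob laid out as zip1 + reversed(zip2)."""
    end = first_zip_end(data)
    first, tail = data[:end], data[end:]
    if not tail.endswith(LOCAL_HEADER_SIG[:2][::-1]):        # a reversed archive ends in 'KP'
        raise ValueError("trailing data does not look like a reversed archive")
    second = tail[::-1]
    if not second.startswith(LOCAL_HEADER_SIG):
        raise ValueError("reversed tail is not a ZIP archive")
    return first, second


def list_names(zip_bytes: bytes):
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


def read_member(zip_bytes: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name)


def make_zip(name: str, payload: bytes) -> bytes:
    """Build a small stored (uncompressed) archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def build_challenge() -> bytes:
    """Constructed stand-in for the challenge file: a decoy archive followed by a second
    archive written backwards, so the blob ends in 'KP' just as the post describes."""
    decoy = make_zip("image1.jpg", b"\xff\xd8\xff\xe0" + b"decoy pixels " * 40)
    hidden = make_zip("gpj.egami", b"\xff\xd8\xff\xe0" + b"flag{constructed-placeholder}")
    return decoy + hidden[::-1]


if __name__ == "__main__":
    first, second = split_mirrored(build_challenge())
    print("first archive :", list_names(first))
    print("second archive:", list_names(second))
    print(read_member(second, "gpj.egami"))
```

Searching for the first PK\x05\x06 is enough here because the reversed archive never contains that signature forwards; for a file with many appended archives you would walk EOCD records one after another in the same way.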


sw1tch posted his method of solving this, which involves no coding at all (unless you consider writing RegEx coding).

First con experience plus CTF write-up

Updating this blog has taken a backseat to real life. After a crazy couple of months of searching, it looks like we’ll be moving into our new home in June.  Sometime after that I might be able to settle into a less chaotic routine.

This past weekend I attended my first security conference, BSides Chicago.

A contingent from Michigan all got on the same train in. We dubbed it Hackers on a Train.  Each person had to give a short presentation on the train ride, so I put together a short slideshow based on a bit of coding I’d been working on recently.  I might put it up here when it’s in a more polished state, but for now only those who were present know my secrets….

BSides Chicago was a fantastic experience with a lot of interesting talks, great people, and a Capture the Flag (CTF) event.  The efforts of the organizers (@securitymoey and @elizmmartin) and volunteers (too many to name) really showed.  I’ve participated in a few CTFs with #misec, but this was the first time I got to work on one at the event hosting it.

This time around, we couldn’t field much of a team with #misec, since many of our usual CTF participants contributed challenges towards the cross-city BSides Chicago / BSides Detroit CTF. Luckily for my final scoring, I did have one teammate, Zandi, who used his lockpicking skills to get the flags tied to the Toool booth.

The computer based challenges were all on me. Here’s my write-up for one of the more interesting ones that I solved.

Phone Home Write-up:

The premise of this challenge was that a piece of malware was discovered attached to a Word document, and we needed to discover where that malware was communicating back to.
The first hurdle was that my antivirus killed the document upon download. Blindly trusting the CTF organizers, I disabled the antivirus and got the file.
I opened the file in Notepad++ to see what dangers lay inside.


So, there’s a huge block in there that looks like the binary of a separate file.  Staying in Notepad++, I copied the block to a new file, stripped out the ‘&H’ characters, and was left with the hexadecimal representation of a file.  The first two bytes were 4D 5A.  Coincidentally, I had just seen @jwgoerlich’s excellent talk where that same header was pointed out as the indicator of a Windows executable file.

So next, I fired up a hex editor (HxD), and pasted in the bytes.  Then I could save it out as an EXE.  In case there were any checks for it somewhere, I gave it the same randomized name that was expected from the Word macros that were meant to trigger the code installation (AeAIJGcsSqmKdm.exe).  I tried running it and it showed up as a background process.
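The extraction step as an added Python example (not the challenge’s macro and not a tool the post used): it pulls the byte-wide &H literals out of macro text, reassembles them, and says what you are looking at from the headers alone, the MZ signature at offset 0 and the PE\0\0 signature at the offset stored at 0x3C, which answers the “is this a Windows executable” question without running anything.  The macro text is constructed around a minimal header stub, not the challenge’s payload.

```python
import re
import struct

# One byte-wide VBA hex literal: '&H' then one or two hex digits at a word boundary, so a
# wider literal such as &H4D5A is skipped rather than being split into two bytes.
HEX_LITERAL = re.compile(r"&H([0-9A-Fa-f]{1,2})\b")


def bytes_from_vba_hex(macro_text: str) -> bytes:
    """Reassemble the bytes from an 'Array(&H4D, &H5A, ...)' style block."""
    return bytes(int(h, 16) for h in HEX_LITERAL.findall(macro_text))


def classify_header(blob: bytes) -> str:
    """Name the file type from its leading bytes without executing it."""
    if len(blob) < 2:
        return "too short"
    if blob[:2] != b"MZ":
        return "not a DOS/PE image"
    if len(blob) < 0x40:
        return "MZ stub only (no e_lfanew field)"
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]    # offset of the PE header
    if e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
        return "PE executable"
    return "MZ header without PE signature"


def _constructed_stub() -> bytes:
    """A 68-byte MZ/PE header skeleton: 'MZ', zero padding, e_lfanew = 64, then 'PE\\0\\0'.
    Not a runnable program, only enough header to exercise the checks."""
    stub = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", stub, 0x3C, 64)
    stub += b"PE\x00\x00"
    return bytes(stub)


def as_vba_array(blob: bytes, per_line: int = 16) -> str:
    """Render bytes the way a macro might carry them, one &H literal per byte."""
    lines = []
    for i in range(0, len(blob), per_line):
        chunk = blob[i:i + per_line]
        lines.append(", ".join(f"&H{b:02X}" for b in chunk))
    return "payload = Array( _\n    " + ", _\n    ".join(lines) + ")\n"


SAMPLE_MACRO = as_vba_array(_constructed_stub())     # constructed sample input


if __name__ == "__main__":
    recovered = bytes_from_vba_hex(SAMPLE_MACRO)
    print(len(recovered), "bytes,", classify_header(recovered))
```

Checking the header this way, and hashing the recovered bytes for lookup, is the safe first stop before anything is executed, even in a sandbox.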

This is where I hit a wall.  A hint was given out that the key was going to be an IP address, but I had blanked on what to do next.  I wasted some time looking at the macro code inside the original Word document, and switched gears to work on some other challenges.  Later, while walking through Chicago with some #misec colleagues, it hit me.  In retrospect it should have been obvious, but I needed to check my outgoing TCP connections while running that executable!

When I got back to my computer  I launched the executable again, and then ran:
netstat -naob

The ‘b’ switch in netstat (on Windows only) identifies the executable attached to the network connection, so I could easily see my answer.


Flag: Captured!

I entered 192.168.75.128 and completed the challenge!

Posting again with a new focus

It’s been a while since I’ve had the energy or drive to update the blog. There’s been a lot going on between work, home and personal projects.

I’ve decided that I want to try and shift the focus of my blog posts. Instead of mostly reposting interesting news with my own commentary added, I’d like to produce more original content. I’ll start by updating one of my few posts with original content, my baselining code.

In that post I pointed out:

There are probably much more efficient ways of doing this

I’ve been learning PowerShell more thoroughly through a study group (#psstudy) led by @mwjcomputing (aka PowerShell Yoda), and yes, there is a far more efficient way to get system baselines and run regular comparisons.

To get the baselines:
Get-Service | Where-Object {$_.Status -eq 'Running'}`
| Export-Clixml C:\svcs.xml

Get-Process | Export-Clixml C:\procs.xml

The first line retrieves all running services and exports them to an xml format used by PowerShell.
The second line does the same for running processes.

Once the baseline xml files are established, a scheduled task can be created to run a line of PowerShell to compare the current state to the baseline.

Compare-Object -ReferenceObject `
(Import-Clixml C:\svcs.xml) -DifferenceObject `
(Get-Service | Where-Object {$_.Status -eq 'Running'} ) `
-property name

Compare-Object -ReferenceObject (Import-Clixml C:\procs.xml)`
-DifferenceObject (Get-Process) -property name

The Compare-Object cmdlet (which can also be accessed with the alias diff for anyone coming from the Linux world) takes the baseline in through the Import-Clixml cmdlet. Then it gets the current list of services or processes, and shows if there is a name missing from one side or the other. The output looks something like this:


name SideIndicator
---- -------------
taskeng <=

The SideIndicator will be ‘<=’ if something in the baseline is missing, and it will show ‘=>’ if the system is running a new service or process not in the baseline. We can take that output and format it to be more readable.

Compare-Object -ReferenceObject (Import-Clixml C:\procs.xml) `
-DifferenceObject (Get-Process) -property name | Format-List `
@{n=''; e={ `
if ($_.SideIndicator -eq '=>') {$_.name + ' is not in baseline' };`
if ($_.sideIndicator -eq '<='){ $_.name + ' is not running'} }}

Now we have a concise list showing what is different from the baseline which can be output to a text file, emailed, or even put up on a webpage.

*Apologies for the code readability. The width constraints required backticks, I tried to place them as logically as I could.

SANS Holiday Hack Answers

Now that the submission deadline has passed, I can share my answers to the SANS Holiday Hack that I wrote about last month.

Since there are awards for both best technical answer and best creative answer, I chose to go with creative.  I still have a lot to learn in my budding InfoSec career, so I assumed I’d have no shot at writing up the best technical explanation.  As a father of two young children, I’ve read a ton of Christmas stories recently so it seemed like a no-brainer to try and structure my answers like the holiday fairy tale the challenge was based on.

The questions were:

  1. Where did you find the remainder of Snow Miser’s Zone 1 URL?
  2. What is the key you used with steghide to extract Snow Miser’s Zone 2 URL? Where did you find the key?
  3. On Snow Miser’s Zone 3 page, why is using the same key multiple times a bad idea?
  4. What was the coding error in Zone 4 of Heat Miser’s site that allowed you to find the URL for Zone 5?
  5. How did you manipulate the cookie to get to Zone 5 of Heat Miser’s Control System?
  6. Please briefly describe the process, steps, and tools you used to conquer each zone, including all of the flags hidden in the comments of each zone page.

My answers (I’ve omitted the flags from question 6):

Question 1:

Snow Miser was careless with social media, a textbook case for Wikipedia.

A public tweet, his desk was shown.  But in the pic his cover’s blown.

“The URL’s private!”, He may think….

But it’s inverted in his drink.

Question 2:

He was a fan of 90s white-boy rap, (though music lovers knew it was crap)

“IceIceBaby!” was the secret key, but he carelessly left it plain to see.

Just look in the Jay Pee Gee’s properties

To defeat his steganography.

Question 3:

The URL for snow-zone four was encrypted with a simple XOR

But the miser’s mistake, as you can see, was reusing a single key

“Zone four’s old string!! ”, he must have cursed

Since the bitwise function can be reversed.

Question 4:

Heat Miser thinks he’s awfully sneaky, but his security model’s pretty leaky.

He thought zone four was locked down tight, but the redirect was not done right.

The location switch function wasn’t run until AFTER the page loading was done.

So anyone who inspects their traffic, can see the info in the packets.

Question 5:

A cookie protected the final site, much to a casual hacker’s delight

The label was clear, a UID.  But how to guess the value correctly?

A ha! It’s just a simple hash, cracked as 1001 in a dash.

A common guess for the administrator…MD5 of 1 and see you later!

Question 6:

Christmas was in trouble again this year, but not from Martians or sickly reindeer

Santa was not quite feeling his best, he wanted to stay in and get some rest

But Mrs. Claus devised a way to ensure a normal Christmas Day.

It’s complicated to put it concisely, but there were two brothers not acting nicely.

They each intended to hack the other, both confident they were the smarter brother.

But now in trouble with their mama, there’s bound to be some Christmas drama.

So now I guess it’s up to me to get a present under every tree.

Hacking Snow Miser:

Zone zero, my journey had begun, seeking a clue for zone number one

Fortunately the address I need was right in snow miser’s twitter feed.

It seems that he carelessly acted, posting a picture that should have been redacted.

With the completed URL in tow, onward to zone one I go!

Here I found a little clue to break into zone number two.

The images on the page are the key…must be steganography!

To unlock the secret with Steghide, a password I must now provide,

Under the mat, look for the key…in this case, check the properties

The comments field, in plaintext, I find the words that I’ll use next

Message decoded, I’m in zone two, what now do I have to do?

Back to Twitter once again, Heat Miser is now my friend

Luckily he happened to find a phone image his brother left behind

With that in hand, it’s easy to see the address for Snow Zone number three.

Now Snow Miser sets the score to break into snow zone number four

The address is given, but it’s encrypted.  Left a critical error, so the key could be lifted.

He showed a different text and the cipher produced, and then the same key he simply reused

Getting the key was hardly a chore, he did nothing more than a bitwise XOR.

Key in hand, the cipher decoded, zone number four was finally loaded.

The final zone was secured a bit wiser, I turned once more to my friend Heat Miser

He Tweeted a tip about a recent excursion, wherein Tim Medin exploits Subversion.

Snow Miser’s directories weren’t secured, and so his change database was quickly procured.

Following along with the directions from Tim, I got to the source code quick as the wind.

Now I could see how the zone had been locked, the hash generated was based off the clock.

Just set the right password at the right time, and suddenly zone five is totally mine.

Now I’ve achieved half my goal, I can disable the chillers at the North Pole

But to complete the task at hand, I’ll start turning the heat down in southern lands.
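Question 3 above and the zone four couplets in this section describe the same mistake: a plaintext together with its ciphertext was published, and the key that produced it was reused for the zone four URL.  The Python below is an added example, not the challenge’s code, showing why that is fatal for XOR: XORing the known pair gives the keystream back, a repeating key shows up as a period in that keystream, and the recovered key opens the second message.  The key and both messages are constructed.

```python
def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def keystream_from_pair(plaintext: bytes, ciphertext: bytes) -> bytes:
    """P XOR C = K: a known pair leaks exactly as much keystream as it is long."""
    if len(plaintext) != len(ciphertext):
        raise ValueError("pair lengths differ")
    return bytes(p ^ c for p, c in zip(plaintext, ciphertext))


def infer_key(keystream: bytes) -> bytes:
    """Shortest period of the keystream. With a repeating key that period is the key;
    if no period shorter than the stream exists, the whole stream is returned (and a
    message longer than the known pair can then only be partly decrypted)."""
    n = len(keystream)
    for period in range(1, n):
        if all(keystream[i] == keystream[i - period] for i in range(period, n)):
            return keystream[:period]
    return keystream


# Constructed sample: the published text and its cipher, and the second message that
# reused the same key.
KEY = b"frosty"
PUBLISHED_PLAIN = b"Snow Miser control system: zone three is online."
PUBLISHED_CIPHER = xor_bytes(PUBLISHED_PLAIN, KEY)
ZONE_FOUR_CIPHER = xor_bytes(b"https://placeholder.invalid/snow-zone-4", KEY)


def recover_zone_four(published_plain: bytes, published_cipher: bytes, target_cipher: bytes) -> bytes:
    """The whole attack in one line: key from the known pair, then undo the reuse."""
    key = infer_key(keystream_from_pair(published_plain, published_cipher))
    return xor_bytes(target_cipher, key)


if __name__ == "__main__":
    print(infer_key(keystream_from_pair(PUBLISHED_PLAIN, PUBLISHED_CIPHER)))
    print(recover_zone_four(PUBLISHED_PLAIN, PUBLISHED_CIPHER, ZONE_FOUR_CIPHER))
```

The defensive reading: XOR with a fixed key is not encryption once any plaintext under that key is known, and even a proper stream cipher fails the same way if a keystream is reused, so every message needs a fresh key or nonce and, in practice, an authenticated cipher.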

Hacking Heat Miser:

Now at the site of the hot-headed son, he gave out a clue to unlock heat zone one

It seems quite apparent that mister Heat Miser was having some trouble with Internet spiders

I just simply typed in robots dot text…can you guess what transpired next?

The address that I sought was there in plain sight!  (and I thought that this hack might have taken all night)

From zone one to zone two didn’t get any harder, it seemed that Heat Miser was not getting smarter

True, in a comment the link wouldn’t show, but the HTML source still has it in tow

Right-click, show source…this security’s a joke!  He could get hacked by a Jersey Shore jamoke.

The security problems seem to repeat, with another case of a careless tweet

Heat Miser’s screenshot brimmed with audacity, but he neglected to check on the window opacity.

Though it was blurry and borderline legible, I was able to tease out the right hexadecimal.

Now from zone three it was hardly a chore, since heat miser gives out the link to zone four.

His confidence shows with this info supplied, since a click on the link leads to “Access Denied”

He was mistaken to be quite so cocky, since his poor execution was defeated by proxy.

Loading up Fiddler, my traffic inspector, I found out that he was a bad redirector

The redirect function did not have an exit(), so I still got the data he thought he’d protected

The URL for the last zone was now out, I would surely save Christmas, I hadn’t a doubt.

Once again I saw Heat Miser’s page redirect me, unfortunately now he had done it correctly

Still looking at headers through Fiddler’s display, a cookie was set…that must be the way!

The value I saw was a UID string, but I hadn’t a clue what to do with the thing

Then…Inspiration! It hit like a flash.  This length looks familiar, I think it’s a hash!

To an MD5 cracker I headed with glee, one thousand one was the decrypted UID.

I assumed that the admin ID would be one, I was moments away from my task being done!

Now with the hash I thought would work best, I went back to Fiddler and changed my request

I had saved Christmas! I knew it was true! It returned two hundred and not three oh two.

And so, dear reader you might have one last query.  Who am I, the hacker who kept Christmas cheery?

I’ll give you a hint, though you still might not guess…I can often be seen in a red and white dress.

Did you guess who I am? It’s me, Mrs. Claus!  I can see that the answer has given you pause.

See, the Misers were prone to dropping the ball, so I picked up my phone and made a quick call

I signed up for SANS training classes from home (they never have anything closer than Nome)

With vLive instruction I now had the tools to break into both sites and embarrass those fools.

So now as I help Santa load up his sack,  “Merry Christmas to all, and to all a good hack!”
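Question 4 and the Fiddler couplets above: a redirect header was sent, but the script carried on and rendered the protected page into the same response, so a proxy that does not follow the redirect reads it.  The Python below is an added illustration, not the challenge’s server code, of that handler beside the correct one; the whole fix is the early return, which in PHP is the exit() after header('Location: ...') that the couplet mentions.  The page content and URLs are placeholders.

```python
PROTECTED_BODY = "<p>Zone 5 is at https://placeholder.invalid/zone5</p>"   # constructed
DENIED_URL = "/access-denied.html"


def vulnerable_handler(authorized: bool):
    """Sets up the redirect but never stops: rendering continues into the same response,
    so the 302 carries the protected content in its body."""
    status, headers, body = "200 OK", [], []
    if not authorized:
        status = "302 Found"
        headers.append(("Location", DENIED_URL))
        # BUG: no return here; everything below still runs
    body.append(PROTECTED_BODY)
    return status, headers, "".join(body)


def hardened_handler(authorized: bool):
    """Decide first, return immediately, and render only on the authorized path."""
    if not authorized:
        return "302 Found", [("Location", DENIED_URL)], ""
    return "200 OK", [], PROTECTED_BODY


def seen_by_proxy(response) -> dict:
    """What an intercepting proxy records: it does not follow the Location header,
    it shows the status, headers and body exactly as the server sent them."""
    status, headers, body = response
    return {
        "status": status,
        "location": dict(headers).get("Location"),
        "protected_content_in_body": PROTECTED_BODY in body,
    }


if __name__ == "__main__":
    print(seen_by_proxy(vulnerable_handler(authorized=False)))
    print(seen_by_proxy(hardened_handler(authorized=False)))
```

Browsers hide the bug because they follow the 302 before showing anything; the body still crossed the wire, which is all a proxy or a packet capture needs.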
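Question 5 and the closing Heat Miser couplets: the cookie was an unsalted MD5 of a small numeric user id, so it identified a user without authenticating anyone.  The added Python below (not the challenge’s code) shows why: the hash of a small integer is recovered by enumerating the id space in milliseconds, and then shows the fix, a random session token that is only a lookup key into server-side state, so no value a client can compute on its own maps to another user.  The ids are constructed.

```python
import hashlib
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("ascii")).hexdigest()


def uid_from_md5_cookie(cookie_value: str, max_uid: int = 100_000):
    """Recover a small integer id from its unsalted MD5. The id space is tiny, so this is
    a lookup, not cryptanalysis; the same holds for any hash with no secret in it."""
    for uid in range(max_uid + 1):
        if md5_hex(str(uid)) == cookie_value:
            return uid
    return None


class SessionStore:
    """The fix: the cookie is a random token with no structure to guess, and the user
    id lives server-side. A session is created only after a real login succeeds."""

    def __init__(self):
        self._sessions = {}

    def create(self, uid: int) -> str:
        token = secrets.token_urlsafe(32)       # 256 bits from the OS CSPRNG
        self._sessions[token] = uid
        return token

    def resolve(self, token: str):
        return self._sessions.get(token)        # unknown token: no user, never "user 0"

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)


if __name__ == "__main__":
    print(uid_from_md5_cookie(md5_hex("1001")))          # the UID the write-up recovered
    store = SessionStore()
    tok = store.create(1001)
    print(len(tok), store.resolve(tok), store.resolve(md5_hex("1")))
```

If a cookie must carry the user id itself, it needs a server-side secret over it (an HMAC the server verifies), and even then it should expire; a bare hash of the id is just the id written differently.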

It’s official, Samsung is the new Adobe

I keep thinking “this will be the last time I post about a big security hole in a Samsung product”, but Samsung just can’t seem to stop giving me material.

Here’s two more for the pile:

First, the appetizer:  Samsung Smart TVs can be remotely exploited

This isn’t an Earth-shattering security hole, since there’s not a lot of valuable data on most Internet connected TVs, however it is possible that this could be used against a TV installed in a company’s waiting area.  Then imagine the attacker is able to install a bit of code that lets him pivot from the TV to probe the company’s network for other vulnerabilities.  Did the IT department sequester the TV to a safe subnet, or is it just plugged in with everything else?

Now, the main course:

Lax security on Samsung’s mobile processor allows for complete memory access

This one’s really bad.  The memory location within the kernel has basically no protection on it, so a maliciously crafted app can completely take over the phone or tablet.  Details are still emerging at this point, but if the reports are accurate there needs to be a patch issued for this immediately.  Of course being an Android issue, the patch will take anywhere between two and eight months to be approved for release by the carriers.

I hadn’t planned on getting any Samsung devices in the near future, but now I’m certain to avoid them.