Monday, October 12, 2009

Palm Pre WebOS version <= 1.1 Floating Point Crash

I. Description

The Palm Pre WebOS version <=1.1 suffers from a floating point exception crash when attempting to view a specially crafted web page. This vulnerability has been addressed in the latest patch from Palm and all users are advised to update to WebOS version 1.2+.

II. Impact

If a user is sent to a malicious web page that contains specially crafted data, the LunaSysMgr process will crash, causing the phone to simulate a reboot. The crash itself is a floating point error that crashes the "LunaSysMgr" process and forces the phone to restart the process, simulating a reboot of the system. At the time of the discovery, the greatest risk to the system was a crash/denial of service vulnerability.

The crash does not occur when viewing the malicious web page while in landscape mode.


III. Proof of Concept

The Palm Pre WebOS will crash upon opening a web page that contains 50,280 bytes of data and then attempts to refresh the page. Upon viewing the malicious web page the phone will "crash".

The following code will trigger the crash:

"<meta http-equiv="refresh" content="1">AAAAA..." using 50280 or more characters after the refresh.

IV. About

This vulnerability was discovered by Townsend Ladd Harris

Vulnerability details will be posted to: http://tlhsecurity.blogspot.com/ upon release of a patch.

Wednesday, October 7, 2009

Mailing Lists post the vulnerabilities!

After a few days, both SecurityFocus and Secunia published the vulnerabilities.

Links:

Bugtraq: Here
Secunia: Here

I have not submitted the floating point crash in the Web Browser to them yet, but apparently Secunia folks have read my blog and know an "unspecified" issue exists, so they made a placeholder.

Oddly, both Secunia and SecurityFocus are showing vulnerabilities in WebOS <=1.2.1 with unspecified details disclosed by the vendor; overall they claim something is wrong with it but give zero details. Why are these not merged with my issues or vice versa :/

Floating point details to come in next few days.

Thanks

-Ladd

Sunday, October 4, 2009

Palm Pre WebOS <=1.1 Remote File Access Vulnerability

Below are the details of the remote file access vulnerability I have released to various vulnerability mailing lists. To view a flash video that demonstrates how to exploit this bug please check out: Click To Watch

The folks over at Precentral.net did a nice write up on the issue as well:

http://www.precentral.net/update-12-fixed-serious-file-security-issue

I. Description

The Palm Pre WebOS <=1.1 suffers from a JavaScript injection vulnerability that allows a malicious attacker to access any file on the mobile device.

Palm has patched this vulnerability and all users are advised to upgrade to WebOS version 1.2+.

Palm WebOS 1.2 patch notes can be found here:
http://kb.palm.com/wps/portal/kb/na/pre/p100eww/sprint/solutions/article/50607_en.html#12

II. Impact

A specially crafted email can access any file on the Palm Pre WebOS version <=1.1 mobile device and send it to a web site of the attacker's choice just by viewing the email.

III. Details

The Palm Pre WebOS 1.1 and lower will parse and execute JavaScript contained in an email it receives. Exploiting this vulnerability allows an attacker to read/extract any file and post it to a remote website the attacker controls.

One particular file of interest is the "PalmDatabase.db3" file. Having this database file will give an attacker emails, email addresses, contact list information including names, phone numbers, etc. Some limitations with binary data have been identified; however, viewing binary data such as database files is still simple.

Proof of Concept

Creating an email with the following JavaScript in it will automatically upload a file of the attacker's choice to a remote web server:



To view a Flash demo of this exploit in action:

http://tlhsecurity.com/videos/FA.html

IV. About

This vulnerability was discovered by Townsend Ladd Harris

Special Thanks to:
- Chris Rohlf - Blog: http://em386.blogspot.com/
- Destinal #webos-internals (irc.freenode.com)
- Webos-Internals group #webos-internals(irc.freenode.com) Website: Here
- Bryce Kerley
- Dan Czarnecki
- Jeremy Rasmussen

Tuesday, September 29, 2009

Palm Pre WebOS <=1.1 Remote File Access Vulnerability Video

Once everyone is patched I will release the details on two vulnerabilities in the Palm Pre WebOS <=1.1

For now enjoy this FLASH Movie I made of the vulnerability
Click Here to Watch!

I did make the video myself and Adobe was not used =p


Enjoy

-Ladd

Monday, September 28, 2009

WebOS 1.2 and Palm Patches my stuff

Palm has patched my latest critical vulnerability (as well as others) in the Palm Pre WebOS that allows for remote file access and exfiltration. I will publish details on this once everyone is at an adequate patch level.

WebOS 1.2 Patch notes : Here

See ya in a bit and I will have a video for everyone.

-Ladd

Wednesday, September 23, 2009

Presented at Sandia Malware Conference!!

Just got done presenting some mobile security research I have been performing as of late and it seems to have gone well. I got a chance to meet some great industry/government folks in the area of malware analysis and reverse engineering.

Have not had much to post on the Pre since Palm has yet to release 1.2 (taking forever). As soon as they publish a version I will get back at it; I was on vacation and work took me away for a few weeks.

Promise some new bug info when 1.2 is released as I am ready for my disclosures and the video I have =p


-Ladd

Thursday, August 27, 2009

No update for WebOS yet.

I really thought today would be the new update for Palm's WebOS, does not seem so. It is still early, however since Canada's Bell Pre is running WebOS version 1.1, I am skeptical of a new update today (though we did get an update the day the phone was released on Sprint).

As a side note, I had a chance to meet a gentleman named Chris Clark (from http://www.isecpartners.com/) who is also doing some Palm Pre research. Very nice guy with some very interesting knowledge of the phone already. Hoping at some point we can team up on some work in the area. Thanks for the conversation Chris!

Ever vigilant for a new release...


-Ladd

Sunday, August 23, 2009

SMS injection

I can now inject arbitrary data into SMS fields that cause some fun rendering issues when viewing them, however nothing that is extremely exciting. I need to take a step back and see how I can interact with Mojo from an app standpoint and will continue to tear apart WebOS now that some of the low hanging fruit has been released. Be patient though, a very exciting vulnerability disclosure may get released by me, hopefully the patch is going to get released this week (rumor only).

I currently have two vulns for versions WebOS 1.1 and lower that have yet to be published and I have created a movie demonstrating each of them. They will be released whenever Palm puts out the patch. Palm is very odd in not letting me know as to when the patch is going to be released so I can put out my advisories.....

-Ladd

Wednesday, August 19, 2009

Vacation+

Sorry for not posting, been on vacation in New Jersey. I have been working on a slightly bleh SMS bug for the Pre, nothing to write home about yet. Spoke with Palm about releasing my exploit video and it was explained to me that it would be best to wait till it is patched, though a date was not given as to when it will be patched.

On a side note, I will be speaking at the Sandia Malware conference on September 21-25th on the Palm Pre and it should be fun =p

Going to get back into research this week, maybe we can find something new.

-Ladd

Tuesday, August 11, 2009

Do you have an LG ENV 2 Cell phone? Hope Not

I was trying to play a prank on my buddy Chris Sandulow using my new SMS spoofer and instead of playing a funny joke I actually crashed his phone. If you own an LG ENV 2 on Verizon and someone sends you a specially crafted HTML encoded email to a specific email2SMS gateway, your phone will crash without any interaction from you =p Having said that, if your phone is plugged in at the time you receive the SMS, it will turn it off.

Thanks Chris for being a guinea pig =p

I am holding back a little key to all of this, but not much :-)

If you ever have any interest in my research contact me at PalmPreHacker [at ]gmail.com

Sunday, August 9, 2009

Talked to Palm

I spoke to Palm's security WebOS big guy and was told that the two vulnerabilities, a DoS based on the browser and a pretty big one that lets me have access to things I shouldn't from remote, were both confirmed. I am told the latter has mitigating factors, but I really have not seen any. I have asked them a few questions on mitigating factors, I just have not received an answer back. Palm's security guy is very responsive and great to deal with so I am sure he will let me know.


As a side note, I started playing with SMS and found a nice "feature" using common email2SMS gateways that allows me to send text messages anonymously, through code, so that the receivers do not know where it came from (namely FROM email addresses). This isn't huge, but it can be fun to play with your friends =p

-Ladd

Thursday, August 6, 2009

Secunia updates, well sort of

So I was wondering when Secunia was going to update and show my new vulnerability so I went looking on the site. Turns out they did not give me a new advisory for a completely different vulnerability and instead merged it into the old one I posted. I am disappointed in that :(

Link is here: Secunia

Securityfocus.com (Bugtraq) did not even let it hit the vulnerabilities list, ignored the 2nd vulnerability in the disclosure, now this....

Not feeling the love.

-Ladd

Tuesday, August 4, 2009

Bugtraq Posts Advisory

Bugtraq posted my advisory today. You can check it out here: http://www.securityfocus.com/bid/35932/info, odd they didn't include the calendar bugs....

-Ladd

Monday, August 3, 2009

Palm Pre WebOS 1.0.4 Remote execution of arbitrary HTML code vulnerability

Back from Defcon and I submitted this vulnerability to the usual lists. Enjoy, I have more =p

I. Description

The Palm Pre WebOS version 1.0.4 (previous version as well) allows a remote attacker to execute arbitrary HTML code on the phone via certain applications. The affected applications involve the native email application via the notifications system as well as the native calendar application.

The vendor has been contacted and a patch has been released:

WebOS 1.1 - Here

II. Impact

Email Notification System:

A remote attacker is able to construct a malicious email that will cause the Palm Pre WebOS to execute arbitrary HTML code if the notification system is enabled. Upon receiving a malicious email where the FROM field contains HTML code, the Palm Pre WebOS will issue a user a notification that an email has arrived and execute the HTML code of the attacker’s choice. This vulnerability does not require user interaction.

Calendar Application:

A remote attacker can create a malicious calendar event putting arbitrary HTML code inside the event/title field that can be executed without user interaction. To trigger this vulnerability, one of the following conditions must occur:

1. The victim views the Calendar event and the malicious HTML will be executed.
2. The victim enables a reminder notice for the malicious calendar event; upon being notified of the reminder, the malicious HTML code will be executed.
3. The calendar event triggers and the malicious HTML code will be executed.

In cases where calendar events can be sent to users without interaction/acceptance, the risk of this vulnerability is higher.

III. Proof of Concept

The following HTML code can be used to provide a proof of concept for each of the vulnerabilities listed in this advisory:

"Test <META http-equiv="refresh" content="1;URL=http://www.google.com">"
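The two advisories above describe the same root cause from two angles: text fields (an email's FROM header, a calendar event title) were rendered as markup, so a refresh tag in them fired, and message bodies were rendered with script enabled, so JavaScript in an email could read files and post them off the device. The following is an added example, not Palm's code and not part of the original post, of the two defensive primitives a mail or calendar client needs: escaping for header-like fields, and allowlist sanitisation of HTML bodies before they reach a browser view. The tag and scheme allowlists are assumptions chosen for illustration, and the samples are constructed from the PoC strings in these advisories.

```python
"""Added example (not Palm's code): escape text fields, sanitise HTML bodies.

  * escape_text_field()  - for header-like fields (From, event title) that
    must be shown as literal text and never parsed as markup.
  * sanitize_html_body() - allowlist sanitiser for message bodies, so a
    <script> or <meta http-equiv="refresh"> in an email never reaches the
    renderer.  The allowlists below are illustrative assumptions.
"""
import html
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a",
                "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}            # no on* handlers, no style
DROP_CONTENT_TAGS = {"script", "style", "head", "title",
                     "iframe", "object", "embed"}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}


def escape_text_field(value: str) -> str:
    """Render a From header or calendar title as literal text."""
    return html.escape(value, quote=True)


def safe_href(url: str) -> Optional[str]:
    """Keep http(s)/mailto links only; javascript:, data:, etc. are dropped."""
    scheme = urlsplit(url.strip()).scheme.lower()
    return url if scheme in SAFE_SCHEMES else None


class _Sanitizer(HTMLParser):
    """Rebuilds the document from an allowlist of tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside a tag whose content is dropped

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return            # e.g. <meta>, <form>: tag dropped, text kept
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue
            if name == "href":
                value = safe_href(value)
                if value is None:
                    continue
            kept += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize_html_body(body: str) -> str:
    """Return a copy of the HTML body containing only allowlisted markup."""
    parser = _Sanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed samples: the advisory's refresh payload and a script body.
    print(escape_text_field('Test <META http-equiv="refresh" content="1;URL=http://www.google.com">'))
    print(sanitize_html_body('<p>Hi <script>document.location="http://attacker.invalid/"</script></p>'))
```

The point of the split is that a FROM header or event title has no legitimate markup, so it should be escaped, never sanitised; sanitisation is reserved for bodies where some formatting must survive, and even there the allowlist is the only thing that decides what the renderer sees.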

Thanks: My Wife and daughter (gave time to work =] ), Dan Czarnecki, Chris Rohlf, Jeremy Rasmussen

Saturday, August 1, 2009

Defcon

At Defcon having a great time, seeing some nice talks on mobile devices and wish I could have presented. Palm responded rapidly confirming my latest issue that pretty much is a game over vuln =p. They are working on the total impact though....

-Ladd

Wednesday, July 29, 2009

WebOS 1.1 Vulnerability disclosure sent to Palm/ Off to Defcon!

I discovered what I believe to be a critical issue affecting WebOS 1.1 of the phone and submitted it to Palm. I have already received a response that it is being looked into, so hang on to your seats...

PS: I gave Palm a POC that would involve connecting back to my personal site and lo and behold someone from Palm.com attempted to use my "toys" that would be accessible using the POC I gave them =p. Guess they are confirming it....

See you all at Defcon =p

-Ladd

Palm Sends me cool stuff and I have a potentially dangerous vulnerability

Palm sent me a Touchstone and a shirt for the work I have been doing, it was nice of them. I have also found a new critical vulnerability, I will notify Palm and I already have a nice proof of concept exploit for it =]. This new vuln affects WebOS 1.1.

FYI they have received my previous DoS disclosure for 1.1 and I was told it looked "legit" but no final confirmation yet.

Sorry for not posting lately, work plus family, plus research has kept me busy. Defcon, here I come!!!

-Ladd

Saturday, July 25, 2009

Got my sendmail server up and New BUG!

Finally got my sendmail server up, started fuzzing the email client and found some very interesting things we can do with the Palm Pre. My friend Destinal (@ from #webos-internals crew on IRC freenode) is working with me to come up with some nifty attack vectors so we could have some cool stuff. Maybe in time for Defcon =p

Thanks to Jeremy Rasmussen for validating one of the attacks and letting me beat up his pre for a little...

-Ladd

Friday, July 24, 2009

Palm Updates 1.1/1.0.4 Release Notes and New vuln sent to Palm

Palm emailed me today to let me know that they have updated the release notes for 1.0.4 to include vulnerability details. They also updated the 1.1 notes to give credit to me for my discoveries =p

Link is here: Here

I also sent in a new advisory to Palm that is a bug that will crash the phone that affects version 1.1 of WebOS :)

You may see vulnerability details on the issues found in 1.0.4 before Defcon o.0

-Ladd

Bugtraq and Secunia Finally Posted

Bugtraq finally posted my 1.0.3 issues and Secunia has contacted Palm to obtain more information, so great. I am currently writing up a new DoS for the Palm 1.1 WebOS that is nifty/simple and will be submitting it to them today.

After speaking with Palm they intend to update all the notes to provide details on each vulnerability that I found in 1.0.3 and 1.0.4 soon.

Secunia Link: Here
BugTraq Link: Here (of course they didn't provide many details here)

-Ladd

Thursday, July 23, 2009

Update 1.1 and my critical vulnerability isn't mentioned

I came back from dinner and found that WebOS 1.1 came out and behold, the potentially critical vulnerability I found may not have been fixed and not mentioned in the release notes nor was any credit given as to who found it. I am sadly disappointed and hope my new vuln works on the 1.1 WebOS release.

Instead of fixing the critical issues they may have removed the notifications that allowed it to be exploited.

PS: New crash works on 1.1 and not sure how I am going to release it.

-Ladd

Monday, July 20, 2009

Palm Pre WebOS 1.0.3+ Memory Corruption Via Long Attacker Controlled URI

So the Palm Pre WebOS 1.0.3 suffers from an overly long URL memory corruption vulnerability that causes the phone to "crash" (Denial of Service) and has the potential for arbitrary code execution. Original patch notes for the vulnerability:
Here

Clicking on a malicious URL that has a character length greater than or equal to 4063 characters causes the phone (the LunaSysMgr process) to "crash". This crash looks like a reboot however it is merely the LunaSysMgr service stopping and starting (via segfault). I did not research whether code execution was possible due to time constraints.

The attack vectors for this vulnerability/crash can be Email, AIM, SMS, or any application that will load the malicious URL when a user clicks the link.

1. Proof of concept

Create a web link such as http://www.google.com/ followed by "A" x 4040 (the total length needs to be greater than or equal to 4063 characters).

If you trust me go here: http://tinyurl.com/mbmnbh

Upon clicking this malicious link, LunaSysMgr will segfault and generate a "mini" corefile on the system. The minicore file from the crash is shown below:

"Cmd: LunaSysMgr
Pid: 1190
CrashedThread: 1545
Signal: 11
minicore2:
Process /usr/bin/LunaSysMgr (1190) received SIGSEGV(11).
Spawning gdb...
[Thread debugging using libthread_db enabled]
0x40dbf7a4 in strlen () from /lib/libc.so.6

========== STACKTRACE OUTPUT ==========

Dumping thread:
#0 0x40dbf7a4 in strlen () from /lib/libc.so.6
#1 0x48f7fffc in BrowserAdapter::msgTitleAndUrlChanged ()
from /usr/lib/BrowserPlugins/BrowserAdapter.so
#2 0x48f7db28 in BrowserClientBase::handleAsyncMessage ()"

As you can see, we made LunaSysMgr segfault and the phone "reboots" =p
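The stack trace shows the crash inside strlen() on the URL string, so the practical mitigation on the receiving side is to refuse to hand over-long links to the browser component at all. The following is an added example, not Palm's code and not part of the original post, of a link screen that a messaging client could run over inbound text before links become tappable. The 4063-character threshold is the one stated in this advisory; the URL pattern, the replacement marker and the sample message (built with 4041 "A"s so the link is exactly 4063 characters) are constructed for illustration.

```python
"""Added example (not Palm's code): defang over-long links in inbound text.

The 4063-character limit comes from the advisory above; how a client would
replace such links is an assumption made for illustration.
"""
import re

# Matches http(s) links up to whitespace or a delimiter; illustrative pattern.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
MAX_URL_LEN = 4063   # advisory: URLs of this length or longer crashed LunaSysMgr


def find_urls(text):
    """All http(s) links in a message body, in order of appearance."""
    return URL_RE.findall(text)


def screen_urls(text, limit=MAX_URL_LEN):
    """Replace links at or above `limit` characters with an inert marker.

    Returns (clean_text, rejected_urls).  The marker keeps the surrounding
    message readable while ensuring the over-long link is never passed on
    to the browser adapter.
    """
    rejected = []

    def _replace(match):
        url = match.group(0)
        if len(url) >= limit:
            rejected.append(url)
            return f"[link removed: {len(url)} characters, limit {limit}]"
        return url

    return URL_RE.sub(_replace, text), rejected


def build_sample_message():
    """Constructed sample: the advisory's PoC shape plus a benign link."""
    poc = "http://www.google.com/" + "A" * 4041      # exactly 4063 characters
    return f"check this out {poc} and also http://example.com/ok"


if __name__ == "__main__":
    clean, rejected = screen_urls(build_sample_message())
    print(clean)
    print(len(rejected), "link(s) rejected")
```

A screen like this is a stopgap for clients that cannot be patched immediately; the real fix belongs in the component that copies the URL into a bounded buffer, but refusing input above the known-bad length at the message layer is cheap and easy to test.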

The current version 1.0.4 of WebOS suffers from the same type of crash using different URL sizes. Palm is aware; when I reported them I was told they are known issues, but that I was not the first to identify them. Until they publish who did, I will not post any details (though I do have PoCs for two new crashes in 1.0.4), just wanted to say "yeah I already know about the new ones".

More Bugs to follow, just waiting on Palm and their patches =]

Thanks: Wife and daughter =p, Daniel Czarnecki, Chris Rohlf, Jeremy Rasmussen

-Ladd

Saturday, July 18, 2009

1.0.4 and SDK 1.1 New Crash

Had some time last night to play with the new SDK emulator and well I found a nice new simple way to crash the phone that affects the current 1.0.4 and the 1.1 found on the SDK emulator. Once I put together a nice new fuzzer and get some more information on it I'll talk to Palm if it is good enough. Floating point exceptions are fun.

Wonder at what point Palm will either get mad at me or ask me to help them =p. I also wonder how deep this rabbit hole is....


-Ladd

Friday, July 17, 2009

SDK and 1.1

So, if the new version of the SDK is any indication of how Palm is doing with patching my reported security issues, then we are in good shape. From preliminary testing, the original bug from 1.0.3 seems good and the two (no credit on these I guess) that I had reported in 1.0.4 also seem to be fixed. Now if I can only get Palm to be OK with letting me talk about the details of them while coordinating my disclosure with the patch release.

With all that said, nothing from my latest advisory seems fixed, though there are some minor enhancements to make spotting the issues a little easier.

-Ladd

Wednesday, July 15, 2009

One Bug to rule them All (Palm Pre is affected)

I received an email from my friend Chris Rohlf (http://em386.blogspot.com) talking about a new bug found by Thierry Zoller, and it involves pretty much most browsers. I thought, well what if the Pre is vulnerable and IT IS! After using a test script posted by the person who discovered the vulnerability (report found Here) it caused my phone to grow real sluggish and then put the Pre into a reboot loop that ultimately worked itself out. This is pretty nasty.

Hope Palm is on top of this one.

-Ladd

Friday, July 10, 2009

Palm confirms my vulnerabilities

I received an email from Palm today (from Brian) and was informed that my findings are valid and were able to be replicated. It was explained to me that Palm is actively working on patching the issues and we may see them giving out some details on the vulnerabilities soon (don't hold me or Palm to this =p ).

That said, the 3 new security issues that I just found are valid, the two new issues from 1.0.4 were valid (though I believe found by internal Palm testing so no credit on these) and my original vulnerability was also valid. To that I must say, this is exciting.

Sadly no details, I am again waiting for patches and Palm to release details on each issue at their own pace.

Palm is responding very quickly and that is great for both the security world and anyone using a Palm Pre.

-Ladd

Wednesday, July 8, 2009

I sent Palm my new vulnerability disclosure

So I finally sent out my new vulnerability disclosure to Palm today. Sadly Google mangled my email so I had to resend it in Microsoft Word format (rtf), much apologies to Palm (if they are reading) for the double send, though it's a good read. I wanted to thank Dan Czarnecki and "destinal" (from #webos-internals irc.freenode.net) for helping me validate my findings.

PS - HTML redirection can be fun

http://search.sprint.com/inquiraapp/ui.jsp?ui_mode=answer&prior_transaction_id=386761&iq_action=4&answer_id=16777217&turl=http%3A%2F%2Fimages2.fanpop.com/images/photos/4600000/smiley-face-smiley-4604940-313-317.jpg =p

Tuesday, July 7, 2009

New advisory

Hey all, sorry I have been quiet, but I have a new advisory I am trying to get out and I am on travel for the week. So check back in, in like a day and I will have more info. This will be pretty good if all my tests are true, think injection attacks :)

-Ladd

Saturday, July 4, 2009

Media Fuzzing

I started putting together some media fuzzers to test the streaming capabilities of the phone. To my surprise streaming certain types of music doesn't actually work; MP3s were tested. I tried using m3u files, embedding m3u files and really was only ever able to get one track to work at a time before the media player just stopped working. Again, since this was me and I usually miss the simple things, I asked some people in #webos-internals and they seemed to have the same issues.


So I can't test certain portions of the phone because of old vulns I have that still need to be patched and now I can't test media streaming, guess I'll move on to something else (with remote capabilities), what I am not sure at the moment.

-Ladd

Friday, July 3, 2009

4th of July and more fun =p

Last night, I decided to have an easy night and play with one of the minor (at the time) bugs I initially sent to Palm. Well after doing some fun (and stupid) things to exploit it, I had to re-flash my phone and manually edit some files to get my phone back up to speed. So roughly an hour+ later and help from my friends in #webos-internals (special thanks to mdklein) I was able to get my phone back to normal.

What would be really nice is if Palm sent me an SDK (I did sign up) so I don't keep breaking my phone =]

This sounds more scary than it is since I'm not allowed to provide details, but messing with contact lists can get hairy if you consider the threat from vCards and various other contact sources that Palm's WebOS doesn't ASK you about before adding them to your phone. WebOS just downloads all your contacts from say Exchange, Gmail, whatever and adds them to your phone.

Special Thanks to Dan Czarnecki (coworker at Sypris Electronics and whom I found the first bug with in the room =p) who thought of vcards =p as a medium of transport.

I am going to send an update to Palm today and let them know the findings and again SADLY wait to report it, because I was specifically asked to wait until it was fixed to release information.

Tricking users into accepting bad vcards or other contact information links and the like is always a fun day =)

Happy start to your weekend =]

-Ladd

Wednesday, July 1, 2009

Palm Contacts Me

So, Palm contacted me back and informed me that the two vulnerabilities I had found were "known issues" and already fixed in an/the upcoming patch. What is interesting about this is I only reported one bug to Palm and I received an email stating that "these" were already fixed, so I guess he read my blog update last night when I first reported two new bugs =p, Hi Brian!!. Just to clarify, I will not usually quote email traffic/dialog on vulnerabilities I have, but that was interesting.

I must say, that I had spent 1 hour (since the update crashed my Pre) the night 1.0.4 WebOS update was released and figured out that a new bug existed. I then reported the new bug to palm the next day after lunch (EST). I then spent 2-3 hours last night deciphering what the bug meant and narrowing its scope enough to provide a very accurate way to reproduce it. So I guess I was surprised to be told that it had already been fixed.

Upon further review last night, it seems my original bug was not "completely" fixed and I will not be able to release any information on it as it directly relates to the new bugs that I reported. Since Palm is fixing my new bugs (no credit on these) in an upcoming release I will hold off information on them as well.

Back to Fuzzing =p

-Ladd

Tuesday, June 30, 2009

New Bug isolated

So after a long time fuzzing to figure out the new bug, turns out it's two new bugs =p (probably from the same code though). I am still waiting for Palm to get back to me on the new one, but I suspect they will want to fix this =]

-Ladd

Palm Patched my vulnerability in WebOS

Palm recently put out a new patch that addresses a vulnerability that I had discovered back on June 17th 2009 in the new WebOS for the Palm Pre. In my first disclosure to them, I included one critical issue and 2 minor issues.

After some quick testing last night, the critical issue was fixed, however I have a potential new one that I will be sending to them today once confirmed.

The Patch notice: (My name is halfway down under 1.0.4)
Palm Patch Notes

To show Palm's commitment to security, I wanted to show you the time line of events surrounding my disclosure and the rapid response.

6-16-2009 Critical Vulnerability discovered and validated
6-17-2009 Palm contacted to setup meeting/discussion
6-18-2009 New minor vulnerabilities found
6-21-2009 Palm contacts me, I send full disclosure to them
6-23-2009 Brian Hernacki contacts me, verifies the critical issue and states it will be patched
6-29-2009 Vulnerability is patched

I have not included any specific details on the matter from WebOS 1.0.3 as I have been asked to wait until more people are completely patched.

That being said, when given the green light, I will provide more details on the matter.



-Ladd

About Me

Who:

My name is Townsend Ladd Harris and this blog will be dedicated to all my security related work. Ultimately I am doing this because my friends Chris Rohlf (http://em386.blogspot.com) and DanCzar keep nagging me to talk about my findings somewhere =p. I am currently employed at Sypris Electronics in Tampa.

What:

Currently the main focus of my research has been working on the new Palm phone that recently came out, which I will post on in a few.

If anyone wants to find me, I am usually in the #webos-internals IRC channel on freenode working with the rest of the Palm Pre homebrew community. I recommend checking out http://predev.wikidot.com and http://www.precentral.net/ if you want to help as well.