Wednesday, July 29, 2009

WebOS 1.1 Vulnerability disclosure sent to Palm/ Off to Defcon!

I discovered what I believe to be a critical issue affecting WebOS 1.1 of the phone and submitted it to Palm. I have already received a response that it is being looked into, so hang on to your seats...

PS: I gave Palm a POC that would involve connecting back to my personal site and, lo and behold, someone from Palm.com attempted to use my "toys" that would be accessible using the POC I gave them =p. Guess they are confirming it....

See you all at Defcon =p

-Ladd

Palm Sends me cool stuff and I have a potentially dangerous vulnerability

Palm sent me a Touchstone and a shirt for the work I have been doing; it was nice of them. I have also found a new critical vulnerability. I will notify Palm, and I already have a nice proof of concept exploit for it =]. This new vuln affects WebOS 1.1.

FYI, they have received my previous DoS disclosure for 1.1 and I was told it looked "legit", but no final confirmation yet.

Sorry for not posting lately, work plus family, plus research has kept me busy. Defcon, here I come!!!

-Ladd

Saturday, July 25, 2009

Got my sendmail server up and New BUG!

Finally got my sendmail server up, started fuzzing the email client and found some very interesting things we can do with the Palm Pre. My friend Destinal (@ from #webos-internals crew on IRC freenode) is working with me to come up with some nifty attack vectors so we could have some cool stuff. Maybe in time for Defcon =p

Thanks to Jeremy Rasmussen for validating one of the attacks and letting me beat up his Pre for a little...

-Ladd

Friday, July 24, 2009

Palm Updates 1.1/1.04 Release Notes and New vuln sent to Palm

Palm emailed me today to let me know that they have updated the release notes for 1.0.4 to include vulnerability details. They also updated the 1.1 notes to give credit to me for my discoveries =p

Link is here: Here

I also sent in a new advisory to Palm for a bug that will crash the phone and affects version 1.1 of WebOS :)

You may see vulnerability details on the issues found in 1.0.4 before Defcon o.0

-Ladd

Bugtraq and Secunia Finally Posted

Bugtraq finally posted my 1.0.3 issues and Secunia has contacted Palm to obtain more information, so great. I am currently writing up a new DoS for Palm WebOS 1.1 that is nifty/simple and will be submitting it to them today.

After speaking with Palm they intend to update all the notes to provide details on each vulnerability that I found in 1.0.3 and 1.0.4 soon.

Secunia Link: Here
BugTraq Link: Here (of course they didn't provide many details here)

-Ladd

Thursday, July 23, 2009

Update 1.1 and my critical vulnerability isn't mentioned

I came back from dinner and found that WebOS 1.1 came out and, behold, the potentially critical vulnerability I found may not have been fixed, was not mentioned in the release notes, and no credit was given as to who found it. I am sadly disappointed and hope my new vuln works on the 1.1 WebOS release.

Instead of fixing the critical issues they may have removed the notifications that allowed it to be exploited.

PS: New crash works on 1.1 and not sure how I am going to release it.

-Ladd

Monday, July 20, 2009

Palm Pre WebOS 1.0.3+ Memory Corruption Via Long Attacker Controlled URI

So Palm Pre WebOS 1.0.3 suffers from an overly long URL memory corruption vulnerability that causes the phone to "crash" (denial of service) and has the potential for arbitrary code execution. Original patch notes for the vulnerability:
Here

Clicking on a malicious URL that has a character length greater than or equal to 4063 characters causes the phone (the LunaSysMgr process) to "crash". This crash looks like a reboot however it is merely the LunaSysMgr service stopping and starting (via segfault). I did not research whether code execution was possible due to time constraints.

The attack vectors of this vulnerability/Crash can be via Email, AIM, SMS, or any application that when a user clicks the link will load the malicious URL.

1. Proof of concept

Create a web link of, say, http://www.google.com/ . "A" x 4040 (the total length needs to be equal to or greater than 4063 characters).

If you trust me go here: http://tinyurl.com/mbmnbh

Upon clicking this malicious link, LunaSysMgr will segfault and generate a "mini" corefile on the system. The minicore file from the crash is shown below:

"Cmd: LunaSysMgr
Pid: 1190
CrashedThread: 1545
Signal: 11
minicore2:
Process /usr/bin/LunaSysMgr (1190) received SIGSEGV(11).
Spawning gdb...
[Thread debugging using libthread_db enabled]
0x40dbf7a4 in strlen () from /lib/libc.so.6

========== STACKTRACE OUTPUT ==========

Dumping thread:
#0 0x40dbf7a4 in strlen () from /lib/libc.so.6
#1 0x48f7fffc in BrowserAdapter::msgTitleAndUrlChanged ()
from /usr/lib/BrowserPlugins/BrowserAdapter.so
#2 0x48f7db28 in BrowserClientBase::handleAsyncMessage ()"

As you can see, we made LunaSysMgr segfault and the phone "reboots" =p
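Two things a defender would want from the post above are a way to keep oversize links from ever reaching the browser adapter, and a way to triage the minicore dumps such a crash leaves behind. The script below is an added example, not code from the original post or from Palm: it scans a message body (email, SMS, AIM) for URLs whose raw length reaches the 4063-character threshold the post reports, provides a gate a link handler could apply before opening a URL, and parses a minicore dump into command, pid, signal and frames so crashes can be bucketed by the first non-libc frame. The URL extractor is a constructed heuristic; the sample messages are constructed, and the sample dump is the one quoted in the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Threshold quoted in the post: a URL of 4063 or more characters makes
# LunaSysMgr segfault in strlen() on WebOS 1.0.3.
LUNASYSMGR_URL_CRASH_LENGTH = 4063

# Assumption: links in an email/SMS/AIM body are delimited by whitespace,
# quotes or angle brackets. Constructed heuristic, not WebOS code.
_URL_RE = re.compile(r'https?://[^\s<>"]+')


@dataclass
class LinkFinding:
    preview: str      # first 60 characters, enough to log without spamming
    length: int       # raw length, i.e. what strlen() sees
    dangerous: bool   # True when length >= threshold


def scan_message_for_long_urls(body: str,
                               threshold: int = LUNASYSMGR_URL_CRASH_LENGTH) -> List[LinkFinding]:
    """One finding per URL in the body; oversize URLs are flagged."""
    return [
        LinkFinding(m.group(0)[:60], len(m.group(0)), len(m.group(0)) >= threshold)
        for m in _URL_RE.finditer(body)
    ]


def safe_to_open(url: str, threshold: int = LUNASYSMGR_URL_CRASH_LENGTH) -> bool:
    """Gate for a link handler: refuse (rather than truncate) anything at or
    above the crash length so the browser adapter never sees it."""
    return len(url) < threshold


# Minicore triage: the header fields and the gdb frames. A frame's
# "from <lib>" suffix is optional because gdb wraps long frames onto the
# next line (frame #1 in the post's dump).
_HEADER_RE = re.compile(r'^(Cmd|Pid|Signal):\s*(\S+)', re.MULTILINE)
_FRAME_RE = re.compile(r'^#(\d+)\s+(0x[0-9a-fA-F]+) in (\S+) \(\)(?: from (\S+))?',
                       re.MULTILINE)


def summarize_minicore(text: str) -> Dict[str, object]:
    """Extract cmd, pid, signal and frames; bucket on the first frame that
    is not in libc, which is where the faulting caller lives."""
    headers = dict(_HEADER_RE.findall(text))
    frames = [(int(n), addr, func, lib or None)
              for n, addr, func, lib in _FRAME_RE.findall(text)]
    bucket = next((func for _, _, func, lib in frames
                   if not (lib and "libc.so" in lib)), None)
    return {
        "cmd": headers.get("Cmd"),
        "pid": int(headers["Pid"]) if "Pid" in headers else None,
        "signal": int(headers["Signal"]) if "Signal" in headers else None,
        "frames": frames,
        "bucket": bucket,
    }


# Constructed sample messages (not from the original post).
BENIGN_MESSAGE = "Meeting notes are at http://www.example.com/notes today."
LONG_URL = "http://www.example.com/" + "A" * 4040   # 23 + 4040 = 4063 chars
CRASH_MESSAGE = "Check this out: " + LONG_URL + " =p"

# The minicore dump as quoted in the post.
MINICORE_FROM_POST = """\
Cmd: LunaSysMgr
Pid: 1190
CrashedThread: 1545
Signal: 11
minicore2:
Process /usr/bin/LunaSysMgr (1190) received SIGSEGV(11).
Spawning gdb...
[Thread debugging using libthread_db enabled]
0x40dbf7a4 in strlen () from /lib/libc.so.6

========== STACKTRACE OUTPUT ==========

Dumping thread:
#0 0x40dbf7a4 in strlen () from /lib/libc.so.6
#1 0x48f7fffc in BrowserAdapter::msgTitleAndUrlChanged ()
from /usr/lib/BrowserPlugins/BrowserAdapter.so
#2 0x48f7db28 in BrowserClientBase::handleAsyncMessage ()
"""


if __name__ == "__main__":
    for msg in (BENIGN_MESSAGE, CRASH_MESSAGE):
        for f in scan_message_for_long_urls(msg):
            print(f"{'BLOCK' if f.dangerous else 'ok   '} len={f.length} {f.preview}")
    print(summarize_minicore(MINICORE_FROM_POST)["bucket"])
```

The gate refuses instead of truncating on purpose: a truncated URL still gets opened, and silently changing what the user clicked is its own problem. Bucketing on the first non-libc frame groups every long-URL crash under BrowserAdapter::msgTitleAndUrlChanged, which is the caller that handed strlen() a bad pointer.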

The current version 1.0.4 of WebOS suffers from the same type of crash using different URL sizes. Palm is aware, and when I reported them I was told they are known issues, but that I was not the one who identified them first. Until they publish who did, I will not post any details (though I do have PoCs for two new crashes in 1.0.4); I just wanted to say "yeah, I already know about the new ones".

More Bugs to follow, just waiting on Palm and their patches =]

Thanks: Wife and daughter =p, Daniel Czarnecki, Chris Rohlf, Jeremy Rasmussen

-Ladd

Saturday, July 18, 2009

1.0.4 and SDK 1.1 New Crash

Had some time last night to play with the new SDK emulator and, well, I found a nice new simple way to crash the phone that affects the current 1.0.4 and the 1.1 found on the SDK emulator. Once I put together a nice new fuzzer and get some more information on it, I'll talk to Palm if it is good enough. Floating point exceptions are fun.

Wonder at what point Palm will either get mad at me or ask me to help them =p. I also wonder how deep this rabbit hole is....


-Ladd

Friday, July 17, 2009

SDK and 1.1

So, if the new version of the SDK is any indication of how Palm is doing with patching my reported security issues, then we are in good shape. From preliminary testing, the original bug from 1.0.3 seems good and the two (no credit on these, I guess) that I had reported in 1.0.4 also seem to be fixed. Now if I can only get Palm to be OK with letting me talk about the details of them while coordinating my disclosure with the patch release.

With all that said, nothing from my latest advisory seems fixed, though there are some minor enhancements to make spotting the issues a little easier.

-Ladd

Wednesday, July 15, 2009

One Bug to rule them All (Palm Pre is affected)

I received an email from my friend Chris Rohlf (http://em386.blogspot.com) talking about a new bug found by Thierry Zoller that involves pretty much most browsers. I thought, well, what if the Pre is vulnerable, and IT IS! After using a test script posted by the person who discovered the vulnerability (report found Here), it caused my phone to grow real sluggish and then put the Pre into a reboot loop that ultimately worked itself out. This is pretty nasty.

Hope Palm is on top of this one.

-Ladd

Friday, July 10, 2009

Palm confirms my vulnerabilities

I received an email from Palm today (from Brian) and was informed that my findings are valid and were able to be replicated. It was explained to me that Palm is actively working on patching the issues and we may see them giving out some details on the vulnerabilities soon (don't hold me or Palm to this =p ).

That said, the 3 new security issues that I just found are valid, the two new issues from 1.0.4 were valid (though I believe found by internal Palm testing, so no credit on these) and my original vulnerability was also valid. To that I must say, this is exciting.

Sadly no details, I am again waiting for patches and Palm to release details on each issue at their own pace.

Palm is responding very quickly and that is great for both the security world and anyone using a Palm Pre.

-Ladd

Wednesday, July 8, 2009

I sent Palm my new vulnerability disclosure

So I finally sent out my new vulnerability disclosure to Palm today. Sadly, Google mangled my email so I had to resend it in Microsoft Word format (RTF); much apologies to Palm (if they are reading) for the double send, though it's a good read. I wanted to thank Dan Czarnecki and "destinal" (from #webos-internals on irc.freenode.net) for helping me validate my findings.

PS - HTML redirection can be fun

http://search.sprint.com/inquiraapp/ui.jsp?ui_mode=answer&prior_transaction_id=386761&iq_action=4&answer_id=16777217&turl=http%3A%2F%2Fimages2.fanpop.com/images/photos/4600000/smiley-face-smiley-4604940-313-317.jpg =p

Tuesday, July 7, 2009

New advisory

Hey all, sorry I have been quiet, but I have a new advisory I am trying to get out and I am on travel for the week. So check back in, in like a day, and I will have more info. This will be pretty good if all my tests are true; think injection attacks :)

-Ladd

Saturday, July 4, 2009

Media Fuzzing

I started putting together some media fuzzers to test the streaming capabilities of the phone. To my surprise, streaming certain types of music doesn't actually work; MP3s tested. I tried using m3u files, embedding m3u files, and really was only ever able to get one track to work at a time before the media player just stopped working. Again, since this was me and I usually miss the simple things, I asked some people in #webos-internals and they seemed to have the same issues.


So I can't test certain portions of the phone because of old vulns I have that still need to be patched, and now I can't test media streaming. Guess I'll move on to something else (with remote capabilities); what, I am not sure at the moment.

-Ladd

Friday, July 3, 2009

4th of July and more fun =p

Last night, I decided to have an easy night and play with one of the minor (at the time) bugs I initially sent to Palm. Well, after doing some fun things (and stupid) to exploit it, I had to re-flash my phone and manually edit some files to get my phone back up to speed. So roughly an hour+ later, and with help from my friends in #webos-internals (special thanks to mdklein), I was able to get my phone back to normal.

What would be really nice is if Palm sent me an SDK (I did sign up) so I don't keep breaking my phone =]

This sounds more scary than it is since I'm not allowed to provide details, but messing with contact lists can get hairy if you consider the threats from vcards and various other contact lists that Palm's WebOS doesn't ASK you about before adding them to your phone. WebOS just downloads all your contacts from, say, Exchange, Gmail, whatever, and adds them to your phone.

Special thanks to Dan Czarnecki (coworker at Sypris Electronics, with whom I found the first bug in the room =p) who thought of vcards =p as a medium of transport.

I am going to send an update to Palm today and let them know the findings and again SADLY wait to report it, because I was specifically asked to wait until it was fixed to release information.

Tricking users into accepting bad vcards or other contact information links and the like is always a fun day =)

Happy start to your weekend =]

-Ladd

Wednesday, July 1, 2009

Palm Contacts Me

So, Palm contacted me back and informed me that the two vulnerabilities I had found were "known issues" and already fixed in an/the upcoming patch. What is interesting about this is I only reported one bug to Palm and I received an email stating that "these" were already fixed, so I guess he read my blog update last night when I first reported two new bugs =p. Hi Brian!! Just to clarify, I will not usually quote email traffic/dialog on vulnerabilities I have, but that was interesting.

I must say that I had spent 1 hour (since the update crashed my Pre) the night the 1.0.4 WebOS update was released and figured out that a new bug existed. I then reported the new bug to Palm the next day after lunch (EST). I then spent 2-3 hours last night deciphering what the bug meant and narrowing its scope enough to provide a very accurate way to reproduce it. So I guess I was surprised to be told that it had already been fixed.

Upon further review last night, it seems my original bug was not "completely" fixed and I will not be able to release any information on it as it directly relates to the new bugs that I reported. Since Palm is fixing my new bugs (no credit on these) in an upcoming release I will hold off information on them as well.

Back to Fuzzing =p

-Ladd