Thursday, August 27, 2009

No update for WebOS yet.

I really thought today would bring the new update for Palm's WebOS, but it does not seem so. It is still early; however, since Canada's Bell Pre is running WebOS version 1.1, I am skeptical of a new update today (though we did get an update the day the phone was released on Sprint).

As a side note, I had a chance to meet a gentleman named Chris Clark (from http://www.isecpartners.com/) who is also doing some Palm Pre research. Very nice guy with some very interesting knowledge of the phone already. Hoping at some point we can team up on some work in the area. Thanks for the conversation Chris!

Ever vigilant for a new release...


-Ladd

Sunday, August 23, 2009

SMS injection

I can now inject arbitrary data into SMS fields that cause some fun rendering issues when viewing them, however nothing that is extremely exciting. I need to take a step back and see how I can interact with Mojo from an app standpoint and will continue to tear apart WebOS now that some of the low hanging fruit has been released. Be patient though, a very exciting vulnerability disclosure may get released by me, hopefully the patch is going to get released this week (rumor only).

I currently have two vulns for WebOS versions 1.1 and lower that have yet to be published, and I have created a movie demonstrating each of them. They will be released whenever Palm puts out the patch. Palm is very odd in not letting me know when the patch is going to be released so I can put out my advisories.....

-Ladd

Wednesday, August 19, 2009

Vacation+

Sorry for not posting, been on vacation in New Jersey. I have been working on a slightly bleh SMS bug for the Pre, nothing to write home about yet. Spoke with Palm about releasing my exploit video and it was explained to me that it would be best to wait till it is patched, though a date was not given as to when it will be patched.

On a side note, I will be speaking at the Sandia Malware conference on September 21-25th on the Palm Pre and it should be fun =p

Going to get back into research this week, maybe we can find something new.

-Ladd

Tuesday, August 11, 2009

Do you have an LG ENV 2 Cell phone? Hope Not

I was trying to play a prank on my buddy Chris Sandulow using my new SMS spoofer and instead of playing a funny joke I actually crashed his phone. If you own an LG ENV 2 on Verizon and someone sends you a specially crafted HTML encoded email to a specific email2SMS gateway, your phone will crash without any interaction from you =p Having said that, if your phone is plugged in at the time you receive the SMS, it will turn it off.

Thanks Chris for being a guinea pig =p

I am holding back a little key to all of this, but not much :-)

If you ever have any interest in my research contact me at PalmPreHacker [at ]gmail.com

Sunday, August 9, 2009

Talked to Palm

I spoke to Palm's security WebOS big guy and was told that the two vulnerabilities, a DoS based on the browser and a pretty big one that lets me have access to things I shouldn't from remote, were both confirmed. I am told the latter has mitigating factors, but I really have not seen any. I have asked them a few questions on mitigating factors, I just have not received an answer back. Palm's security guy is very responsive and great to deal with so I am sure he will let me know.


As a side note, I started playing with SMS and found a nice "feature" using common email2SMS gateways that allows me to send text messages anonymously, through code, so that the receivers do not know where it came from (namely FROM email addresses). This isn't huge, but it can be fun to play with your friends =p

-Ladd

Thursday, August 6, 2009

Secunia updates, well sort of

So I was wondering when Secunia was going to update and show my new vulnerability so I went looking on the site. Turns out they did not give me a new advisory for a completely different vulnerability and instead merged it into the old one I posted. I am disappointed in that :(

Link is here: Secunia

Securityfocus.com (Bugtraq) did not even let it hit the vulnerabilities list, ignored the 2nd vulnerability in the disclosure, now this....

Not feeling the love.

-Ladd

Tuesday, August 4, 2009

Bugtraq Posts Advisory

Bugtraq posted my advisory today. You can check it out here: http://www.securityfocus.com/bid/35932/info, odd they didn't include the calendar bugs....

-Ladd

Monday, August 3, 2009

Palm Pre WebOS 1.0.4 Remote execution of arbitrary HTML code vulnerability

Back from Defcon and I submitted this vulnerability to the usual lists. Enjoy, I have more =p

I. Description

The Palm Pre WebOS version 1.0.4 (previous versions as well) allows a remote attacker to execute arbitrary HTML code on the phone via certain applications. The affected applications are the native email application, via the notifications system, and the native calendar application.

The vendor has been contacted and a patch has been released:

WebOS 1.1 - Here

II. Impact

Email Notification System:

A remote attacker is able to construct a malicious email that will cause the Palm Pre WebOS to execute arbitrary HTML code if the notification system is enabled. Upon receiving a malicious email where the FROM field contains HTML code, the Palm Pre WebOS will issue the user a notification that an email has arrived and execute the HTML code of the attacker’s choice. This vulnerability does not require user interaction.

Calendar Application:

A remote attacker can create a malicious calendar event putting arbitrary HTML code inside the event/title field that can be executed without user interaction. To trigger this vulnerability, one of the following conditions must occur:

1. The victim views the calendar event and the malicious HTML will be executed.
2. The victim enables a reminder notice for the malicious calendar event; upon being notified of the reminder, the malicious HTML code will be executed.
3. The calendar event triggers and the malicious HTML code will be executed.

In cases where calendar events can be sent to users without interaction/acceptance, the risk of this vulnerability is higher.

III. Proof of Concept

The following HTML code can be used to provide a proof of concept for each of the vulnerabilities listed in this advisory:

"Test <META http-equiv="refresh" content="1;URL=http://www.google.com">"
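The class of bug described above, shown as an added example that is not Palm's code or part of the original advisory: a hypothetical notification renderer that concatenates the FROM field (or a calendar title) into markup, next to a version that encodes it on output. The function names and the notification template are assumptions made for illustration.

```javascript
// Added example: hypothetical notification renderer, not WebOS source code.
// Constructed sample: the advisory's proof-of-concept string used as a FROM display name.
const POC_FROM = 'Test <META http-equiv="refresh" content="1;URL=http://www.google.com">';

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can open a tag, an attribute value or an entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the sender-controlled field is concatenated into markup.
function renderNotificationUnsafe(from, subject) {
  return '<div class="notification"><b>' + from + '</b> ' + subject + '</div>';
}

// Hardened pattern: every untrusted field is encoded at the point of output.
function renderNotificationSafe(from, subject) {
  return '<div class="notification"><b>' + escapeHtml(from) + '</b> ' +
         escapeHtml(subject) + '</div>';
}

// Triage helper for a display name or event title (not a full address such as
// "<user@example.com>"): true if an HTML parser would see a tag in it.
function containsMarkup(value) {
  return /<\s*\/?\s*[a-zA-Z!][^>]*>/.test(String(value));
}

function demo() {
  const unsafe = renderNotificationUnsafe(POC_FROM, 'hello');
  const safe = renderNotificationSafe(POC_FROM, 'hello');
  return {
    unsafeHasLiveTag: /<meta\b/i.test(unsafe), // tag survives into the rendered markup
    safeHasLiveTag: /<meta\b/i.test(safe),     // tag is inert text after encoding
    flagged: containsMarkup(POC_FROM),
    benignFlagged: containsMarkup('Alice Example'),
    safe,
  };
}

console.log(demo());
```

The same output encoding applies to the calendar event title in each of the three trigger paths listed under Impact, since all of them render the same sender-controlled string.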

Thanks: My Wife and daughter (gave time to work =] ), Dan Czarnecki, Chris Rohlf, Jeremy Rasmussen

Saturday, August 1, 2009

Defcon

At Defcon having a great time, seeing some nice talks on mobile devices and wish I could have presented. Palm responded rapidly confirming my latest issue that pretty much is a game over vuln =p. They are working on the total impact though....

-Ladd