[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Palm Pre WebOS 1.0.4 Remote execution of arbitrary HTML code vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Palm Pre WebOS 1.0.4 Remote execution of arbitrary HTML code vulnerability
From: palmprehacker@xxxxxxxxx
Date: Mon, 3 Aug 2009 21:06:32 -0600

I. Description

The Palm Pre WebOS version 1.0.4 and below allows a remote attacker to execute 
arbitrary HTML code on the phone via certain applications. The affected 
applications involve the native email client via the notifications system as 
well as the native calendar application.

The vendor has been contacted and a patch has been released:

WebOS 1.1 - 
http://kb.palm.com/wps/portal/kb/na/pre/p100eww/sprint/solutions/article/50607_en.html#11

II. Impact

Email Notification System:

A remote attacker is able to construct a malicious email that will cause the 
Palm Pre WebOS to execute arbitrary HTML code if the notification system is 
enabled.  Upon receiving a malicious email where the FROM field contains HTML 
code, the Palm Pre WebOS will issue a user a notification that an email has 
arrived and execute the HTML code of the attacker?s choice.  This vulnerability 
does not require user interaction.

Calendar Application:

A remote attacker can create a malicious calendar event putting arbitrary HTML 
code inside the event/title field that can be executed without user 
interaction.  To trigger this vulnerability, any of the following conditions 
can occur:

1.  The victim Views the Calendar event and the malicious HTML will be executed.
2.  The victim enables a reminder notice for the malicious calendar event, upon 
being notified of the reminder, the
     malicious HTML code will be executed.
3.  The calendar event triggers and the malicious HTML code will be executed.

In cases where calendar events can be sent to users without 
interaction/acceptance, the risk of this vulnerability is higher.

III. Proof of Concept

The following HTML code can be used to provide a proof of concept for each of 
the vulnerabilities listed in this advisory:

"Test <META http-equiv="refresh" content="1;URL=http://www.google.com";>"

IV. About

This vulnerability was discovered by Townsend Ladd Harris 
PalmPreHacker[at]gmail.com

Details of this vulnerability can be found at: 
http://tlhsecurity.blogspot.com/2009/08/palm-pre-webos-104-remote-execution-of.html

Prev by Date: SAP Business One 2005 Remote Buffer Overflow Vulnerability.
Next by Date: [BONSAI] SQL Injection in CS-Cart
Previous by thread: SAP Business One 2005 Remote Buffer Overflow Vulnerability.
Next by thread: [BONSAI] SQL Injection in CS-Cart
Index(es):
- Date
- Thread