Categories: SecurityWorkspace

Researchers Uncover Palm webOS Security Bugs

Security researchers have uncovered critical flaws in webOS, including a cross-site scripting issue that could be used to gain remote control of devices and possibly build a botnet.

WebOS is the operating system used in Palm smartphones. The issues were uncovered by Orlando Barrera and Daniel Herrera of SecTheory, who discovered a total of three unique flaws – a floating-point overflow issue, a denial of service bug and the cross-site scripting vulnerability. The researchers presented their findings on Wednesday at the Austin Hacker Association meeting in Texas.

Cross-site scripting issue

According to Barrera, the vulnerabilities can be used by an attacker in a number of ways to threaten security.

“For example utilising the cross-site scripting issue we are able to conduct the following attacks: remote command and control, by using JavaScript to dynamically modify the user experience an attacker is able to control aspects of the device over time,” he said. “This in essence is the foundation of a botnet, (and) with time and effort I believe it is feasible for an attacker to complete a functional command and control program for this device.”

In addition, the researchers were able to use XML HTTP Requests to access the local file system via “localhost”. Due to the access permissions associated to the web user, the researchers were able to read the local database file, Barrera said.

“This allowed us to exfiltrate sensitive user data stored within the database to a remote server under our control,” he added. “This database includes contact information, usernames, password hashes, and unencrypted communications like SMS and email.”

The specific cross-site scripting injection flaw used by the duo to demonstrate the attacks was fixed by Palm as of the webOS 2.0 beta. However, webOS 2.0 remains susceptible to the floating-point overflow and denial of service issues, Barrera said.

Injection attacks

“Once we understood the design it was just a matter of identifying applications where: user-supplied content is visually presented to the user, and ideally from a remote source,” Herrera said. “The ‘Sync’ feature of the default “Contacts” application had both desired attributes allowing us to create and demonstrate the impact of these types of injection attacks against the webOS platform.”

The researchers conducted their work on webOS version 1.4.x and the webOS 2.0 beta platforms developed by Palm. This is not the first time the security community has poked around on Palm devices. Earlier this year for example, the Intrepidus Group detailed a vulnerability impacting webOS’ SMS client.

“The user experience in webOS is constructed similar to a web application: mark-up rendering (HTML/CSS) is used for the visual elements, JavaScript is used for dynamic updating/modification, and system commands are communicated via HTTP locally,” Herrera added. “This design leaves the webOS susceptible to attacks similar to Cross-site Scripting. If user-supplied content is not properly sanitised prior to it being included within the user interface, conditions are created where this content can execute commands against the system and modify the user experience.”

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Share
Published by
Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago