SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
Category:   OS (Other)  >  Palm webOS
Vendors:   Palm, Inc.
Palm webOS E-mail Notification and Calendar Event Filtering Flaws Let Remote Users Execute Arbitrary HTML Code
SecurityTracker Alert ID:  1022654
SecurityTracker URL:  http://securitytracker.com/id/1022654
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 4 2009
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 1.0.4 and prior versions
Description:   A vulnerability was reported in Palm webOS. A remote user can cause arbitrary HTML code to be executed on the target user's system.

A remote user can create a specially crafted e-mail message that, when received by the target user, will execute arbitrary HTML code on the target system if the notification system is enabled.

A remote user can create a calendar event with a specially crafted event/title value. When the target user views the event or receives a reminder notice for the event or when the event occurs, arbitrary HTML code will be executed.

A demonstration exploit is provided:

"Test <META http-equiv="refresh" content="1;URL=http://www.google.com">"
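The defect described above is a notification and calendar UI rendering network-supplied strings (an e-mail From field, an event title) as HTML. The following added example (not Palm's code or the advisory's) shows the rendering step done both ways, using the advisory's proof-of-concept string as constructed sample input; the function and variable names are assumptions.

```javascript
// Added example: treat untrusted header/title fields as text, not markup.
// Entity forms for the five characters that can open a tag, an entity or
// an attribute boundary.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape an untrusted string before it is placed in an HTML text node or a
// quoted attribute value.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (the behaviour the advisory describes): the sender
// string is concatenated into the notification markup unchanged, so a META
// refresh or any other tag in it is interpreted when the notification shows.
function renderUnsafe(sender) {
  return '<div class="notification">New mail from: ' + sender + '</div>';
}

// Hardened pattern: the template is fixed, the untrusted part is escaped.
// (Assigning the value via textContent instead of innerHTML is equivalent.)
function renderMailNotification(sender) {
  return '<div class="notification">New mail from: ' + escapeHtml(sender) + '</div>';
}

// Detection aid for logging: a display name or event title has no legitimate
// reason to carry a tag, so the presence of one is worth recording.
const MARKUP_PATTERN = /<\s*\/?\s*[a-z][^>]*>/i;
function containsMarkup(value) {
  return MARKUP_PATTERN.test(String(value));
}

// Constructed sample: the advisory's proof-of-concept string as it would
// arrive in a From header or an event title.
const POC_TITLE = 'Test <META http-equiv="refresh" content="1;URL=http://www.google.com">';

console.log(renderUnsafe(POC_TITLE));            // tag survives intact
console.log(renderMailNotification(POC_TITLE));  // tag rendered as literal text
console.log(containsMarkup(POC_TITLE));          // true
```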

The original advisory is available at:

http://tlhsecurity.blogspot.com/2009/08/palm-pre-webos-104-remote-execution-of.html

Townsend Ladd Harris reported this vulnerability.

Impact:   A remote user can create an e-mail or event that, when processed by the target user, will execute arbitrary code on the target user's system.
Solution:   The vendor has issued a fix (1.1.0).

The vendor's advisory is available at:

http://kb.palm.com/wps/portal/kb/na/pre/p100eww/sprint/solutions/article/50607_en.html#11

Vendor URL:  www.palm.com/
Cause:   Access control error
Underlying OS:  

Message History:   None.


Source Message Contents

Date:  Mon, 3 Aug 2009 21:06:32 -0600
Subject:  Palm Pre WebOS 1.0.4 Remote execution of arbitrary HTML code

I. Description

The Palm Pre WebOS version 1.0.4 and below allows a remote attacker to execute arbitrary HTML code on the phone via certain applications. The affected applications involve the native email client via the notifications system as well as the native calendar application.

The vendor has been contacted and a patch has been released:

WebOS 1.1 - http://kb.palm.com/wps/portal/kb/na/pre/p100eww/sprint/solutions/article/50607_en.html#11

II. Impact

Email Notification System:

A remote attacker is able to construct a malicious email that will cause the Palm Pre WebOS to execute arbitrary HTML code if the notification system is enabled. Upon receiving a malicious email where the FROM field contains HTML code, the Palm Pre WebOS will issue the user a notification that an email has arrived and execute the HTML code of the attacker's choice. This vulnerability does not require user interaction.

Calendar Application:

A remote attacker can create a malicious calendar event, putting arbitrary HTML code inside the event/title field, that can be executed without user interaction. To trigger this vulnerability, any of the following conditions can occur:

1.  The victim views the calendar event and the malicious HTML will be executed.
2.  The victim enables a reminder notice for the malicious calendar event; upon being notified of the reminder, the malicious HTML code will be executed.
3.  The calendar event triggers and the malicious HTML code will be executed.

In cases where calendar events can be sent to users without interaction/acceptance, the risk of this vulnerability is higher.

III. Proof of Concept

The following HTML code can be used to provide a proof of concept for each of the vulnerabilities listed in this advisory:

"Test <META http-equiv="refresh" content="1;URL=http://www.google.com">"

IV. About

This vulnerability was discovered by Townsend Ladd Harris PalmPreHacker[at]gmail.com

Details of this vulnerability can be found at: http://tlhsecurity.blogspot.com/2009/08/palm-pre-webos-104-remote-execution-of.html

Copyright 2012, SecurityGlobal.net LLC