Palm Pre WebOS <=1.1 Remote File Access Vulnerability
2009-10-06T00:00:00
ID SECURITYVULNS:DOC:22561 Type securityvulns Reporter Securityvulns Modified 2009-10-06T00:00:00
Description
I. Description
The Palm Pre WebOS <=1.1 is vulnerable to a JavaScript injection attack that allows an attacker to access any file on
the mobile device.
Palm has patched this vulnerability, and all users are advised to upgrade to WebOS version 1.2+.
Palm WebOS 1.2 patch information can be found here:
http://kb.palm.com/wps/portal/kb/na/pre/p100eww/sprint/solutions/article/50607_en.html#12
II. Impact
A specially crafted email can access any file on a Palm Pre WebOS version <=1.1 mobile device and send it to a web site
of the attacker's choice. The only user action required is viewing the email.
III. Details
The Palm Pre WebOS 1.1 and lower will parse and execute JavaScript contained in an email it receives. Exploiting this
vulnerability allows an attacker to read/extract any file and post it to a remote website the attacker controls.
One particular file of interest is the "PalmDatabase.db3" file. Having this database file will give an attacker emails,
email addresses, and contact list information including names, phone numbers, etc. Limitations with binary data have been
identified; however, viewing binary data such as database files is still simple.
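A gateway-side check for the condition described in Details (script-capable markup in an HTML email body), as an added example that is not part of the original advisory or of Palm's fix. The names `scan_message`, `ActiveContentFinder` and `build_sample` and the sample message are constructed for illustration.

```python
from email import message_from_string
from email.message import EmailMessage
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "frame", "object", "embed", "applet"}
URL_ATTRS = {"href", "src", "action", "formaction", "data", "background"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")

class ActiveContentFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names and decodes entities in attribute values.
        if tag in ACTIVE_TAGS:
            self.findings.append(("tag", tag))
        for name, value in attrs:
            # Drop whitespace/control characters before comparing the scheme.
            url = "".join(c for c in (value or "") if c > " ").lower()
            if name.startswith("on"):
                self.findings.append(("handler", f"{tag}@{name}"))
            elif name in URL_ATTRS and url.startswith(SCRIPT_SCHEMES):
                self.findings.append(("url", f"{tag}@{name}"))

def scan_message(raw):
    """Return findings for every text/html part of an RFC 5322 message."""
    finder = ActiveContentFinder()
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "text/html":
            continue
        # decode=True undoes base64/quoted-printable transfer encoding.
        body = part.get_payload(decode=True) or b""
        finder.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    finder.close()
    return finder.findings

def build_sample(html):
    """Constructed test message: plain part plus a base64-encoded HTML part."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("plain text part")
    msg.add_alternative(html, subtype="html", cte="base64")
    return msg.as_string()

# Constructed sample body; it carries markers only, no payload.
SAMPLE_HTML = ('<p>Hello</p><script>/* constructed placeholder */</script>'
               '<img src="x.png" onerror="void 0">'
               '<a href="java&#115;cript:void 0">link</a>'
               '<a href="https://example.com/">ok</a>')
print(scan_message(build_sample(SAMPLE_HTML)))
```

A non-empty result means the message should be stripped of active content or quarantined before it reaches a client that renders HTML mail.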
Proof of Concept
Creating an email with the following JavaScript in it will automatically upload a file of the attacker's choice to a remote
web server:
(Link provided instead of JS code)
http://tlhsecurity.com/advisories/FA_Code.jpg
To view a Flash demo of this exploit in action:
http://tlhsecurity.com/videos/FA.html
IV. About
This vulnerability was discovered by Townsend Ladd Harris <PalmPreHacker[at]gmail.com>
Vulnerability details will be maintained at
http://tlhsecurity.blogspot.com/2009/10/palm-pre-webos-11-remote-file-access.html
Special thanks to:
- Chris Rohlf - Blog: http://em386.blogspot.com/
- Destinal #webos-internals (irc.freenode.com)
- Webos-Internals group #webos-internals (irc.freenode.com) http://www.webos-internals.org
- Bryce Kerley
- Dan Czarnecki
- Jeremy Rasmussen
{"id": "SECURITYVULNS:DOC:22561", "bulletinFamily": "software", "title": "Palm Pre WebOS <=1.1 Remote File Access Vulnerability", "description": "I. Description\r\n\r\nThe Palm Pre WebOS <=1.1 suffers from a JavaScript injection attack that allows a malicious attacker to access any file on\r\nthe mobile device.\r\n\r\nPalm has patched this vulnerability and all users are recommended to upgrade to WebOS version 1.2+. \r\n\r\nPalm WebOS 1.2 patch information can be found here:\r\nhttp://kb.palm.com/wps/portal/kb/na/pre/p100eww/sprint/solutions/article/50607_en.html#12\r\n\r\nII. Impact\r\n\r\nA specially crafted email can access any file on the Palm Pre WebOS version <=1.1 mobile device and send it to a web site\r\nof the attacker's choice just by viewing the email.\r\n\r\nIII. Details\r\n\r\nThe Palm Pre WebOS 1.1 and lower will parse and execute JavaScript contained in an email it receives. Exploiting this\r\nvulnerability allows an attacker to read/extract any file and post it to a remote website the attacker controls. \r\n\r\nOne particular file of interest is the "PalmDatabase.db3" file. Having this database file will give an attacker emails,\r\nemail addresses, contact list information including names, phone numbers, etc. Limitations with binary data have been\r\nidentified, however viewing binary data such as database files is still simple.\r\n\r\nProof of Concept\r\n\r\nCreating an email with the following JavaScript in it will automatically upload a file of the attacker's choice to a remote\r\nweb server:\r\n\r\n(Link provided instead of JS code )\r\n \r\nhttp://tlhsecurity.com/advisories/FA_Code.jpg\r\n\r\nTo view a Flash demo of this exploit in action: \r\n\r\nhttp://tlhsecurity.com/videos/FA.html\r\n\r\nIV. 
About\r\n\r\nThis vulnerability was discovered by Townsend Ladd Harris <PalmPreHacker[at]gmail.com>\r\n\r\nVulnerability details will be maintained at\r\nhttp://tlhsecurity.blogspot.com/2009/10/palm-pre-webos-11-remote-file-access.html\r\n\r\nSpecial Thanks to :\r\n - Chris Rohlf - Blog: http://em386.blogspot.com/\r\n - Destinal #webos-internals (irc.freenode.com)\r\n - Webos-Internals group #webos-internals (irc.freenode.com) http://www.webos-internals.org\r\n - Bryce Kerley\r\n - Dan Czarnecki\r\n - Jeremy Rasmussen\r\n ", "published": "2009-10-06T00:00:00", "modified": "2009-10-06T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22561", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:31", "edition": 1, "viewCount": 4, "enchantments": {"score": {"value": 2.9, "vector": "NONE", "modified": "2018-08-31T11:10:31", "rev": 2}, "dependencies": {"references": [{"type": "nessus", "idList": ["EULEROS_SA-2020-1299.NASL", "DEBIAN_DLA-2164.NASL", "EULEROS_SA-2020-1323.NASL", "EULEROS_SA-2020-1314.NASL", "EULEROS_SA-2020-1318.NASL", "FREEBSD_PKG_40194E1C6D8911EA808280EE73419AF3.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892164", "OPENVAS:1361412562311220201299", "OPENVAS:1361412562311220201261", "OPENVAS:1361412562311220201323", "OPENVAS:1361412562311220201222", "OPENVAS:1361412562311220201318", "OPENVAS:1361412562311220201314"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2164-1:52F3C"]}, {"type": "zdt", "idList": ["1337DAY-ID-34153", "1337DAY-ID-34134"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:10149"]}, {"type": "kitploit", "idList": ["KITPLOIT:1907207623071471216"]}, {"type": "mssecure", "idList": ["MSSECURE:057ED5C1C386380F0F149DBAC7F1F6EF"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156729"]}], "modified": "2018-08-31T11:10:31", "rev": 2}, "vulnersScore": 2.9}, "affectedSoftware": []}
{"rst": [{"lastseen": "2021-02-28T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **64[.]91.4.131** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **13**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-02-28T03:00:00.\n IOC tags: **generic**.\nASN 22561: (First IP 64.91.0.0, Last IP 64.91.26.255).\nASN Name \"CENTURYLINKLEGACYLIGHTCORE\" and Organisation \"CenturyTel Internet Holdings Inc\".\nASN hosts 1303 domains.\nGEO IP information: City \"Brinkley\", Country \"United States\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:70020D7E-64BE-3063-9DAD-1ADC262E41E7", "href": "", "published": "2021-03-01T00:00:00", "title": "RST Threat feed. IOC: 64.91.4.131", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-28T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **69[.]29.77.91** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **25**.\n First seen: 2021-01-12T03:00:00, Last seen: 2021-02-28T03:00:00.\n IOC tags: **shellprobe, generic**.\nASN 22561: (First IP 69.29.60.0, Last IP 69.29.83.255).\nASN Name \"CENTURYLINKLEGACYLIGHTCORE\" and Organisation \"CenturyTel Internet Holdings Inc\".\nASN hosts 1303 domains.\nGEO IP information: City \"Columbia\", Country \"United States\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-01-12T00:00:00", "id": "RST:67EA9271-CF93-3852-9FEC-92DA338CBAF2", "href": "", "published": "2021-03-01T00:00:00", "title": "RST Threat feed. 
IOC: 69.29.77.91", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-28T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **69[.]29.78.107** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **23**.\n First seen: 2021-01-08T03:00:00, Last seen: 2021-02-28T03:00:00.\n IOC tags: **shellprobe, generic**.\nASN 22561: (First IP 69.29.60.0, Last IP 69.29.83.255).\nASN Name \"CENTURYLINKLEGACYLIGHTCORE\" and Organisation \"CenturyTel Internet Holdings Inc\".\nASN hosts 1303 domains.\nGEO IP information: City \"Columbia\", Country \"United States\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-01-08T00:00:00", "id": "RST:5DB5471C-BF56-3172-9B11-7D7BF0604D47", "href": "", "published": "2021-03-01T00:00:00", "title": "RST Threat feed. IOC: 69.29.78.107", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-28T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **69[.]179.129.210** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **29**.\n First seen: 2021-01-10T03:00:00, Last seen: 2021-02-28T03:00:00.\n IOC tags: **shellprobe, generic**.\nASN 22561: (First IP 69.179.80.0, Last IP 69.179.255.255).\nASN Name \"CENTURYLINKLEGACYLIGHTCORE\" and Organisation \"CenturyTel Internet Holdings Inc\".\nASN hosts 1303 domains.\nGEO IP information: City \"OFallon\", Country \"United States\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-01-10T00:00:00", "id": "RST:13E5BA4F-1E5F-3ED0-AB57-2DA6A150C3BA", "href": "", "published": "2021-03-01T00:00:00", "title": "RST Threat feed. 
IOC: 69.179.129.210", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-28T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **69[.]179.38.78** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **13**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-02-28T03:00:00.\n IOC tags: **generic**.\nASN 22561: (First IP 69.179.36.0, Last IP 69.179.71.255).\nASN Name \"CENTURYLINKLEGACYLIGHTCORE\" and Organisation \"CenturyTel Internet Holdings Inc\".\nASN hosts 1303 domains.\nGEO IP information: City \"\", Country \"United States\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:B87DE57B-902E-3ED8-90BF-2F98DD776C44", "href": "", "published": "2021-03-01T00:00:00", "title": "RST Threat feed. IOC: 69.179.38.78", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-28T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **72[.]161.0.225** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **13**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-02-28T03:00:00.\n IOC tags: **generic**.\nASN 22561: (First IP 72.160.240.0, Last IP 72.161.47.255).\nASN Name \"CENTURYLINKLEGACYLIGHTCORE\" and Organisation \"CenturyTel Internet Holdings Inc\".\nASN hosts 1303 domains.\nGEO IP information: City \"\", Country \"United States\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:F269246A-443D-3B16-86E1-13D5C3BE7756", "href": "", "published": "2021-03-01T00:00:00", "title": "RST Threat feed. 
IOC: 72.161.0.225", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-28T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **72[.]161.12.229** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **13**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-02-28T03:00:00.\n IOC tags: **generic**.\nASN 22561: (First IP 72.160.240.0, Last IP 72.161.47.255).\nASN Name \"CENTURYLINKLEGACYLIGHTCORE\" and Organisation \"CenturyTel Internet Holdings Inc\".\nASN hosts 1303 domains.\nGEO IP information: City \"\", Country \"United States\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:CCB58B86-88B5-3850-BC5D-316C05E2295C", "href": "", "published": "2021-03-01T00:00:00", "title": "RST Threat feed. IOC: 72.161.12.229", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-28T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **72[.]161.14.197** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **13**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-02-28T03:00:00.\n IOC tags: **generic**.\nASN 22561: (First IP 72.160.240.0, Last IP 72.161.47.255).\nASN Name \"CENTURYLINKLEGACYLIGHTCORE\" and Organisation \"CenturyTel Internet Holdings Inc\".\nASN hosts 1303 domains.\nGEO IP information: City \"\", Country \"United States\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:01E336BE-CE07-3F92-94C2-0ABF94C6FE14", "href": "", "published": "2021-03-01T00:00:00", "title": "RST Threat feed. 
IOC: 72.161.14.197", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-28T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **99[.]194.112.26** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **13**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-02-28T03:00:00.\n IOC tags: **generic**.\nASN 22561: (First IP 99.194.32.0, Last IP 99.194.127.255).\nASN Name \"CENTURYLINKLEGACYLIGHTCORE\" and Organisation \"CenturyTel Internet Holdings Inc\".\nASN hosts 1303 domains.\nGEO IP information: City \"Hinesville\", Country \"United States\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:67D25BA9-7F5E-3268-836F-6511940C0903", "href": "", "published": "2021-03-01T00:00:00", "title": "RST Threat feed. IOC: 99.194.112.26", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-28T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **99[.]194.106.207** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **13**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-02-28T03:00:00.\n IOC tags: **generic**.\nASN 22561: (First IP 99.194.32.0, Last IP 99.194.127.255).\nASN Name \"CENTURYLINKLEGACYLIGHTCORE\" and Organisation \"CenturyTel Internet Holdings Inc\".\nASN hosts 1303 domains.\nGEO IP information: City \"Hinesville\", Country \"United States\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:6DF4E633-2082-3CC9-9C3A-4C554E61C462", "href": "", "published": "2021-03-01T00:00:00", "title": "RST Threat feed. IOC: 99.194.106.207", "type": "rst", "cvss": {}}]}