Security researchers have uncovered three flaws in the Linux-based WebOS platform used in Palm devices.
Security researchers uncovered critical flaws in WebOS, including a
cross-site scripting issue that could be used to gain remote control of devices
and possibly build a botnet.
WebOS is the operating system used in Palm smartphones. The issues were
uncovered by Orlando Barrera and Daniel Herrera of SecTheory, who discovered a
total of three unique flaws-a floating-point overflow issue, a denial-of-service
bug and the cross-site scripting vulnerability. The researchers are
expected to present their findings later today at the Austin Hacker Association
meeting in Texas.
According to Barrera, the vulnerabilities can be used by an attacker in a
number of ways
to threaten security
"For example, utilizing the cross-site scripting issue we are able to
to dynamically modify the user experience, an attacker
is able to control aspects
of the device over time," he said. "This
in essence is the foundation of a botnet, [and] with time and effort I believe
it is feasible for an attacker to complete a functional command and control
program for this device."
In addition, the researchers were able to use XML HTTP Requests to access
the local file system via "localhost." Due to the access permissions
associated to the Web user, the researchers were able to read the local
database file, Barrera said.
"This allowed us to exfiltrate sensitive user data stored within the
database to a remote server under our control," he added. "This
database includes contact information, usernames, password hashes, and
unencrypted communications like SMS and e-mail."
The specific cross-site scripting injection flaw used by the duo to
demonstrate the attacks was fixed by Palm as of the WebOS 2.0 beta. However, WebOS
2.0 remains susceptible to the floating-point overflow and denial-of-service
issues, Barrera said.
understood the design
it was just a matter of identifying applications
where user-supplied content is visually presented to the user, and ideally from
a remote source," Herrera said. "The 'Sync' feature of the default 'Contacts'
application had both desired attributes, allowing us to create and demonstrate
the impact of these types of injection attacks against the WebOS platform."
The researchers conducted their work on WebOS Version 1.4.x and the WebOS
2.0 beta platforms developed by Palm. This is not the first time the security
community has poked around on Palm devices. Earlier this year, for example,
a vulnerability impacting WebOS' SMS client.
"The user experience in WebOS is constructed similar to a Web application:
Markup rendering (HTML/CSS) is used for the
system commands are communicated via HTTP locally," Herrera added. "This
design leaves the WebOS susceptible to attacks similar to cross-site scripting. If
user-supplied content is not properly sanitized prior to it being included
within the user interface, conditions are created where this content can
execute commands against the system and modify the user experience."