Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/23/2010
04:52 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Researchers Uncover Holes In WebOS Smartphones

Linux-based platform prone to Web-injection vulnerabilities and targeted attacks for stealing data

A pair of researchers has discovered multiple flaws in the WebOS smartphone platform, including one that could let an attacker build a mobile botnet or execute other remote attacks.

Orlando Barrera and Daniel Herrera of SecTheory plan to demonstrate their findings tomorrow at the Austin Hackers Association meeting in Texas. The most dangerous of the vulnerabilities is an injection flaw they found on the WebOS version 1.4.X that allows remote command and control, including access to a phone's files or injecting a remote JavaScript backdoor into the phone's Contacts Application to build a botnet.

"This is a simple attack process with severe impact to end users. In the condition of remote command and control, this could [be] used in many of the same ways as a botnet: submitting spam, clickjacking, ad revenue," Barrera says. The researchers tested exploits on Palm Pre running WebOS version 1.4.X.

Meanwhile, HP has fixed the "Contacts" application issue as of the WebOS 2.0 beta, but the researchers have found a mix of other bugs, including ones of the floating-point overflow, denial-of-service, and cross-site scripting variety, in the new beta version of the smartphone platform.

Some inherent design elements of WebOS leave it prone to XSS and other attacks, they say. "Any mobile computing device with Internet connectivity running WebOS with its current feature set would be vulnerable," Herrera says.

WebOS is less secure than other smartphones mainly because the intent of the environment was to simplify application development, he says. "The WebOS platform cuts out the middleman; the delivery mechanism is the device compromised since the local system commands can be leveraged by Web technologies like JavaScript," Herrera says. "This is not to say that other mobile operating systems are devoid of flaws. It just means that [Palm's] intent of creating an environment to ease application development also resulted in easing the development of exploitation."

The researchers found that the "Company" field in the Contacts app window was "unsanitized," so they were able to inject code that ultimately grabbed the Palm's database file with emails, email addresses, contact list, and other information. In a second attack, they inserted a JavaScript hook to use keyloggers and other tools. That could then be used by bad guys to build a mobile botnet, for instance.

"By not properly sanitizing user-supplied content prior to it being included within the user interface, conditions are created where user-supplied content can execute commands against the system and modify the user experience," Herrera says. "Developers should keep in mind that data from third-party sources can be dangerous, whether it's from a company or an anonymous user. Measures should be put in place to validate and modify any form of malicious content to prevent local exploitation."

To date, most real-world attacks on smartphones have been relatively benign, but security experts such as Herrera and Barrera predict that all will soon change as these devices get smarter and become more of a work tool for mobile users.

"We believe there is more work to be done in the mobile sector with regard to security. We hope that our work helps end users understand the risks related to using mobile devices for day-to-day activities and communication," Barrera says.

This isn't the first time Palm Pre smartphones have been hacked by researchers. A proof-of-concept attack exploiting an email flaw was released last year, and an SMS injection flaw was demonstrated earlier this year.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: We need more votes, check the obituaries.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3272
PUBLISHED: 2021-01-27
jp2_decode in jp2/jp2_dec.c in libjasper in JasPer 2.0.24 has a heap-based buffer over-read when there is an invalid relationship between the number of channels and the number of image components.
CVE-2021-3317
PUBLISHED: 2021-01-26
KLog Server through 2.4.1 allows authenticated command injection. async.php calls shell_exec() on the original value of the source parameter.
CVE-2013-2512
PUBLISHED: 2021-01-26
The ftpd gem 0.2.1 for Ruby allows remote attackers to execute arbitrary OS commands via shell metacharacters in a LIST or NLST command argument within FTP protocol traffic.
CVE-2021-3165
PUBLISHED: 2021-01-26
SmartAgent 3.1.0 allows a ViewOnly attacker to create a SuperUser account via the /#/CampaignManager/users URI.
CVE-2021-1070
PUBLISHED: 2021-01-26
NVIDIA Jetson AGX Xavier Series, Jetson Xavier NX, TX1, TX2, Nano and Nano 2GB, L4T versions prior to 32.5, contains a vulnerability in the apply_binaries.sh script used to install NVIDIA components into the root file system image, in which improper access control is applied, which may lead to an un...