Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/23/2010
04:52 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Researchers Uncover Holes In WebOS Smartphones

Linux-based platform prone to Web-injection vulnerabilities and targeted attacks for stealing data

A pair of researchers has discovered multiple flaws in the WebOS smartphone platform, including one that could let an attacker build a mobile botnet or execute other remote attacks.

Orlando Barrera and Daniel Herrera of SecTheory plan to demonstrate their findings tomorrow at the Austin Hackers Association meeting in Texas. The most dangerous of the vulnerabilities is an injection flaw they found on the WebOS version 1.4.X that allows remote command and control, including access to a phone's files or injecting a remote JavaScript backdoor into the phone's Contacts Application to build a botnet.

"This is a simple attack process with severe impact to end users. In the condition of remote command and control, this could [be] used in many of the same ways as a botnet: submitting spam, clickjacking, ad revenue," Barrera says. The researchers tested exploits on Palm Pre running WebOS version 1.4.X.

Meanwhile, HP has fixed the "Contacts" application issue as of the WebOS 2.0 beta, but the researchers have found a mix of other bugs, including ones of the floating-point overflow, denial-of-service, and cross-site scripting variety, in the new beta version of the smartphone platform.

Some inherent design elements of WebOS leave it prone to XSS and other attacks, they say. "Any mobile computing device with Internet connectivity running WebOS with its current feature set would be vulnerable," Herrera says.

WebOS is less secure than other smartphones mainly because the intent of the environment was to simplify application development, he says. "The WebOS platform cuts out the middleman; the delivery mechanism is the device compromised since the local system commands can be leveraged by Web technologies like JavaScript," Herrera says. "This is not to say that other mobile operating systems are devoid of flaws. It just means that [Palm's] intent of creating an environment to ease application development also resulted in easing the development of exploitation."

The researchers found that the "Company" field in the Contacts app window was "unsanitized," so they were able to inject code that ultimately grabbed the Palm's database file with emails, email addresses, contact list, and other information. In a second attack, they inserted a JavaScript hook to use keyloggers and other tools. That could then be used by bad guys to build a mobile botnet, for instance.

"By not properly sanitizing user-supplied content prior to it being included within the user interface, conditions are created where user-supplied content can execute commands against the system and modify the user experience," Herrera says. "Developers should keep in mind that data from third-party sources can be dangerous, whether it's from a company or an anonymous user. Measures should be put in place to validate and modify any form of malicious content to prevent local exploitation."

To date, most real-world attacks on smartphones have been relatively benign, but security experts such as Herrera and Barrera predict that all will soon change as these devices get smarter and become more of a work tool for mobile users.

"We believe there is more work to be done in the mobile sector with regard to security. We hope that our work helps end users understand the risks related to using mobile devices for day-to-day activities and communication," Barrera says.

This isn't the first time Palm Pre smartphones have been hacked by researchers. A proof-of-concept attack exploiting an email flaw was released last year, and an SMS injection flaw was demonstrated earlier this year.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27706
PUBLISHED: 2021-04-14
Buffer Overflow in Tenda G1 and G3 routers with firmware version V15.11.0.17(9502)_CN allows remote attackers to execute arbitrary code via a crafted action/"IPMacBindIndex "request. This occurs because the "formIPMacBindDel" function directly passes the parameter "IPMacBind...
CVE-2021-27707
PUBLISHED: 2021-04-14
Buffer Overflow in Tenda G1 and G3 routers with firmware v15.11.0.17(9502)_CN allows remote attackers to execute arbitrary code via a crafted action/"portMappingIndex "request. This occurs because the "formDelPortMapping" function directly passes the parameter "portMappingIn...
CVE-2021-28098
PUBLISHED: 2021-04-14
An issue was discovered in Forescout CounterACT before 8.1.4. A local privilege escalation vulnerability is present in the logging function. SecureConnector runs with administrative privileges and writes logs entries to a file in %PROGRAMDATA%\ForeScout SecureConnector\ that has full permissions for...
CVE-2021-30493
PUBLISHED: 2021-04-14
Multiple system services installed alongside the Razer Synapse 3 software suite perform privileged operations on entries within the ChromaBroadcast subkey. These privileged operations consist of file name concatenation of a runtime log file that is used to store runtime log information. In other wor...
CVE-2021-30494
PUBLISHED: 2021-04-14
Multiple system services installed alongside the Razer Synapse 3 software suite perform privileged operations on entries within the Razer Chroma SDK subkey. These privileged operations consist of file name concatenation of a runtime log file that is used to store runtime log information. In other wo...