Information Assurance |
Genevieve LaFrance |
Information AssuranceBugtraq Analysis |
What the problem is:Palm Pre WebOS versions <= 1.1 can be forced into a system crash. When the user is sent to a malicious web page, LunaSysMgr process will crash prompting reboot of system. This is considered a denial-of-service attack, as the user is prevented for a short time from using the computer resources due to reboot. Crash is due to a floating point error - when the webpage has 50280 bytes of data and then tries to refresh, size calculation of the exponent is too large to encode in the exponent field, leading to an overflow floating point error. Other possible floating point exceptions include underflow, zerodivide, invalid, inexact. Proof Of Concept: this code would trigger the crash on the Palm-Pre WebOS:"<meta http-equiv="refresh" content="1">PAGEHERE..." where PAGEHERE is greater 50280 characters. This is an important attack because vectors include email, AIM, SMA, or any other application that can load a URL.What could have prevented it:When a floating point exception is caught/detected, the error handler can provide an error message and a point of recovery through a signal with information about the floating point exception. Currently the error handler causes a core dump and reboot. What can be done to work around it:Palm developers have released a patch - newer OS systems and patched systems do not have the vulnerability. What can be done to prevent future occurances:Better coding of error handlers Better input checking - check all user input (even non-traditional forms of input like web code) Follow the IEEE Definitions - IEEE defines standard floating point exceptions, and a good coder should account for all possible listed exceptions Notes:I chose this error because there have been several mobile phone vulnerabilities that could have been prevented with input checking. Especially on mobile phone where space and battery is severly limited, programmers try to cut code and processes. A similar error occurred in July: when user clicked on URL with char length greater than 4063 characters the LunaSysMgr crashed. Looks like a reboot, but the LunaSysMgr service is stopping and starting via segfault. Code execution during this time was possible which is a critical vulnerability: remotely and locally exploitable machine.Sources: Bugtraq Report: http://www.securityfocus.com/archive/1/507126/30/60/threaded Blog Entry from T. L. Harris, credited with discovery of exploit: http://tlhsecurity.blogspot.com/2009/10/palm-pre-webos-version-11-floating.html Blog Entry from T.L. Harris, credited with discovery of July exploit: http://tlhsecurity.blogspot.com/2009/07/palm-pre-web-os-103-overly-long-url.html |