Palm OS Treo Vulnerability: Find Feature Information Disclosure

chiru · 02/14/2007, 08:33 PM

I am not sure if this was shared on the forums, there is a vulnerability disclosure by Symantec. Here is the link

http://www.securityfocus.com/archive/1/460059
http://www.securityfocus.com/bid/22468/info

Symantec Vulnerability Research
http://www.symantec.com/research
Security Advisory

Advisory ID: SYMSA-2007-002
Advisory Title: Palm OS Treo Find Feature System Password Bypass
Authors: J.R. Wikes, Matt Cooley, & Scott King
Release Date: 14-02-2007
Application: N/A
Platforms: Palm OS Treo smart phones - Tested on Verizon,
Sprint, & Cingular Treo 650 (Treo650-1.03a-VZW &
Treo650-1.12-SPCS), Cingular Treo 680, and
Sprint/Verizon Treo 700p phones
Severity: Locally exploitable
Vendor status: Verified by vendor. No patch forthcoming.
CVE Number: CVE-2007-0859

Palm OS Treo smartphones are equipped with a system password lock
to secure contents of handheld data from unauthorized access.
When this lock is engaged, Treo's built-in Find feature is still
accessible and can be used to perform searches on text in Treo
applications and databases (e.g. SMS Messages, Memos, Calendar,
Tasks, etc). Search results are accessible, and depending on
their size, may be truncated. An attacker may use this
vulnerability to retrieve information from a locked device.

Most folks use the system lock feature if they are using Good messaging etc.
No patch or response from Palm as of now.

-Chiru

dkirker · 02/14/2007, 09:49 PM

I could not reproduce the symptom where the find feature could be accessed when making an emergency call on my Treo 700p (Verizon). I did not dial any numbers, or test the incoming call issue.

gtwo · 02/14/2007, 10:10 PM

I could not reproduce this system lockout "weakness" on a Sprint 700P . . . . . .

10:35PM EDIT Correction -- I am able to reproduce this flaw when an incoming call is accepted. The find function becomes operable. . . . .

bclinger · 02/14/2007, 10:13 PM

Neither here and I use TealLock 6.
Ben

sck_nogas · 02/15/2007, 11:55 AM

I can confirm this on my Verizon Treo 700p.

What I did was...

Go to "Security" app.
Select "Lock & Turn Off" after having a password assigned, of course.
Then tried the "Find" button by hitting the "black" button and the left shift... It did not open.
So, went to "Make Emergency Call" and tried again... This time I could search all my contacts and meetings, etc...
HINT: Search for the vowels... "a" then "e" then "i" etc... All of your names should have at least one.

So, this is not good.

Scott (Oh, look a vowel!)

HandyDJs.com · 02/15/2007, 12:07 PM

Quote:

Originally Posted by sck_nogas

I can confirm this on my Verizon Treo 700p.

What I did was...

Go to "Security" app.
Select "Lock & Turn Off" after having a password assigned, of course.
Then tried the "Find" button by hitting the "black" button and the left shift... It did not open.
So, went to "Make Emergency Call" and tried again... This time I could search all my contacts and meetings, etc...
HINT: Search for the vowels... "a" then "e" then "i" etc... All of your names should have at least one.

So then I tapped on those findings and then nothing happens - takes me back to the dial screen. Tried on both my 650 and 700p.

Same thing when accepting an incoming call - can see search results, but cannot activate them. Can paste from clipboard into find window. THat's about all. Unlikely any sensitive stuff there.

I do have Butler installed on both my 650 (1.13 Sprint firmware) and Sprint 700p (1.08 firmware) and am using the Butler key lock - but I don't think that makes any difference as the keylock is inactive at this point.

bclinger · 02/15/2007, 01:51 PM

I checked also while the device was actually calling my other cell phone and was able to obtain information; however, I could not activate any applications or defeat the security any further than this. This with TealLock 6.

Ben

dkirker · 02/15/2007, 05:45 PM

I still cannot get into the find screen, either in an active call or from the emergency call screen. I am curious now as to why (with no intentions of hard resetting to find out).

EDIT: Oh! I think I know. Maybe Genius?

dkirker · 02/15/2007, 05:47 PM

Yup, Genius can save you

AGGHHH!!! People can see what I have spent in my checking application!

ttrundle · 02/15/2007, 05:56 PM

This is not 700P only, therefore I posted in General chat today.

dkirker · 02/15/2007, 07:09 PM

I have created a little fix that prevents the find key from working when the device is locked. I will post it soon.

I tested it on my 700p, so it should work on the 650 and 680.

dkirker · 02/15/2007, 07:43 PM

Ok, this is the first build.

I have tested it on a Verizon Treo 700p and it works.

PLEASE: Back up your device before installing. I take no responsibility for any loss of data. This is provided without warranty.

gtwo · 02/15/2007, 08:15 PM

Guinea Pig #1 reporting in:

Sprint Treo 700P, can no longer initiate the find feature now when the phone is "woke up" by a phone call.

What else do I test?

Thanks dkirker!!!!!!!!!!!!!!!!

dkirker · 02/15/2007, 08:19 PM

No problem!!

Try going into the Emergency Call screen when the device is locked.

Also, try to make sure that you can access the find feature when the device is unlocked.

Repeat this a few times in various orders.

Also, keep an eye out for any issues that may have now come up. The fix should not have created any issues, but I do have to listen for a few internal things (key presses and the lock broadcast).

Also, watch for any major performance hits.

gtwo · 02/15/2007, 08:24 PM

Quote:

Originally Posted by dkirker

No problem!!

Try going into the Emergency Call screen when the device is locked.
Check -- cannot open find

Also, try to make sure that you can access the find feature when the device is unlocked.
Check -- works as before

Repeat this a few times in various orders.
Have done, will do more

Also, keep an eye out for any issues that may have now come up. The fix should not have created any issues, but I do have to listen for a few internal things (key presses and the lock broadcast).

Also, watch for any major performance hits.
None so far.

Cheers, Perry.

dkirker · 02/15/2007, 08:25 PM

I have also tested this with Genius (which traps the find key when the device is locked anyway), and there are no issues.

dkirker · 02/15/2007, 08:29 PM

As a note, I have not tested for this yet, but if you have a "locker" application, it might be worth locking this application into the dbcache.

gtwo · 02/15/2007, 08:36 PM

LOL

Ya know --after reading that post, I now know what you are talking about, but untill this moment I had no idea that could be done. I assume locking a .prc into dbcache protects it some how and I also assume that clearing the dbcache will have no effect on such a locked file . . . . . .

As you can guess -- I have no such "locker" program.

Cheers, Perry.

dkirker · 02/15/2007, 08:39 PM

You should be fine. My only concern is on devices where they automatically flush the dbcache. It *may* flush out the fix, then either making the device unstable or vulnerable. I have not tested this, yet.

gtwo · 02/15/2007, 08:46 PM

I have Blazer set to flush the cache on exit. . . . should I change this?

EDIT: I have been in and out of Blazer twice now and the fix stays in place. . . . .

Should the find function be accessible from Blazer?
If it should, it is now not, but I have never tried it from Blazer before . . . . .

Hmm. . . . find no longer accessible from anything. . . .
Soft reset . . . .no good
Using FileZ to delete the fix file. . . .
Find now working
Yes, it is accessible from Blazer!

I can re-install and try some other things. . . .
Any ideas?

Reinstalled via the hotsync process -- and now cannot open find anywhere. . .
deleted the fix file again and find is back . . . .

Suggestions?