[NEWS] Palm OS Treo Find Feature System Password Bypass
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 21 Feb 2007 19:08:33 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Palm OS Treo Find Feature System Password Bypass
------------------------------------------------------------------------
SUMMARY
Palm OS Treo smartphones are equipped with a system password lock to
secure contents of handheld data from unauthorized access. When this lock
is engaged, Treo's built-in Find feature is still accessible and can be
used to perform searches on text in Treo applications and databases (e.g.
SMS Messages, Memos, Calendar, Tasks, etc). Search results are
accessible, and depending on their size, may be truncated. An attacker may
use this vulnerability to retrieve information from a locked device.
The built-in Find feature can also be used to access an Edit window and
paste previously cut or copied data into the search field of a locked
device. An attacker may use this vulnerability to view data that was cut
or copied from Treo applications prior to the device being locked.
DETAILS
Vulnerable Systems:
* Palm OS Treo smart phones - Tested on Verizon, Sprint, & Cingular Treo
650 (Treo650-1.03a-VZW & Treo650-1.12-SPCS), Cingular Treo 680, and
Sprint/Verizon Treo 700p phones
The Find feature can be accessed when the handheld is locked by issuing
keyboard shortcut keys on the Emergency Call screen and the Call In
Progress screen that is displayed when an incoming call is accepted. More
details for each of these methods are listed below.
Emergency Call Screen:
From the System Lockout screen, select 'Make Emergency Call'. Press the
keyboard shortcut keys for Find (Option Key + Find Key). This will open
the Find window on the bottom half of the screen. Enter the desired text
to search and click on 'OK'. (Searching on a single space usually returns
data)
To access the Edit window, press the Menu key while the Find window is
open. Select Paste from the Edit window to paste previously cut or copied
data in the Find window.
Call In Progress screen:
Accept an incoming call. Press the keyboard shortcut keys for Find (Option
Key + Find Key) during the call. This will open the Find window on the
bottom half of the screen. Enter the desired text to search and click on
'OK'. (Searching on a single space usually returns data)
To access the Edit window, press the Menu key while the Find window is
open. Select Paste from the Edit window to paste previously cut or copied
data in the Find window.
Note: The Find window will stay open after a call has been disconnected.
However, users will be returned to the Lockout screen when the find
results are closed.
Disclosure Timeline:
* 14-08-2006: Initial Vendor Notification.
* 06-09-2006: Vendor acknowledges receipt of vulnerability description.
* 06-09-2006: Vendor confirms vulnerability.
* 19-01-2007: Vendor decides not to fix vulnerability.
* 14-02-2007: Advisory released.
Fix:
Until a patch is released to address this vulnerability, users should be
notified of this condition so that they may take appropriate actions,
including encrypting sensitive handheld databases.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0859>
CVE-2007-0859
ADDITIONAL INFORMATION
The information has been provided by Symantec Vulnerability Research.
The original article can be found at:
<http://www.securityfocus.com/bid/22468>
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.