Handspring Visors equipped with the VisorPhone Springboard module can crash when receiving large SMS images from other mobile devices.
Handspring Visor is a Palm-OS-based personal digital assistant (PDA) that features a proprietary plug-in hardware expansion technology named Springboard. Handspring VisorPhone is a Springboard module that plugs into a Visor to provide GSM telephony and networking services. VisorPhone is designed to receive and store Short Message Service (SMS) communications such as text messages.
Certain other SMS-enabled devices can send and receive images through SMS. When the VisorPhone receives a large or crafted SMS image from one of these other devices, the VisorPhone database may become corrupted, and the Visor may also crash and require a reset (reboot) to resume function. Since images are generally larger than short text messages, the crash and corruption may result from a buffer-overflow vulnerability in the VisorPhone firmware or software.
Keyboard Hack 2
In tests by Brian Wright and Jonathan Pitts, VisorPhone versions 1.0 and 1.0.1 both appear susceptible to crashing, and database corruption appeared in version 1.0. The possibility of database corruption in version 1.0.1 was not verified.
When this vulnerability is exploited to crash the system, Palm OS displays the following message:
memorymgr.c, line:4340, NULL handle
The Visor may crash, requiring a reset to resume function. In addition, the VisorPhone database -- which contains call logs, archived messages, custom messages, and other data -- may become irreversibly corrupted.
The CERT/CC is currently unaware of a practical solution to this problem.
Disabling software extensions may prevent crashing due to this vulnerability.
Thanks to Brian Wright and Jonathan Pitts for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
Date First Published: 2002-09-24
Date Last Updated: 2002-09-24 15:52 UTC