@stake, Inc.
                           www.atstake.com

                    Security Advisory Notification      
       
Advisory Name: Palm OS Password Lockout Bypass
 Release Date: 03/01/2001
  Application: Palm OS 3.5.2 and below
     Platform: All Palm OS Devices
     Severity: Passwords and data can easily be
               obtained through a backdoor in Palm OS,
               even if the device is "locked". 
       Author: Kingpin [[EMAIL PROTECTED]]
Vendor Status: Vendor responded via email, see response section
          CVE: CAN-2001-0157
    Reference: www.atstake.com/research/advisories/2001/a030101-1.txt


Summary:

    The Palm operating system (OS) Security application provides "system
lockout" functionality in which the Palm device will not be operational
until the correct password is entered. The legitimate user can also use
the password to protect and hide records by marking them as "Private".
These mechanisms are meant to prevent an unauthorized user
from reading data or running applications on the device. 


    A backdoor exists in Palm OS which provides source- and assembly-
level debugging of executables and the administration of databases 
existing on the physical device. Although this backdoor is documented 
for debugging purposes, it can be activated even if the Palm OS 
lockout functionality is enabled. This will allow an unauthorized user
to perform a number of commands including, but not limited to, 
retrieving an encoded form of the system password, obtaining all 
database and record information on the device, and installing or 
deleting applications. 

    The system lockout mechanism is currently assumed by most users to 
be a sufficient protection feature of the Palm operating system. This 
is not the case and is a severe weakness for particular deployments 
of Palm OS devices.


Vendor Response:

Vendor responded via email that Palm OS 4.0 will fix the problem when
it ships. 


Advisory Reference:

http://www.atstake.com/research/advisories/2001/a030101-1.txt

** The advisory contains additional information.  We encourage those
** affected by this issue to read the advisory. 
**
** All vulnerability database maintainers should reference the above
** advisory reference URL to refer to this advisory.

Advisory policy: http://www.atstake.com/research/policy/
For more advisories: http://www.atstake.com/research/advisories/
PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2001 @stake, Inc. All rights reserved.

