Palm OS Treo Find Feature Information Disclosure Vulnerability
BID:22468
Info
Palm OS Treo Find Feature Information Disclosure Vulnerability
| Bugtraq ID: | 22468 |
| Class: | Design Error |
| CVE: |
CVE-2007-0859 |
| Remote: | No |
| Local: | Yes |
| Published: | Feb 14 2007 12:00AM |
| Updated: | Feb 22 2007 07:46PM |
| Credit: | J.R. Wikes, Matt Cooley, and Scott King discovered this issue. |
| Vulnerable: |
Palm Treo 700p 0 Palm Treo 680 0 Palm Treo 650 |
| Not Vulnerable: | |
Discussion
Palm OS Treo Find Feature Information Disclosure Vulnerability
Palm OS Treo smartphones are vulnerable to a local information-disclosure vulnerability because the software fails to properly secure access to certain features when locked.
Successfully exploiting this issue allows attackers with physical access to affected devices to obtain potentially sensitive information. This may aid them in further attacks.
The following devices are known to be affected:
- Cingular Treo 650: Treo650-1.03a-VZW and Treo650-1.12-SPCS
- Cingular Treo 680
- Sprint/Verizon Treo 700p
Other versions of Treo smartphones are also likely affected.
Palm OS Treo smartphones are vulnerable to a local information-disclosure vulnerability because the software fails to properly secure access to certain features when locked.
Successfully exploiting this issue allows attackers with physical access to affected devices to obtain potentially sensitive information. This may aid them in further attacks.
The following devices are known to be affected:
- Cingular Treo 650: Treo650-1.03a-VZW and Treo650-1.12-SPCS
- Cingular Treo 680
- Sprint/Verizon Treo 700p
Other versions of Treo smartphones are also likely affected.
Exploit / POC
Palm OS Treo Find Feature Information Disclosure Vulnerability
Attackers can use built-in features of affected phones to exploit this issue.
Attackers can use built-in features of affected phones to exploit this issue.
Solution / Fix
Palm OS Treo Find Feature Information Disclosure Vulnerability
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:[email protected].
A third-party fix is availble from the following location:
http://discussion.treocentral.com/attachment.php?attachmentid=13701&d=1171597690
Symantec has neither verified nor tested this fix.
The vendor reports that a ROM update will be available soon to address this issue in affected devices.
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:[email protected].
A third-party fix is availble from the following location:
http://discussion.treocentral.com/attachment.php?attachmentid=13701&d=1171597690
Symantec has neither verified nor tested this fix.
The vendor reports that a ROM update will be available soon to address this issue in affected devices.
References
Palm OS Treo Find Feature Information Disclosure Vulnerability
References:
References:
- Palm OS Treo Vulnerability: Find Feature Information Disclosure (TreoCentral)
- Palm Treo Smartphone Product Page (Palm)
- Re: SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass ([email protected])
- SYMSA-2007-002-1: Palm OS Treo Find Feature System Password Bypass (Symantec)
- SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass ([email protected])