CERT Coordination Center

Handspring VisorPhone vulnerable to DoS via SMS image transfer

Vulnerability Note VU#222739

Original Release Date: 2002-09-24 | Last Revised: 2002-09-24

Overview

Handspring Visors equipped with the VisorPhone Springboard module can crash when receiving large SMS images from other mobile devices.

Description

Handspring Visor is a Palm-OS-based personal digital assistant (PDA) that features a proprietary plug-in hardware expansion technology named Springboard. Handspring VisorPhone is a Springboard module that plugs into a Visor to provide GSM telephony and networking services. VisorPhone is designed to receive and store Short Message Service (SMS) communications such as text messages.

Certain other SMS-enabled devices can send and receive images through SMS. When the VisorPhone receives a large or crafted SMS image from one of these other devices, the VisorPhone database may become corrupted, and the Visor may also crash and require a reset (reboot) to resume function. Since images are generally larger than short text messages, the crash and corruption may result from a buffer-overflow vulnerability in the VisorPhone firmware or software.

The crashing and corruption symptoms may also result from one or more of the following optional, third-party software extensions, or from interaction between one or more of these extensions and the VisorPhone software:

    AfterBurner
    Keyboard Hack 2
    Multiclip
    Popup Note
    Popup Time
    TechSounds

In tests by Brian Wright and Jonathan Pitts, VisorPhone versions 1.0 and 1.0.1 both appear susceptible to crashing, and database corruption appeared in version 1.0. The possibility of database corruption in version 1.0.1 was not verified.

When this vulnerability is exploited to crash the system, Palm OS displays the following message:

memorymgr.c, line:4340, NULL handle

Impact

The Visor may crash, requiring a reset to resume function. In addition, the VisorPhone database -- which contains call logs, archived messages, custom messages, and other data -- may become irreversibly corrupted.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Disabling software extensions may prevent crashing due to this vulnerability.

Vendor Information

Handspring Unknown

Updated:  January 30, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Palm Computing Unknown

Updated:  January 30, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.



Acknowledgements

Thanks to Brian Wright and Jonathan Pitts for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

CVE IDs: None
Severity Metric: 0.96
Date Public: 2001-10-22
Date First Published: 2002-09-24
Date Last Updated: 2002-09-24 15:52 UTC
Document Revision: 7

Sponsored by CISA.