All comments and opinions are the property of this individual,
and do not represent my employer(s) or their policies.
All content is provided "as is" with no warranties, assurances, or guarantees.
DISCLAIMER*
For educational purposes only.
"Copyright Disclaimer Under Section 107 of the Copyright Act 1976, allowance is made for fair use for purposes such as criticism, comment, news reporting, teaching, scholarship, and research. Fair use is a use permitted by copyright statute that might otherwise be infringing. Non-profit, educational or personal use tips the balance in favor of fair use."

HP TouchPad WebOS3.0 - Remote Code PoC/Exploit

July 02, 2011

I find myself writing this information down not because I feel it is very interesting nor did I want to devote any more time to doing further security research on WebOS; however, due to the situation I was faced with when I attempted to notify the vendor of this security issue, I feel it necessary to inform the end user about any potential risks associated with using the current version of WebOS3.0. I have attempted on several occasions to make the vendor aware of certain issues related to the architecture on which WebOS is created but have been met with hostility and legal threats in response. I made Palm aware of security issues related to the “Sync” feature of WebOS in version 1.4.1, prior to the acquisition by HP. The issue was not addressed until the WebOS2.0 version release, after HP acquired the product. I was never given attribution from Palm or HP in regards to my security work on WebOS, but I was glad the software was "fixed". Then HP decided to revamp WebOS for the TouchPad, which brings us to WebOS3.0. As a software developer I obtained the WebOS3.0 SDK and began to code. It took me less than 30 minutes using the WebOS3.0 SDK to find some security issues. I made ZDI aware of the security issues related to WebOS3.0 and the security team at ZDI notified HP of the issue. On 05/04/2011 the ZDI team verified my case; however, the response from HP on the matter was denial of any security related issues and legal threats under NDA . As of 06/30/2011 the NDA for WebOS3.0 SDK was lifted for software developers and on 07/01/2011 HP released the TouchPad with WebOS3.0 installed as the Operating System, along with a few known security issues. Now, I really do like WebOS and the open source community of developers whom have contributed to the project; however, the response from HP does not reflect the nature of the open source community and has been legally aggressive towards developers whom try to make them aware of security issues. I have found my experience attempting to make vendors aware of security issues as a “Whitehat” independent security researcher has been met with the attitude of, it’s cheaper to ignore a security issue then to fix it. Are there legal protections for developers whom pursue responsible disclosure? I don’t know, but when that NDA hammer comes down it is scary, the thought of beign faced against a wall of HP lawyers and NDA’s which no one reads. That is why, with some hesitation; I am publishing this information for educational purposes. As an independent security researcher I want the end user to be secure, but security through ignorance is not security, it is just lying to the consumer.


webOS3.0 PoC | TouchPad XSS

webOS 1.4.x Security Research

November 29, 2010

Quick little back story: Last April or May I spent some time playing with the Palm Pre while I waited for the Nexus One phone from Google to come out. When my Nexus One phone arrived my wife stole it and left me with the Palm Pre. I liked the little Palm Pre phone; I got root the first day, and I loved using the Konami code "upupdowndownleftrightleftrightbastart" to get into Developer Mode, installed nmap and other tools on it. After using it for some time I began playing with simple HTML injection and found a host of issues. I notified Palm of the issues prior to the webOS 1.4.5 release; however, the issues were not addressed in that version. So, my code and research material sat in a folder on my hard drive for months. I had given the Palm security team full access to my server and Proof of Concept, how many "hackers" would be that nice? After five months passed I decided to release my findings at the Austin Hacker Association AHA . Soon darkreading picked up the story and interest in the security issues I found last summer took off. The issues presented are not major but I found them an interesting topic to do research on and present at AHA. I am a software developer and not a security researcher by profession, so I may have made mistakes in creating the presented materials. I did make every effort at responsible disclosure; however, leaving the end user at risk for months on end is not a solution to security. The videos and documents which I am releasing were created using the webOS 1.4.1 version; however, the issues were not patched in the webOS 1.4.5 release so the Proof of Concepts work for webOS 1.4.x versions. I created the video as a joke for one of my friends, so do not take the "hackerish" video demo to seriously (my attempt at hacker satire, and self mockery), I made it for fun over five months ago. I have not had any time to do further security research, but I still have some tricks up my sleeve ;-)
webOS1.4.x Security Research | webOS1.4.x Video Demo | webOS1.4.x Test Page

Firefox 3.6.3 - DOS PoC Exploit

June 03, 2010

DOS POC which 'may' be exploitable. If a user has the AVG Safe Search 9.0.0.825 add-on installed while running FF 3.6.3 on Vista a DEP violation can be triggered.
This issue may be levearaged my a malicious attacker to get remote code to execute in the context of the user.
Bug ID: 569953
PoC | Stack Trace | Screen Captures



Firefox 3.6 DOS

March 10, 2010

Just another lame DOS. PoC



Firefox 3.5.15 Crash with recursive web-worker calls

April 09, 2010

Cool, just got a check from Mozilla for a bug-bounty.

Mozilla Check

October 29, 2009

On Tuesday Mozilla released Firefox 3.5.4 for Windows, Mac, and Linux on Tuesday to patch six critical security holes and some other problems. One of those security holes was from my exploit which I submitted to Bugzilla on October 9, 2009, CVE.

I have been in contact with Daniel Veditz from Mozilla and it seems that they have fixed the issue which could lead to exploiting the browser, so I have decided to release my PoC.

The issue was in the new web workers which Firefox implemented in there version 3.5 release. I presented the issue at AHA and will post the slides along with the PoC. I originaly posted the proccess for exploiting the vulnerability on sla.ckers.org.

This is just the beginning, give me time, I will learn more and improve my skill set in security research.

Orlando Barrera II

ATM Cheat Sheet

October 29, 2009

First it was Tranax, then Triton, now Hyosung. When will the information leakage stop? Another example of default passwords on mini-atm compiled in a nice list ;) [ ATM-Cheat Sheet | PDF ].

Message to vendor (Hyosung):
I just wanted to inform your company that there is a security issue dealing with information leakage. The default passwords used to access the manager menu on your atm machines are available within the public domain. Using google hacking one is able to locate the operator manuals for several models of atms. If you have any questions please feel free to contact me. Regards

Sponsor Banners
RSS Feed
Support Free CSS