X-RDate: Wed, 22 Apr 1998 19:29:56 +0600 (YEKST)
X-UIDL: 35317d34000000ae
Date: Tue, 21 Apr 1998 22:50:55 -0400
From: Andrew <[email protected]>
To: [email protected]Subject: "Off By One IP Header" Exploit Against PalmOS 2.0.4
I was really bored the other day and decided to see if my PalmPilot was
susceptible to the widely distributed 'nestea' exploit. After cradling my
PalmPilot Pro, and establishing a PPP connection with an MTU of 1500, I
tried a nestea of one packet against the Pilot's IP. After about 2 to 3
seconds, the Pilot popped up an error window like:
______________________
| |
| |
| |
| ____________________ |
|| Fatal Error ||
||~~~~~~~~~~~~~~~~~~~~||
|| Fatal Exception ||
|| _____ ||
|| (Reset) ||
|| ~~~~~ ||
~~~~~~~~~~~~~~~~~~~~~~
I suffered no data loss, but it's kind of annoying to have to re-boot your
pilot. I've tried to contact 3Com, but I've received no response from
them as to where to report PalmOS bugs. Questions I'd like to pose to the
reader:
1) When dialing up with the normal Palm PPP stack (not PPP-over-cradle),
will the attack still work (ie, will it negotiate a high enough MTU to
allow the crash packet through).
2) Does it also affect PalmOS 3.x (and other 2.x, for that matter)?
3) Does anyone know where to report these bugs to 3Com?
Bye,
-=[ Andrew Hobgood ]|[ Kha0S@EFNet
