{"vuid":"VU#222739","idnumber":"222739","name":"Handspring VisorPhone vulnerable to DoS via SMS image transfer","keywords":["Handspring","Visor","VisorPhone","Springboard","3Com","Palm OS","DoS","denial of service","SMS images"],"overview":"Handspring Visors equipped with the VisorPhone Springboard module can crash when receiving large SMS images from other mobile devices.","clean_desc":"Handspring Visor is a Palm-OS-based personal digital assistant (PDA) that features a proprietary plug-in hardware expansion technology named Springboard. Handspring VisorPhone is a Springboard module that plugs into a Visor to provide GSM telephony and networking services. VisorPhone is designed to receive and store Short Message Service (SMS) communications such as text messages. Certain other SMS-enabled devices can send and receive images through SMS. When the VisorPhone receives a large or crafted SMS image from one of these other devices, the VisorPhone database may become corrupted, and the Visor may also crash and require a reset (reboot) to resume function. Since images are generally larger than short text messages, the crash and corruption may result from a buffer-overflow vulnerability in the VisorPhone firmware or software. The crashing and corruption symptoms may also result from one or more of the following optional, third-party software extensions, or from interaction between one or more of these extensions and the VisorPhone software: AfterBurner\nKeyboard Hack 2\nMulticlip\nPopup Note\nPopup Time\nTechSounds In tests by Brian Wright and Jonathan Pitts, VisorPhone versions 1.0 and 1.0.1 both appear susceptible to crashing, and database corruption appeared in version 1.0. The possibility of database corruption in version 1.0.1 was not verified. When this vulnerability is exploited to crash the system, PalmOS displays the following message: memorymgr.c, line:4340, NULL handle","impact":"The Visor may crash, requiring a reset to resume function. In addition, the VisorPhone database -- which contains call logs, archived messages, custom messages, and other data -- may become irreversibly corrupted.","resolution":"The CERT/CC is currently unaware of a practical solution to this problem.","workarounds":"Disabling software extensions may prevent crashing due to this vulnerability.","sysaffected":"","thanks":"Thanks to Brian Wright and Jonathan Pitts for reporting this vulnerability.","author":"This document was written by Shawn Van Ittersum.","public":[],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2002-01-30T22:09:17Z","publicdate":"2001-10-22T00:00:00Z","datefirstpublished":"2002-09-24T15:52:37Z","dateupdated":"2002-09-24T15:52:41Z","revision":7,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"4","cam_population":"5","cam_impact":"3","cam_easeofexploitation":"12","cam_attackeraccessrequired":"15","cam_scorecurrent":"0.961875","cam_scorecurrentwidelyknown":"1.215","cam_scorecurrentwidelyknownexploited":"2.2275","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":0.961875,"vulnote":null}