[TEHTRI-Security] CVE-2010-2599: Update your BlackBerry

2011-01-24T00:00:00
ID SECURITYVULNS:DOC:25534
Type securityvulns
Reporter Securityvulns
Modified 2011-01-24T00:00:00

Description

Gents,

BlackHat Washington DC has just finished, and we wanted to let you know that RIM officially released a patch for the vulnerability found by TEHTRI-Security in BlackBerry devices, and covered during our talk: "Inglourious Hackerds: Targeting Web Clients".

The 0day created by TEHTRI-Security affects the BlackBerry browser application of the following software versions:

  • BlackBerry Device Software versions earlier than 6.0.0

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 5.0 (Partial DoS in the BlackBerry browser application), but could be used for sharp & evil purpose by those who know how to play with such kind of stuff.

Basically, thanks to our 0day, an attacker could maliciously craft a web page such that, when the BlackBerry device user views the page on a device running the affected BlackBerry Device Software, the browser application becomes unresponsive.

To quote RIM web site, the BlackBerry device subsequently terminates the browser, and the browser eventually restarts and displays an error message.

Successful exploitation of this issue relies on the user viewing the maliciously crafted web page on a device running the affected BlackBerry Device Software. The impact is limited to a partial Denial of Service (DoS) in the browser application in use on the BlackBerry device.

What was quite funny is that, with little tweaks (based on incoming User-Agent + sizes of buffers + payloads...) our 0day also worked against HTC Windows, Apple iPhone/iPod (CVE-2010-1752) and Google Android devices, with different kind of results. It's all related to a flaw in the way those devices try to handle HTML codes, based on some concepts taken from the HTTP RFC directly...

To avoid the spread of annoying exploits, that would target customers of Google, RIM, Apple & HTC, we only shared some information with the vendors and during the BlackHat DC event, but our slides on BlackHat.com will also contain part of information.

If you want to go further, here are some useful links:

  • Official RIM web page dealing with our 0Day: http://www.blackberry.com/btsc/KB24841

  • BlackHat Washington DC: https://www.blackhat.com/html/bh-dc-11/bh-dc-11-schedule.html

  • Mitre CVE Entry http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2599

  • Gartner.com Blog Entry about our talk @BHDC: http://blogs.gartner.com/john_pescatore/2011/01/20/if-a-toy-breaks-in-a-work-forest-will-the-toy-vendor-hear-a-noise-and-fix-it/

  • NetworkWorld Press Article about our talk @BHDC: http://www.networkworld.com/news/2011/012011-retaliation-answer-cyber-attacks.html

  • TEHTRI-Security Blog: http://blog.tehtri-security.com/2011/01/blackhat-dc-2011-inglourious-hackerds.html

We would like to thanks the security experts of RIM who came to our talk in Washington, and who took time there to share explanations with our attendees in order to show how they mitigated our findings by handling those issues with all the carriers involved worldwide (what an incredible task).

On our side, we got technical fun by doing technical penetration tests on those devices, and this is how we found such 0days. We do think that basic tests are not always done properly because of consumerization, money & time issues, etc.

Recently, we found 0days against IP Camera surveillance, etc, by doing penetration tests. We live in world where everything has to be clean, beautiful, quick, easy, marketable, and certified. But what about IT Security, while everything gets more and more complex... We now all get Certified non-Ethically Hackable...

"Good night, and Good luck."

Best regards,

Laurent OUDOT, from Washington DC, USA @BlackHatDC Briefings ( http://blackhat.com/html/bh-dc-11/bh-dc-11-briefings.html#Oudot )

TEHTRI-Security - "This is not a Game." http://www.tehtri-security.com/ http://twitter/tehtris