BlackBerry Forums Support Community               

Closed Thread
 
LinkBack Thread Tools
Old 10-13-2004, 05:46 PM   #1 (permalink)
New Member
 
Join Date: Aug 2004
Posts: 10
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default Seems we'll have some work soon...

Please Login to Remove!

http://www.hexview.com/docs/20041012-1.txt

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

RIM Blackberry buffer overflow, DoS, data loss

Classification:
===============
Level: low-med-[HIGH]-crit
ID: HEXVIEW*2004*10*12*1

Overview:
=========
RIM Blackberry is a Java-based wireless connectivity solution providing
phone, e-mail, and other services on a variety of handheld devices.

Affected products:
==================
All tests were performed on a RIM Blackberry 7230 with RIM Blackberry
Operating System software version 3.7.1.41. The Blackberry was synchronized
with Microsoft Exchange server using Blackberry Enterprise Server for
Microsoft Exchange.

Cause and Effect:
=================
Insufficient data validation for incoming calendar data makes possible
to cause buffer overflow condition leading to stack corruption. As a result,
it is possible to reboot the device (all stored messages will be lost since
RAM storage will be reinitialized). It is also possible to execute code
embedded by the attacker. It should be mentioned that Blackberry developers
tools are freely available.

Demonstration:
==============
The issue can easily be reproduced by sending a standard Microsoft Outlook
meeting request message with very long string (over 128K) in the "Location:"
field. To force immediate user notification, set meeting date/time to the
past. The Blackberry reboots when it tries to notify the user. No user action
is required. It is possible to render Blackberry device completely useless by
queuing a number of such messages into user's mailbox.

Vendor Status:
==============
At the time of release vendor was not aware of the vulnerability.
HexView does not notify vendors unless there is a prior agreement to do so.
Vendors interested in receiving notifications prior to public disclosure
or more detailed analysis may obtain more information by writing to the
e-mail address provided at the end of the document.

About HexView:
==============
HexView contributes to online security-related lists for almost a decade.
The scope of our expertize spreads over Windows, Linux, Sun, MacOS platforms,
network applications, and embedded devices. The chances are you read our
advisories or disclosures. For more information visit http://www.hexview.com

Distribution:
=============
This document may be freely distributed through any channels as long as the
contents are kept unmodified. Commercial use of the information in the document
is not allowed without written permission from HexView signed by our pgp key.

Feedback and comments:
======================
Feedback and questions about this disclosure are welcome at [email address]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBbK9nDPV1+KQrDqQRArKsAJ4stRTmdeFBgpBdfedf6x zQQOBMUQCglAkq
l6I2a5IKd4TXp1SMQolcuao=
=pqy8
-----END PGP SIGNATURE-----
Offline  
Old 10-13-2004, 09:40 PM   #2 (permalink)
BlackBerry God
 
jibi's Avatar
 
Join Date: Oct 2004
Location: Jibi's Secret Place
Model: 8900
OS: 4.6.1.174
Carrier: AT&T
Posts: 11,310
Post Thanks: 0
Thanked 1 Time in 1 Post
Default

i will say that the security group that found this vulnerability are assholes. thats absolutely incredible that they would not notify RIM before releasing the security advisory...
__________________
In the beginning the Universe was created. This has made a lot of people very angry and is widely regarded as a bad move.
Offline  
Old 10-13-2004, 11:48 PM   #3 (permalink)
Thumbs Must Hurt
 
Join Date: Aug 2004
Location: 92658
Model: 7290, 7280
Posts: 73
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

anyone want to try this?



.
Offline  
Old 10-14-2004, 12:23 AM   #4 (permalink)
Thumbs Must Hurt
 
emale's Avatar
 
Join Date: Sep 2004
Model: 8800
Carrier: Rogers
Posts: 156
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Tried with outlook, but it wouldnt let me put that much data in the location field...
Offline  
Old 10-14-2004, 01:03 PM   #5 (permalink)
Thumbs Must Hurt
 
Join Date: Aug 2004
Posts: 128
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

HexView's allegations are false. Here is what RIM is saying:

Information

A HexView advisory published on October 12, 2004 identified an issue in BlackBerry handheld software version 3.7 Service Pack 1 that is known to Research In Motion and has already been corrected in BlackBerry handheld software version 3.8 and later.

The HexView advisory correctly identifies a scenario that can be manufactured to cause a handheld to reset, but Research In Motion believes that the advisory contains several incorrect conclusions about the potential impact of the issue. While exploiting the software issue could cause a handheld to reset, it does not constitute a buffer overflow or data loss vulnerability. As of this time, Research In Motion has not received any customer reports of this issue being exploited in practice.

Background

HexView published a brief advisory October 12, 2004. HexView's policy at that time was not to contact vendors in advance unless a vendor has a prior agreement with HexView. As such, Research In Motion was not notified, in advance, and was not able to provide any feedback to HexView in advance of their release. RIM has since contacted HexView and HexView was helpful in assisting RIM.

In its advisory, HexView points out the issue can be created by sending a Microsoft Outlook meeting request message with a large string, over 128KB, in the Location field. It is important to note that Microsoft Outlook limits the size of the Location field to 255 characters, or bytes, so a large Location field cannot be normally or inadvertently created. Nonetheless, Research In Motion has replicated the issue defined by HexView on handhelds running handheld software version 3.7 Service Pack 1 software and confirmed a handheld reset can occur. However, Research In Motion believes the additional conclusions in the advisory are incorrect. Specifically:

a buffer overflow and stack corruption do not occur;

stored messages and user data are not lost these are stored in non-volatile Flash memory - not RAM; and

malicious code cannot be embedded and executed on the device.

In actuality, a watchdog timer causes the handheld to reset.

Actions


Research In Motion has previously implemented a fix to address the reset issue described above in the most recent handheld software version 3.8 and version 4.0.

RIM also plans to implement a further safeguard at the server level in BlackBerry Enterprise Server version 4.0, as well as future revisions of BlackBerry Enterprise Server version 3.6 for Microsoft Exchange and BlackBerry Enterprise Server for IBM Lotus Domino version 2.2, that will prevent artificially large or problematic meeting request messages from being delivered to the handheld, thereby eliminating the need for handheld software to be upgraded to version 3.8 or version 4.0.
Offline  
Old 10-14-2004, 01:30 PM   #6 (permalink)
BBF Veteran User
 
Join Date: Aug 2004
Location: Hotwiring another Cessna
Model: OU812
Carrier: Nintendo
Posts: 3,492
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Corrected in 3.8? As far as I know it's only released for 7100 so far.
Offline  
Old 10-14-2004, 03:10 PM   #7 (permalink)
Knows Where the Search Button Is
 
Join Date: Aug 2004
Model: 7290V
Carrier: Vodafone
Posts: 17
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by bfrye
Corrected in 3.8? As far as I know it's only released for 7100 so far.
As far as I understand the message from RIM, they will do some work on the serversoftware, so there will be no need to updaute to handheldsoftware 3.8. or 4.0

BTW RIM has a statement on their website now about this:

http://www.blackberry.com/knowledgec...3&vernum=0
Offline  
Old 10-14-2004, 04:06 PM   #8 (permalink)
BlackBerry God
 
jibi's Avatar
 
Join Date: Oct 2004
Location: Jibi's Secret Place
Model: 8900
OS: 4.6.1.174
Carrier: AT&T
Posts: 11,310
Post Thanks: 0
Thanked 1 Time in 1 Post
Default

http://www.hexview.com/docs/20041014-1.txt
__________________
In the beginning the Universe was created. This has made a lot of people very angry and is widely regarded as a bad move.
Offline  
Closed Thread


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On





Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.