BlackBerry Forums Support Community               

Closed Thread
 
LinkBack Thread Tools
Old 10-14-2004, 03:32 PM   #1 (permalink)
New Member
 
Join Date: Sep 2004
Posts: 8
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default RIM Blackberry buffer overflow, DoS, data loss

Please Login to Remove!

Found this over at Engadget.

Quote:

Cause and Effect:
=================
Insufficient data validation for incoming calendar data makes possible
to cause buffer overflow condition leading to stack corruption. As a result,
it is possible to reboot the device (all stored messages will be lost since
RAM storage will be reinitialized). It is also possible to execute code
embedded by the attacker.
Offline  
Old 10-14-2004, 03:54 PM   #2 (permalink)
Knows Where the Search Button Is
 
Join Date: Aug 2004
Model: 7290V
Carrier: Vodafone
Posts: 17
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

You should read http://www.hexview.com/docs/20041014-1.txt

They are the original source and have corrected their earlier message.

Boheme
Offline  
Old 10-14-2004, 06:49 PM   #3 (permalink)
Retired BBF Moderator
 
Mark Rejhon's Avatar
 
Join Date: Aug 2004
Location: Ottawa, Ontario, Canada
Model: Bold
Carrier: Rogers
Posts: 4,870
Post Thanks: 1
Thanked 0 Times in 0 Posts
Default

RIM provided a fix in newer OS. Vulnerability downgraded to MEDIUM.

Original engadget has error. No buffer overflow condition, no loss of data -- just a device reboot because a watchdog timer times out.

There's almost no RAM in a BlackBerry -- messages are stored in flash ROM "on the fly", and messages are not lost during a reboot or battery removable.
__________________
Thanks,
Mark Rejhon
Author of XMPP extension XEP-0301:
www.xmpp.org/extensions/xep-0301.html - specification
www.realjabber.org - open source
Offline  
Old 10-15-2004, 11:05 AM   #4 (permalink)
New Member
 
Join Date: Sep 2004
Model: 8700
Carrier: Rogers
Posts: 13
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

has RIM documented this on their site somewhere? If so, do you have a link?
Offline  
Old 10-15-2004, 11:59 AM   #5 (permalink)
CrackBerry Addict
 
ScOObydoo's Avatar
 
Join Date: Aug 2004
Model: Curve
Carrier: tmo
Posts: 829
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

You have to wonder what kind of searches these folks do in order to find bugs like this :D
Offline  
Old 10-15-2004, 01:21 PM   #6 (permalink)
New Member
 
Join Date: Sep 2004
Model: 8700
Carrier: Rogers
Posts: 13
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

I guess I should have clarified what I was looking for, Is there documentation on the fix?

JJ
Offline  
Old 10-15-2004, 01:24 PM   #7 (permalink)
New Member
 
Join Date: Sep 2004
Model: 8700
Carrier: Rogers
Posts: 13
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Found it:
http://www.blackberry.com/knowledgec...3&vernum=0

JJ
Offline  
Old 10-15-2004, 02:53 PM   #8 (permalink)
CrackBerry Addict
 
sempai's Avatar
 
Join Date: Sep 2004
Location: Providence, RI, US
Model: 8xxx
Carrier: T-Mobile, US
Posts: 728
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by ScOObydoo
You have to wonder what kind of searches these folks do in order to find bugs like this :D
Do you really want to know?

I'm a vulnerability researcher by day.
__________________
Offline  
Old 10-15-2004, 03:29 PM   #9 (permalink)
BlackBerry God
 
jibi's Avatar
 
Join Date: Oct 2004
Location: Jibi's Secret Place
Model: 8900
OS: 4.6.1.174
Carrier: AT&T
Posts: 11,310
Post Thanks: 0
Thanked 1 Time in 1 Post
Default

Quote:
Originally Posted by sempai
Quote:
Originally Posted by ScOObydoo
You have to wonder what kind of searches these folks do in order to find bugs like this :D
Do you really want to know?

I'm a vulnerability researcher by day.
actually, i am curious.
Offline  
Old 10-15-2004, 03:46 PM   #10 (permalink)
CrackBerry Addict
 
sempai's Avatar
 
Join Date: Sep 2004
Location: Providence, RI, US
Model: 8xxx
Carrier: T-Mobile, US
Posts: 728
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

I haven't done any work with BlackBerry devices other than some forensics to recover data from dead and fried BlackBerry devices.

But there are people that just spend their day finding out new ways to break things in order to make the world a safer place.

As for getting notifications about this, there are tons of people that put this information out, and most people that work in this space aggregate all of it and have to read everything, every single day!

If you wanted to know about security problems with BlackBerry devices and didn't want to deal with everything else, you could probably setup a Google Alert for BlackBerry RIM Vulnerability.

I'm wondering if I am even answering the question the right way.
__________________
Offline  
Closed Thread


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On





Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.