[jibi]

Security Hole Claimed for BlackBerrys
New research released over the weekend indicated that BlackBerrys -- the ubiquitous handheld devices favored by on-the-go types -- are vulnerable to a security hole that could let attackers break in to the gadgets by convincing users to open a specially crafted image file attached to an e-mail.

The information was released at the 22nd Chaos Communication Congress hacker convention in Berlin by this guy -- "FX" of the security research group Phenoelit.



Research in Motion Ltd., the Canadian company that makes the devices, said it is a previously reported issue "that has been escalated internally to our development team. No resolution time frame is currently available." RIM's advisory downplays the threat, saying that "a corrupt Tagged Image File Format (TIFF) file sent to a user may stop a user’s ability to view attachments. There is no impact on any other services (for example, sending and receiving messages, making phone calls, browsing the Internet, and running handheld applications to access a corporate network)."

RIM didn't mention anything about the flaw allowing attackers to download and execute programs on the targeted device, but I'm left wondering whether they escalated this because of just such a threat. I obviously didn't hear FX's talk, but an alert released over the weekend by US-CERT says remote code execution is possible.

RIM doesn't say when it plans to have a fix available, but for now it is urging companies who use the service to reconfigure any machine serving as an internal BlackBerry Internet Server to filter TIFF images or disable the file-attachment capability altogether.

Update, 10:27 a.m. ET: Having just spoken with FX (a.k.a Felix Lindner), I definitely feel like I understand the threat here a bit better, and it is a little more serious than I first thought. Lindner said the real problem -- a vulnerability in the way Blackberry servers handle portal network graphics (PNG) images, was not disclosed by either RIM or the US-CERT advisory. Lindner said he suspects that's because this PNG flaw is present not in the newest version of Blackberry server but in all versions from 4.0 to 4.0.1.9 (the latter was released roughly a month ago, and no doubt many companies still run that version).

Lindner said he started looking into Blackberry's proprietary communications protocols because the Blackberry server requires an unusual level of access inside of a corporate network: the server must be run inside a company's network firewall and on a Windows machine that is granted full and direct administrative access to the customer's internal e-mail server.

"We started looking at all of the privileges this server needs while sitting right in the middle of the network and realized we didn't know anything about it," Lindner said. "In a lot of companies, corporate managers want to install it because they want their Blackberrys, but we wanted to find out what risks are there connected to running this thing."

Lindner's slides from his presentation -- which he agreed not to release until RIM has fully fixed this problem -- show that the Blackberry server which manages all of the encryption keys needed to unscramble e-mail traffic to and from all Blackberry devices registered on the network stores them on a Micorosft SQL database server in plain, unencrypted text.

Lindner found that by convincing a Blackberry user to click on a special image attachment, that handheld device could be made to pass on malicious code to the Blackberry server, which could then be taken over and used to intercept e-mails or as a staging point for other attacks within the network.

I put in a call to the RIM folks: Will update the post if I get a response from them directly.

[jibi]

The article speaks first about TIFF files then follows up with an update from a conversation with the security hacker concerning PNG files. There are two exploits - PNG files, which is fixed by applying 4.0 SP3, and TIFF files, which is still an open issue.

US-CERT Advisory:
http://www.kb.cert.org/vuls/id/570768

RIM KB Article for TIFF:
http://www.blackberry.com/knowledgec...nodeid=1167895

RIM KB Article for PNG:
http://www.blackberry.com/knowledgec...nodeid=1167794

[jwcanada]

Here is the latest info that I received this morning from our TAM. It appears there are 4 holes which 3 of them have a fix with the HF's in SP3. The last point they are currently working on the fix.

1. Overview - If you download a JAD file with a long descriptor (>256
characters) the dialogue box isn't properly dismissed. Referenced in
KB-04755:

http://www.blackberry.com/knowledgec...xe/fetch/2000/
8021/7925/8142/Support_-_Browser_dialogue_box_not_properly_dismissed_aft
er_downloading_a_corrupt_JAD_file.html?nodeid=1167 791



2. Overview - A specially formed PNG file may lead to arbitrary code
execution on the attachment server. Referenced in KB-04756:

http://www.blackberry.com/knowledgec...xe/fetch/2000/
8021/728075/728850/728215/Support_-_Corrupt_PNG_file_may_cause_heap_over
flow_in_the_Blackberry_Attachment_Service.html?nod eid=1167794




3. Overview - A specially formed TIFF file may lead to cause the
attachment server to crash. The attachment server will automatically
restart. Referenced in KB-04757:


http://www.blackberry.com/knowledgec...xe/fetch/2000/
8021/728075/728850/728215/Known_Issues_-_Corrupt_TIFF_file_may_cause_hea
p_overflow_resulting_in_denial_of_service_in_the_B lackberry_Attachment_S
ervice.html?nodeid=1167895




4. Overview - A malformed packet sent to the BlackBerry Router can cause
it to crash creating a denial of service. Referenced in KB-04758:


http://www.blackberry.com/knowledgec...xe/fetch/2000/
8021/728075/728850/728215/Known_Issues_-_Denial_of_service_on_the_BlackB
erry_Router.html?nodeid=1167898


The first three points above have been addressed in SP3 Hofixes.. Please
visit http://www.blackberry.com/support/do...ot_fixes.shtml to see
the release notes.

The fourth point above refers to the possible "denial of service"
attacks to the BlackBerry Router. This is the only fix that we're still
working on, and a fix should be along soon. It is important to note
that this possible attack must come from inside your environment, since
port 3101 (if configured as per our installation requirements) does NOT
allow any inbound connections.

[jwcanada]

Another update: The fix for this

4. Overview - A malformed packet sent to the BlackBerry Router can cause
it to crash creating a denial of service. Referenced in KB-04758:


http://www.blackberry.com/knowledge...exe/fetch/2000/
8021/728075/728850/728215/Known_Issues_-_Denial_of_service_on_the_BlackB
erry_Router.html?nodeid=1167898

will be release in the next SP next month.

[FlemmingRiis]

Attachment Service
*SDR 77118 Previously, the way in which the BlackBerry Attachment Service processed certain corrupt PNG files might have caused a heap
overflow. This vulnerability could have allowed for arbitrary code execution. See article number KB-04756 for more information.
*SDR 76709 Previously, the way in which the BlackBerry Attachment Service processed certain corrupt TIFF files might have caused a buffer
overflow and prevented users from viewing attachments. See article number KB-04757 for more information.
*SDR 73716 Previously, the way in which the BlackBerry Attachment Service processed certain corrupt Microsoft® Word files might have
caused a buffer overflow. This vulnerability could have allowed for arbitrary code execution. See article number KB-04791 for
more information.

from HF4 for domino.