Message-ID: <fe37588d0710190139s5ae7238bhcb1d7d57856c7d3e@mail.gmail.com>
Date: Fri, 19 Oct 2007 04:39:44 -0400
From: "Kristian Erik Hermansen" <kristian.hermansen@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Gmail 1.1.0 for BlackBerry remote DoS

I have tested and confirmed this bug on a BlackBerry 8700c in a
repeatable fashion. Three outcomes are common (so may be race
condition)...

1) Entire BlackBerry OS freeze. (On soft-reboot, you will see the
uncaught Java exception for Gmail app)
2) Gmail freezes for some time, and then OS can recover (Gmail not
responding, and killed)
3) Or no DoS at all (if you are lucky)

Here is the message you will get...

"Uncaught exception: Application gm_8700_v4_0_L1(147) is not
responding; process terminated"

The way I have commonly invoked this is to send an email of at least
20k in size to an Exchange-synced email address on the same device. If
the user has a Gmail account open, it is more likely to go into DoS
condition if you are composing an email or replying to a large thread.
Maybe this is due to Gmail trying to auto-save the draft at the same
time and hanging? Also, how is the hacker community debugging
BlackBerry apps for security issues? i.e., can I remotely debug the
processes via USB on the 8700c?

Thanks in advance...

PS -- Oh, I just thought that since we are talking about BlackBerry, I
should mention another funny bug, but not a security issue. It has to
do with multi-byte character manipulation...

Tested on 8700c v4.2.1.96 (Platform 2.3.0.79). Follow these steps to
reproduce the Arabic array index out of bounds exception when making a
phone call...

Home -> Settings -> Options -> Language -> Change Option -> Arabic
(funky chars, top item in list) -> Save
Home -> [do this next part quickly] tap 9, tap 0 quickly twice, while
char is still highlighted tap DEL.

"Uncaught exception: java.lang.StringIndexOutOfBoundsException"

--
Kristian Erik Hermansen
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/