Message-ID: <4D3990CF.80507@tehtri-security.com>
Date: Fri, 21 Jan 2011 08:57:35 -0500
From: Laurent OUDOT at TEHTRI-Security <laurent.oudot@...tri-security.com>
To: full-disclosure@...ts.grok.org.uk
Subject: [TEHTRI-Security] CVE-2010-2599: Update your BlackBerry
Gents,
BlackHat Washington DC has just finished, and we wanted to let you know
that RIM officially released a patch for the vulnerability found by
TEHTRI-Security in BlackBerry devices, and covered during our talk:
"Inglourious Hackerds: Targeting Web Clients".
The 0day created by TEHTRI-Security affects the BlackBerry browser
application of the following software versions:
* BlackBerry Device Software versions earlier than 6.0.0
This vulnerability has a Common Vulnerability Scoring System (CVSS)
score of 5.0 (Partial DoS in the BlackBerry browser application), but
could be used for sharp & evil purposes by those who know how to play
with this kind of stuff.
Basically, thanks to our 0day, an attacker could maliciously craft a web
page such that, when the BlackBerry device user views the page on a
device running the affected BlackBerry Device Software, the browser
application becomes unresponsive.
To quote the RIM web site, the BlackBerry device subsequently terminates the
browser, and the browser eventually restarts and displays an error message.
Successful exploitation of this issue relies on the user viewing the
maliciously crafted web page on a device running the affected BlackBerry
Device Software. The impact is limited to a partial Denial of Service
(DoS) in the browser application in use on the BlackBerry device.
What was quite funny is that, with little tweaks (based on incoming
User-Agent + sizes of buffers + payloads...) our 0day also worked
against HTC Windows, Apple iPhone/iPod (CVE-2010-1752) and Google
Android devices, with different kinds of results. It's all related to a
flaw in the way those devices try to handle HTML code, based on some
concepts taken from the HTTP RFC directly...
To avoid the spread of annoying exploits, that would target customers of
Google, RIM, Apple & HTC, we only shared some information with the
vendors and during the BlackHat DC event, but our slides on BlackHat.com
will also contain part of the information.
If you want to go further, here are some useful links:
- Official RIM web page dealing with our 0Day:
http://www.blackberry.com/btsc/KB24841
- BlackHat Washington DC:
https://www.blackhat.com/html/bh-dc-11/bh-dc-11-schedule.html
- Mitre CVE Entry
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2599
- Gartner.com Blog Entry about our talk @BHDC:
http://blogs.gartner.com/john_pescatore/2011/01/20/if-a-toy-breaks-in-a-work-forest-will-the-toy-vendor-hear-a-noise-and-fix-it/
- NetworkWorld Press Article about our talk @BHDC:
http://www.networkworld.com/news/2011/012011-retaliation-answer-cyber-attacks.html
- TEHTRI-Security Blog:
http://blog.tehtri-security.com/2011/01/blackhat-dc-2011-inglourious-hackerds.html
We would like to thank the security experts of RIM who came to our talk
in Washington, and who took time there to share explanations with our
attendees in order to show how they mitigated our findings by handling
those issues with all the carriers involved worldwide (what an
incredible task).
On our side, we got technical fun by doing technical penetration tests
on those devices, and this is how we found such 0days. We do think that
basic tests are not always done properly because of consumerization,
money & time issues, etc.
Recently, we found 0days against IP Camera surveillance, etc, by doing
penetration tests. We live in a world where everything has to be clean,
beautiful, quick, easy, marketable, and certified. But what about IT
Security, while everything gets more and more complex...
We now all get Certified non-Ethically Hackable...
"Good night, and Good luck."
Best regards,
Laurent OUDOT, from Washington DC, USA @BlackHatDC Briefings
( http://blackhat.com/html/bh-dc-11/bh-dc-11-briefings.html#Oudot )
TEHTRI-Security - "This is not a Game."
http://www.tehtri-security.com/
http://twitter/tehtris
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/