what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

iDEFENSE Security Advisory 2009-01-12.1

iDEFENSE Security Advisory 2009-01-12.1
Posted Jan 14, 2009
Authored by iDefense Labs, Sean Larsson | Site idefense.com

iDefense Security Advisory 01.12.09 - Remote exploitation of a heap overflow vulnerability in Research In Motion Ltd. (RIM)'s BlackBerry Enterprise Server could allow an attacker to execute arbitrary code with the privileges of the affected service, usually SYSTEM. The vulnerability occurs when parsing a certain stream inside of a PDF file. During parsing, a heap buffer is filled up with without properly checking to see whether the buffer is large enough to hold the current value. By inserting a large number of values, it is possible to overflow the buffer, and corrupt object pointers. This can lead to pointers being controlled, which results in the execution of arbitrary code. iDefense has confirmed the existence of this vulnerability in BlackBerry Enterprise Server version 4.1.5 and 4.1.6 (4.1 SP5, SP6). 4.1.6 is the most current version, as of the publishing of this report. This vulnerability was confirmed in BlackBerry Enterprise Server for Microsoft Exchange, but is believed to affect the Lotus and Novell versions as well. Previous versions may also be affected.

tags | advisory, remote, overflow, arbitrary
SHA-256 | 088ad6b29c5080b1d10d96f654db6a53804b4e7c72ffc0fb13352281510e21ab

iDEFENSE Security Advisory 2009-01-12.1

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDefense Security Advisory 01.12.09
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 12, 2009

I. BACKGROUND

The BlackBerry Enterprise Server is a suite of applications used to
connect enterprise email and messaging services to BlackBerry device
users. It consists of a variety of applications, one of which is the
Attachment Service. This application is used to convert email
attachments into a format that is easily rendered on BlackBerry
devices. When a user requests an attachment on their BlackBerry device,
the Attachment Service will obtain the attachment, parse and convert it,
and then send it to the user for viewing. The Attachment Service is
capable of converting a variety of different file formats, including
PDF files. This vulnerability affects the PDF filter/distiller. For
more information, see the vendor's site found at the following link.

http://na.blackberry.com/eng/services/server/

II. DESCRIPTION

Remote exploitation of a heap overflow vulnerability in Research In
Motion Ltd. (RIM)'s BlackBerry Enterprise Server could allow an
attacker to execute arbitrary code with the privileges of the affected
service, usually SYSTEM.

The vulnerability occurs when parsing a certain stream inside of a PDF
file. During parsing, a heap buffer is filled up with without properly
checking to see whether the buffer is large enough to hold the current
value. By inserting a large number of values, it is possible to
overflow the buffer, and corrupt object pointers. This can lead to
pointers being controlled, which results in the execution of arbitrary
code.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the Attachment Service, usually SYSTEM. In
order to exploit this vulnerability, an attacker must email an
enterprise BlackBerry user a malicious PDF file. Then, the user must
attempt to view the file on their device. It is important to note that
a user must request the attachment in order to trigger the parsing. It
is not possible to exploit this vulnerability in a completely automated
fashion without a user asking to view the file. However, after a user
has requested the attachment, no further interaction is necessary.

Exploitation of heap overflow vulnerabilities on modern operating
systems can be difficult due to heap integrity checks. However, the
code in the PDF Distiller offers a wide variety of application specific
targets for overwriting. By sculpting the heap it is possible place
pointers in the buffer and use these to gain arbitrary code execution.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in BlackBerry
Enterprise Server version 4.1.5 and 4.1.6 (4.1 SP5, SP6). 4.1.6 is the
most current version, as of the publishing of this report. This
vulnerability was confirmed in BlackBerry Enterprise Server for
Microsoft Exchange, but is believed to affect the Lotus and Novell
versions as well. Previous versions may also be affected.

V. WORKAROUND

It is possible to disable the PDF Distiller, which will prevent the
conversion of PDF files by the Attachment Server. The following
workaround was suggested by RIM for a previous PDF Distiller
vulnerability, and has been verified to prevent the vulnerability
described in this report. This workaround can be accomplished as
follows:

To remove the PDF file extension from the list of supported file format
extensions, complete the following actions:

1. From the Windows Desktop, open the BlackBerry Server Configuration
tool.
2. Click the Attachment Server tab.
3. In the Format Extensions field, delete pdf: from the colon
delimited list of extensions.
4. Click Apply.
5. Click OK.

After this, it is also necessary to completely disable the PDF distiller
from loading, which will prevent an attacker from renaming a PDF to some
other format extension. In order to do this, complete the following
steps:

1. On the Windows Desktop, open the BlackBerry Server Configuration tool.
2. Click the Attachment Server tab.
3. In the Configuration Option drop-down list, select Attachment Server.
4. In the Distiller Settings section, next to the distiller name
Adobe PDF, clear the check box in the Enabled column.
5. Click Apply.
6. Click OK.
7. On the Windows Desktop, in Administrative Tools, open Services.
8. Right-click BlackBerry Attachment Service and click Stop.
9. Right-click BlackBerry Attachment Service and click Start.
10. Close Services.

In Microsoft Exchange and Novell GroupWise environments, complete the
following additional steps:

1. On the Windows Desktop, in Administrative Tools, open Services.
2. Right-click BlackBerry Dispatcher and click Stop.
3. Right-click BlackBerry Dispatcher and click Start.
4. Close Services.

In IBM Lotus Domino environments, complete the following additional
steps:

1. Open the IBM Lotus Domino Administrator.
2. Click the Server tab.
3. Click the Status tab.
4. Click Server Console.
5. In the Domino Command field, type tell BES quit and press ENTER.
6. In the Domino Command field, type load BES and press ENTER.
7. Close the IBM Lotus Domino Administrator.

VI. VENDOR RESPONSE

RIM has released a patch which addresses this issue. For more
information, consult their advisories at the following URLs:

http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB17118

http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB17119

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

12/17/2008 Initial Vendor Notification
12/17/2008 Initial Vendor Reply
12/17/2008 PoC Code Provided To Vendor
12/17/2008 Request Additional Information
01/06/2009 Additional Vendor Feedback
01/12/2009 Coordinated Public Disclosure

IX. CREDIT

This vulnerability was discovered by Sean Larsson, iDefense Labs.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2009 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJbPEtbjs6HoxIfBkRArA9AKC+HHRI4yTyX1qfKI3Risx2rBLebQCgov2e
h0GBEHCHYZuz6nAR3JE3DEA=
=0wb6
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close