[HV-HIGH] RIM Blackberry buffer overflow, DoS, data loss

vuln_at_hexview.com
Date: 10/13/04

  • Next message: advisory: "BindView Advisory: Memory Leak and DoS in NT4 RPC server"
    Date: Tue, 12 Oct 2004 21:40:43 -0700
    To: full-disclosure@lists.netsys.com
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    RIM Blackberry buffer overflow, DoS, data loss

    Classification:
    ===============
    Level: low-med-[HIGH]-crit
    ID: HEXVIEW*2004*10*12*1

    Overview:
    =========
    RIM Blackberry is a Java-based wireless connectivity solution providing
    phone, e-mail, and other services on a variety of handheld devices.

    Affected products:
    ==================
    All tests were performed on a RIM Blackberry 7230 with RIM Blackberry
    Operating System software version 3.7.1.41. The Blackberry was synchronized
    with Microsoft Exchange server using Blackberry Enterprise Server for
    Microsoft Exchange.

    Cause and Effect:
    =================
    Insufficient data validation for incoming calendar data makes possible
    to cause buffer overflow condition leading to stack corruption. As a result,
    it is possible to reboot the device (all stored messages will be lost since
    RAM storage will be reinitialized). It is also possible to execute code
    embedded by the attacker. It should be mentioned that Blackberry developers
    tools are freely available.

    Demonstration:
    ==============
    The issue can easily be reproduced by sending a standard Microsoft Outlook
    meeting request message with very long string (over 128K) in the "Location:"
    field. To force immediate user notification, set meeting date/time to the
    past. The Blackberry reboots when it tries to notify the user. No user action
    is required. It is possible to render Blackberry device completely useless by
    queuing a number of such messages into user's mailbox.

    Vendor Status:
    ==============
    At the time of release vendor was not aware of the vulnerability.
    HexView does not notify vendors unless there is a prior agreement to do so.
    Vendors interested in receiving notifications prior to public disclosure
    or more detailed analysis may obtain more information by writing to the
    e-mail address provided at the end of the document.

    About HexView:
    ==============
    HexView contributes to online security-related lists for almost a decade.
    The scope of our expertize spreads over Windows, Linux, Sun, MacOS platforms,
    network applications, and embedded devices. The chances are you read our
    advisories or disclosures. For more information visit http://www.hexview.com

    Distribution:
    =============
    This document may be freely distributed through any channels as long as the
    contents are kept unmodified. Commercial use of the information in the document
    is not allowed without written permission from HexView signed by our pgp key.

    Feedback and comments:
    ======================
    Feedback and questions about this disclosure are welcome at vtalk@hexview.com

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.5 (GNU/Linux)

    iD8DBQFBbK9nDPV1+KQrDqQRArKsAJ4stRTmdeFBgpBdfedf6xzQQOBMUQCglAkq
    l6I2a5IKd4TXp1SMQolcuao=
    =pqy8
    -----END PGP SIGNATURE-----


  • Next message: advisory: "BindView Advisory: Memory Leak and DoS in NT4 RPC server"

    Relevant Pages