Low severity flaw in RIM BlackBerry PlayBook OS browser

Board: Bugtraq. Posted 2013/04/27 12:32.
Summary

The web browser which comes as part of the RIM BlackBerry PlayBook OS can be tricked into disclosing the contents of local files through the planting of a malicious HTML file through the standard download mechanism.

It should be noted that in order to exploit this issue, user interaction is required as the user will need to confirm the download of the malicious HTML file.

After discussions with the vendor, CVE-2012-5828 was assigned to this vulnerability.

Current

As of 1st November 2012, the state of the vulnerability is believed to be as follows. RIM have begun shipping a patch which it is believed successfully resolves the reported issue.

Thanks

Nth Dimension would like to thank all the security folk at RIM, in particular the BlackBerry Incident Response team for the way they worked to resolve the issue.
--
Tim Brown
<mailto:timb@nth-dimension.org.uk>
<http://www.nth-dimension.org.uk/>

Attachment: NDSA20121030.txt.asc (PGP signed message, Hash: SHA256)

Nth Dimension Security Advisory (NDSA20121030)

Date: 30th October 2012
Author: Tim Brown <mailto:timb@nth-dimension.org.uk>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: RIM BlackBerry PlayBook OS 1.0.8.6067 <http://www.rim.com/products/blackberry_tablets.shtml>
Vendor: RIM <http://www.rim.com/>
Risk: Low

Solutions

Nth Dimension recommends that the vendor supplied patches should be applied.

Technical Details

It was identified that the PlayBook web browser could be forced to download rather than render HTML files and that, whilst the browser does prompt the user to confirm the location of the download, this download process defaults to an attacker chosen location.

Furthermore, once downloaded, it is possible to use the "Location" header to load the file from the attacker's chosen location using the "file://" URL handler in such a manner that the downloaded HTML then has trusted access to the PlayBook filing system.

It is possible to craft an HTML download which, when opened, will lead to arbitrary JavaScript being executed in the local context. The "file://" URL handler is trusted to execute across domains.
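The two browser behaviours described above, HTML delivered as a forced download and a "Location" redirect from a network origin to a "file://" target, correspond to two client-side policy checks a browser (or an inspecting proxy) can enforce. The following is an added example and is not code from Nth Dimension, RIM or the PlayBook browser: it resolves redirect targets against an http(s) scheme allowlist and flags HTML responses sent as attachments. The URLs, header values and function names are constructed for the example; the rule that a network-origin redirect must never land on a local-file scheme is stated here as the policy being modelled, not as a description of the PlayBook fix.

```python
"""Defensive checks for the two behaviours in the advisory (added example):
(1) an HTML response delivered as a forced download, and
(2) a Location redirect from a network origin to a file:// target.

Not code from Nth Dimension or RIM. All sample headers and URLs are
constructed input, not captured traffic."""
from urllib.parse import urljoin, urlsplit

# Schemes a redirect from an http(s) origin may land on. Assumption: a
# client must never let a network-supplied Location switch to a local
# scheme such as file://, because the target would inherit a local origin.
ALLOWED_REDIRECT_SCHEMES = frozenset({"http", "https"})


def header(headers, name):
    """Case-insensitive lookup of one header value (None if absent)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def resolve_redirect(request_url, location):
    """Resolve a Location value against the request URL, then enforce the
    scheme allowlist. Relative ('/path') and scheme-relative ('//host/path')
    targets are resolved first so they stay on http(s); an absolute
    'file:///...' target (any letter case) is refused with ValueError."""
    target = urljoin(request_url, location.strip())
    scheme = urlsplit(target).scheme.lower()
    if scheme not in ALLOWED_REDIRECT_SCHEMES:
        raise ValueError(f"refusing redirect to {scheme!r} scheme: {target}")
    return target


def is_forced_html_download(headers):
    """True when a response carries HTML but asks the client to save it to
    disk (Content-Disposition: attachment) instead of rendering it. Alone
    this is legitimate; followed by a file:// redirect it is the pattern the
    advisory describes, so a proxy can raise it for review."""
    ctype = (header(headers, "Content-Type") or "").split(";")[0].strip().lower()
    disp = (header(headers, "Content-Disposition") or "").split(";")[0].strip().lower()
    return ctype in {"text/html", "application/xhtml+xml"} and disp == "attachment"


def audit_exchange(exchange):
    """Walk (request_url, response_headers) pairs and return the findings a
    client or proxy would raise. Refused redirects are reported, not
    followed; a refusal after a forced HTML download is labelled as the
    chained pattern."""
    findings = []
    saw_html_download = False
    for request_url, headers in exchange:
        if is_forced_html_download(headers):
            saw_html_download = True
            findings.append(("html-forced-download", request_url))
        location = header(headers, "Location")
        if location is not None:
            try:
                resolve_redirect(request_url, location)
            except ValueError as exc:
                kind = ("file-redirect-after-download" if saw_html_download
                        else "bad-redirect-scheme")
                findings.append((kind, str(exc)))
    return findings


# Constructed sample exchange (not captured traffic): an HTML file served as
# a download, a redirect aimed at a local path, and a harmless redirect.
SAMPLE_EXCHANGE = [
    ("https://example.test/start",
     {"Content-Type": "text/html; charset=utf-8",
      "Content-Disposition": 'attachment; filename="page.html"'}),
    ("https://example.test/next",
     {"Location": "file:///downloads/page.html"}),
    ("https://example.test/ok",
     {"Location": "/landing"}),
]

if __name__ == "__main__":
    for finding in audit_exchange(SAMPLE_EXCHANGE):
        print(*finding)
```

Running the block on the constructed exchange reports the forced HTML download and the refused file:// redirect and stays silent on the ordinary same-origin redirect; the user-confirmation step the advisory mentions is outside what these header checks can see, so they complement rather than replace it.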
History

On 12th February 2012, Nth Dimension supplied a PoC exploit for this issue to representatives of RIM. BBSIRT responded on the 20th to confirm that they had received the report and were investigating.

RIM further notified Nth Dimension to confirm that all reported vulnerabilities were handled based on CVSS and that only critical vulnerabilities were deemed candidates for out-of-band patching. Less critical issues would however be addressed in future product updates.

Nth Dimension responded on 7th March 2012 to confirm that they agreed with this approach and that in their opinion the issue was not critical and did not warrant an expedited response. Nth Dimension asked to be kept in the loop regarding the release of a patch for this issue in due course.

On 19th September 2012, Nth Dimension asked for an update, in particular to establish whether a CVE had been assigned by RIM for this issue.

On 1st November 2012, RIM responded to say that "The changes for the issues are in the latest 2.1 builds for PlayBook. The build is currently available for WiFi only PlayBooks and we’re working with our carrier partners for testing and availability for build for the in-market cellular-enabled PlayBooks".

On 6th November 2012, RIM confirmed that CVE-2012-5828 had been assigned. They also confirmed that they believed testing of cellular PlayBooks would be completed by the end of the month. Nth Dimension responded, proposing 1st December 2012 as the embargo date.
Article ID (AID): #1HUrJ7gX (Bugtraq)