exploit the possibilities

RIM BlackBerry PlayBook OS 1.0.8.6067 Local File Access

RIM BlackBerry PlayBook OS 1.0.8.6067 Local File Access
Posted Dec 1, 2012
Authored by Tim Brown | Site nth-dimension.org.uk

The web browser which comes as part of the RIM BlackBerry PlayBook OS can be tricked into disclosing the contents of local files through the planting of a malicious HTML file through the standard download mechanism. It should be noted that in order to exploit this issue, user interaction is required as the user will need to confirm the download of the malicious HTML file.

tags | advisory, web, local
advisories | CVE-2012-5828
MD5 | ba5ca11c119d8b3288db7ea508cff6aa

RIM BlackBerry PlayBook OS 1.0.8.6067 Local File Access

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Nth Dimension Security Advisory (NDSA20121030)
Date: 30th October 2012
Author: Tim Brown <mailto:timb@nth-dimension.org.uk>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: RIM BlackBerry PlayBook OS 1.0.8.6067 <http://www.rim.com/products/blackberry_tablets.shtml>
Vendor: RIM <http://www.rim.com/>
Risk: Low

Summary

The web browser which comes as part of the RIM BlackBerry PlayBook OS
can be tricked into disclosing the contents of local files through the
planting of a malicious HTML file through the standard download mechanism.
It should be noted that in order to exploit this issue, user interaction
is required as the user will need to confirm the download of the malicious
HTML file.

After discussions with the vendor, CVE-2012-5828 was assigned to this
vulnerability.

Solutions

Nth Dimension recommends that the vendor supplied patches should be applied.

Technical Details

It was identified that the PlayBook web browser could be forced to download
rather than render HTML files and that whilst the browser does prompt the
user to confirm the location of the download, this download process defaults
to an attacker chosen location.

Furthermore, once downloaded, it is possible to use the "Location" header to
load the file from the attacker's chose location using the "file://" URL
handler in such a manner that the downloaded HTML then has trusted access to
the PlayBook filing system.

It is possible to craft a HTML download which when opened will lead to arbitrary
JavaScript being executed in the local context. The "file://" URL handler is
trusted to execute across domains.

History

On 12th February 2012, Nth Dimension supplied a PoC exploit for this issue
to representatives of RIM. BBSIRT responded on the 20th to confirm that they
had recieved the report and were investigating.

RIM further notified Nth Dimension to confirm that all reported vulnerabilities
were handled based on CVSS and that only critical vulnerabilities were deemed
candidates for out-of-band patching. Less critical issues would however be
addressed in future product updates.

Nth Dimension responded on 7th March 2012 to confirm that they agreed with
this approach and that in their opinion the issue was not critical and did
not warrant an expedited response. Nth Dimension asked to be kept in the
loop regarding the release of a patch for this issue in due course.

On 19th September 2012, Nth Dimension asked for an update, in particular to
establish whether a CVE had been assigned by RIM for this issue.

On 1st November 2012, RIM responded to say that the "The changes for the issues
are in the latest 2.1 builds for PlayBook. The build is currently available
for WiFi only PlayBooks and we’re working with our carrier partners for testing
and availability for build for the in-market cellular-enabled PlayBooks".

On 6th November 2012, RIM confirm that CVE-2012-5828 has been assigned. They
also confirm they believe testing of cellular PlayBooks will be completed
by the end of the month.

Nth Dimension repond, proposing 1st Deceber 2012 as the embargo date.

Current

As of 1st Novmeber 2012, the state of the vulnerability is believed to
be as follows. RIM have begun shipping a patch which it is believed
successfully resolves the reported issue.

Thanks

Nth Dimension would like to thank all the security folk at RIM, in
particular the BlackBerry Incident Response team for the way they worked
to resolve the issue.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJQuU6xAAoJEPJhpTVyySo7xcoQAM7KB/2KYIq/IElrO15jr/hH
8Pytj9Q+k0VTmousVUWs5EP+uurZ28dGH8QNdsBv/kmp9M6gPQbex38pVVp+UJxh
DcVoGhVJLsrzATQH+1LH/zVVkV4idERSQvGMjbikHWMdObfr6H37iN/UwK1+O27T
tFQkIbM/rRNZk/OUz+B25D+2C53tdjTsCStkbnmYXKBlMYf0h3M28sFR3bcB5mBg
MFNO7Vr/t16NdFRN+MPgfiRZTATH2gCqklMoe8rmQbu+Fumf1+7T5jlnXORUIiUb
tTKvDjw9o0dL513b58JuIsheiyx0IlvGo4RyfXfWRAZaZiTPSnbzPwl83Bj1JpW+
PJ4Z+4yKcwQcRIfvCDH6vc8o4uMTM7g9SMuLxZBoZN3mFUAOLwy9wJde+w8bmpFA
Z6KWtmzcAlt1QoRhNPS8s+udMc1HSXKpyNjTdaqEmhjVNReDeIp+mrOnlYENa4k+
86LyOMlil00B+dCnt76/s3T/Q+briWgLgY7KrZlVIIoRzliTn3Oy0Rd7SIRJgoV6
bK5/W8q1uFEEF1kdy1Q3/08CFxIkWKgB6QCfa0iY5q+nNl5V6SjqAaxsesB/zcnS
aD6OjWz+j9ZFs1nounIWZrGygLRVt3C/liLfR7JiAGux518mRz87uOedd+0TtBUh
O7FtQ/d4H990AomSBivi
=DyJj
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

June 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    1 Files
  • 2
    Jun 2nd
    2 Files
  • 3
    Jun 3rd
    19 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    15 Files
  • 6
    Jun 6th
    12 Files
  • 7
    Jun 7th
    11 Files
  • 8
    Jun 8th
    1 Files
  • 9
    Jun 9th
    1 Files
  • 10
    Jun 10th
    15 Files
  • 11
    Jun 11th
    15 Files
  • 12
    Jun 12th
    15 Files
  • 13
    Jun 13th
    8 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    2 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    18 Files
  • 18
    Jun 18th
    15 Files
  • 19
    Jun 19th
    22 Files
  • 20
    Jun 20th
    15 Files
  • 21
    Jun 21st
    15 Files
  • 22
    Jun 22nd
    2 Files
  • 23
    Jun 23rd
    1 Files
  • 24
    Jun 24th
    23 Files
  • 25
    Jun 25th
    19 Files
  • 26
    Jun 26th
    10 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close