what you don't know can hurt you

RIM BlackBerry PlayBook OS 1.0.8.6067 Local File Access

RIM BlackBerry PlayBook OS 1.0.8.6067 Local File Access
Posted Dec 1, 2012
Authored by Tim Brown | Site nth-dimension.org.uk

The web browser which comes as part of the RIM BlackBerry PlayBook OS can be tricked into disclosing the contents of local files through the planting of a malicious HTML file through the standard download mechanism. It should be noted that in order to exploit this issue, user interaction is required as the user will need to confirm the download of the malicious HTML file.

tags | advisory, web, local
advisories | CVE-2012-5828
MD5 | ba5ca11c119d8b3288db7ea508cff6aa

RIM BlackBerry PlayBook OS 1.0.8.6067 Local File Access

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Nth Dimension Security Advisory (NDSA20121030)
Date: 30th October 2012
Author: Tim Brown <mailto:timb@nth-dimension.org.uk>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: RIM BlackBerry PlayBook OS 1.0.8.6067 <http://www.rim.com/products/blackberry_tablets.shtml>
Vendor: RIM <http://www.rim.com/>
Risk: Low

Summary

The web browser which comes as part of the RIM BlackBerry PlayBook OS
can be tricked into disclosing the contents of local files through the
planting of a malicious HTML file through the standard download mechanism.
It should be noted that in order to exploit this issue, user interaction
is required as the user will need to confirm the download of the malicious
HTML file.

After discussions with the vendor, CVE-2012-5828 was assigned to this
vulnerability.

Solutions

Nth Dimension recommends that the vendor supplied patches should be applied.

Technical Details

It was identified that the PlayBook web browser could be forced to download
rather than render HTML files and that whilst the browser does prompt the
user to confirm the location of the download, this download process defaults
to an attacker chosen location.

Furthermore, once downloaded, it is possible to use the "Location" header to
load the file from the attacker's chose location using the "file://" URL
handler in such a manner that the downloaded HTML then has trusted access to
the PlayBook filing system.

It is possible to craft a HTML download which when opened will lead to arbitrary
JavaScript being executed in the local context. The "file://" URL handler is
trusted to execute across domains.

History

On 12th February 2012, Nth Dimension supplied a PoC exploit for this issue
to representatives of RIM. BBSIRT responded on the 20th to confirm that they
had recieved the report and were investigating.

RIM further notified Nth Dimension to confirm that all reported vulnerabilities
were handled based on CVSS and that only critical vulnerabilities were deemed
candidates for out-of-band patching. Less critical issues would however be
addressed in future product updates.

Nth Dimension responded on 7th March 2012 to confirm that they agreed with
this approach and that in their opinion the issue was not critical and did
not warrant an expedited response. Nth Dimension asked to be kept in the
loop regarding the release of a patch for this issue in due course.

On 19th September 2012, Nth Dimension asked for an update, in particular to
establish whether a CVE had been assigned by RIM for this issue.

On 1st November 2012, RIM responded to say that the "The changes for the issues
are in the latest 2.1 builds for PlayBook. The build is currently available
for WiFi only PlayBooks and we’re working with our carrier partners for testing
and availability for build for the in-market cellular-enabled PlayBooks".

On 6th November 2012, RIM confirm that CVE-2012-5828 has been assigned. They
also confirm they believe testing of cellular PlayBooks will be completed
by the end of the month.

Nth Dimension repond, proposing 1st Deceber 2012 as the embargo date.

Current

As of 1st Novmeber 2012, the state of the vulnerability is believed to
be as follows. RIM have begun shipping a patch which it is believed
successfully resolves the reported issue.

Thanks

Nth Dimension would like to thank all the security folk at RIM, in
particular the BlackBerry Incident Response team for the way they worked
to resolve the issue.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJQuU6xAAoJEPJhpTVyySo7xcoQAM7KB/2KYIq/IElrO15jr/hH
8Pytj9Q+k0VTmousVUWs5EP+uurZ28dGH8QNdsBv/kmp9M6gPQbex38pVVp+UJxh
DcVoGhVJLsrzATQH+1LH/zVVkV4idERSQvGMjbikHWMdObfr6H37iN/UwK1+O27T
tFQkIbM/rRNZk/OUz+B25D+2C53tdjTsCStkbnmYXKBlMYf0h3M28sFR3bcB5mBg
MFNO7Vr/t16NdFRN+MPgfiRZTATH2gCqklMoe8rmQbu+Fumf1+7T5jlnXORUIiUb
tTKvDjw9o0dL513b58JuIsheiyx0IlvGo4RyfXfWRAZaZiTPSnbzPwl83Bj1JpW+
PJ4Z+4yKcwQcRIfvCDH6vc8o4uMTM7g9SMuLxZBoZN3mFUAOLwy9wJde+w8bmpFA
Z6KWtmzcAlt1QoRhNPS8s+udMc1HSXKpyNjTdaqEmhjVNReDeIp+mrOnlYENa4k+
86LyOMlil00B+dCnt76/s3T/Q+briWgLgY7KrZlVIIoRzliTn3Oy0Rd7SIRJgoV6
bK5/W8q1uFEEF1kdy1Q3/08CFxIkWKgB6QCfa0iY5q+nNl5V6SjqAaxsesB/zcnS
aD6OjWz+j9ZFs1nounIWZrGygLRVt3C/liLfR7JiAGux518mRz87uOedd+0TtBUh
O7FtQ/d4H990AomSBivi
=DyJj
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

October 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    16 Files
  • 2
    Oct 2nd
    1 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    24 Files
  • 5
    Oct 5th
    24 Files
  • 6
    Oct 6th
    11 Files
  • 7
    Oct 7th
    14 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    1 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    7 Files
  • 12
    Oct 12th
    15 Files
  • 13
    Oct 13th
    26 Files
  • 14
    Oct 14th
    10 Files
  • 15
    Oct 15th
    6 Files
  • 16
    Oct 16th
    2 Files
  • 17
    Oct 17th
    1 Files
  • 18
    Oct 18th
    14 Files
  • 19
    Oct 19th
    15 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close