what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

RIM BlackBerry PlayBook OS 1.0.8.6067 Local File Access

RIM BlackBerry PlayBook OS 1.0.8.6067 Local File Access
Posted Dec 1, 2012
Authored by Tim Brown | Site nth-dimension.org.uk

The web browser which comes as part of the RIM BlackBerry PlayBook OS can be tricked into disclosing the contents of local files through the planting of a malicious HTML file through the standard download mechanism. It should be noted that in order to exploit this issue, user interaction is required as the user will need to confirm the download of the malicious HTML file.

tags | advisory, web, local
advisories | CVE-2012-5828
SHA-256 | 689b8d28b8e18196499d4e2793fe9980e7a00f2c1dcba64139cd3a89737e5628

RIM BlackBerry PlayBook OS 1.0.8.6067 Local File Access

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Nth Dimension Security Advisory (NDSA20121030)
Date: 30th October 2012
Author: Tim Brown <mailto:timb@nth-dimension.org.uk>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: RIM BlackBerry PlayBook OS 1.0.8.6067 <http://www.rim.com/products/blackberry_tablets.shtml>
Vendor: RIM <http://www.rim.com/>
Risk: Low

Summary

The web browser which comes as part of the RIM BlackBerry PlayBook OS
can be tricked into disclosing the contents of local files through the
planting of a malicious HTML file through the standard download mechanism.
It should be noted that in order to exploit this issue, user interaction
is required as the user will need to confirm the download of the malicious
HTML file.

After discussions with the vendor, CVE-2012-5828 was assigned to this
vulnerability.

Solutions

Nth Dimension recommends that the vendor supplied patches should be applied.

Technical Details

It was identified that the PlayBook web browser could be forced to download
rather than render HTML files and that whilst the browser does prompt the
user to confirm the location of the download, this download process defaults
to an attacker chosen location.

Furthermore, once downloaded, it is possible to use the "Location" header to
load the file from the attacker's chose location using the "file://" URL
handler in such a manner that the downloaded HTML then has trusted access to
the PlayBook filing system.

It is possible to craft a HTML download which when opened will lead to arbitrary
JavaScript being executed in the local context. The "file://" URL handler is
trusted to execute across domains.

History

On 12th February 2012, Nth Dimension supplied a PoC exploit for this issue
to representatives of RIM. BBSIRT responded on the 20th to confirm that they
had recieved the report and were investigating.

RIM further notified Nth Dimension to confirm that all reported vulnerabilities
were handled based on CVSS and that only critical vulnerabilities were deemed
candidates for out-of-band patching. Less critical issues would however be
addressed in future product updates.

Nth Dimension responded on 7th March 2012 to confirm that they agreed with
this approach and that in their opinion the issue was not critical and did
not warrant an expedited response. Nth Dimension asked to be kept in the
loop regarding the release of a patch for this issue in due course.

On 19th September 2012, Nth Dimension asked for an update, in particular to
establish whether a CVE had been assigned by RIM for this issue.

On 1st November 2012, RIM responded to say that the "The changes for the issues
are in the latest 2.1 builds for PlayBook. The build is currently available
for WiFi only PlayBooks and we’re working with our carrier partners for testing
and availability for build for the in-market cellular-enabled PlayBooks".

On 6th November 2012, RIM confirm that CVE-2012-5828 has been assigned. They
also confirm they believe testing of cellular PlayBooks will be completed
by the end of the month.

Nth Dimension repond, proposing 1st Deceber 2012 as the embargo date.

Current

As of 1st Novmeber 2012, the state of the vulnerability is believed to
be as follows. RIM have begun shipping a patch which it is believed
successfully resolves the reported issue.

Thanks

Nth Dimension would like to thank all the security folk at RIM, in
particular the BlackBerry Incident Response team for the way they worked
to resolve the issue.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJQuU6xAAoJEPJhpTVyySo7xcoQAM7KB/2KYIq/IElrO15jr/hH
8Pytj9Q+k0VTmousVUWs5EP+uurZ28dGH8QNdsBv/kmp9M6gPQbex38pVVp+UJxh
DcVoGhVJLsrzATQH+1LH/zVVkV4idERSQvGMjbikHWMdObfr6H37iN/UwK1+O27T
tFQkIbM/rRNZk/OUz+B25D+2C53tdjTsCStkbnmYXKBlMYf0h3M28sFR3bcB5mBg
MFNO7Vr/t16NdFRN+MPgfiRZTATH2gCqklMoe8rmQbu+Fumf1+7T5jlnXORUIiUb
tTKvDjw9o0dL513b58JuIsheiyx0IlvGo4RyfXfWRAZaZiTPSnbzPwl83Bj1JpW+
PJ4Z+4yKcwQcRIfvCDH6vc8o4uMTM7g9SMuLxZBoZN3mFUAOLwy9wJde+w8bmpFA
Z6KWtmzcAlt1QoRhNPS8s+udMc1HSXKpyNjTdaqEmhjVNReDeIp+mrOnlYENa4k+
86LyOMlil00B+dCnt76/s3T/Q+briWgLgY7KrZlVIIoRzliTn3Oy0Rd7SIRJgoV6
bK5/W8q1uFEEF1kdy1Q3/08CFxIkWKgB6QCfa0iY5q+nNl5V6SjqAaxsesB/zcnS
aD6OjWz+j9ZFs1nounIWZrGygLRVt3C/liLfR7JiAGux518mRz87uOedd+0TtBUh
O7FtQ/d4H990AomSBivi
=DyJj
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close