-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Nth Dimension Security Advisory (NDSA20121030)
Date: 30th October 2012
Author: Tim Brown <mailto:timb@nth-dimension.org.uk>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: RIM BlackBerry PlayBook OS 1.0.8.6067 <http://www.rim.com/products/blackberry_tablets.shtml>
Vendor: RIM <http://www.rim.com/>
Risk: Low

Summary

The web browser which comes as part of the RIM BlackBerry PlayBook OS
can be tricked into disclosing the contents of local files through the
planting of a malicious HTML file through the standard download mechanism.  
It should be noted that in order to exploit this issue, user interaction
is required as the user will need to confirm the download of the malicious
HTML file.

After discussions with the vendor, CVE-2012-5828 was assigned to this
vulnerability.

Solutions

Nth Dimension recommends that the vendor supplied patches should be applied.

Technical Details

It was identified that the PlayBook web browser could be forced to download
rather than render HTML files and that whilst the browser does prompt the
user to confirm the location of the download, this download process defaults
to an attacker chosen location.

Furthermore, once downloaded, it is possible to use the "Location" header to
load the file from the attacker's chose location using the "file://" URL
handler in such a manner that the downloaded HTML then has trusted access to
the PlayBook filing system.

It is possible to craft a HTML download which when opened will lead to arbitrary
JavaScript being executed in the local context.  The "file://" URL handler is
trusted to execute across domains.

History

On 12th February 2012, Nth Dimension supplied a PoC exploit for this issue
to representatives of RIM.  BBSIRT responded on the 20th to confirm that they
had recieved the report and were investigating.

RIM further notified Nth Dimension to confirm that all reported vulnerabilities
were handled based on CVSS and that only critical vulnerabilities were deemed
candidates for out-of-band patching.  Less critical issues would however be
addressed in future product updates.

Nth Dimension responded on 7th March 2012 to confirm that they agreed with
this approach and that in their opinion the issue was not critical and did
not warrant an expedited response.  Nth Dimension asked to be kept in the
loop regarding the release of a patch for this issue in due course.

On 19th September 2012, Nth Dimension asked for an update, in particular to
establish whether a CVE had been assigned by RIM for this issue.

On 1st November 2012, RIM responded to say that the "The changes for the issues
are in the latest 2.1 builds for PlayBook.  The build is currently available
for WiFi only PlayBooks and we’re working with our carrier partners for testing
and availability for build for the in-market cellular-enabled PlayBooks".

On 6th November 2012, RIM confirm that CVE-2012-5828 has been assigned. They
also confirm they believe testing of cellular PlayBooks will be completed
by the end of the month.

Nth Dimension repond, proposing 1st Deceber 2012 as the embargo date.

Current

As of 1st Novmeber 2012, the state of the vulnerability is believed to
be as follows.  RIM have begun shipping a patch which it is believed
successfully resolves the reported issue.

Thanks

Nth Dimension would like to thank all the security folk at RIM, in
particular the BlackBerry Incident Response team for the way they worked
to resolve the issue.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJQuU6xAAoJEPJhpTVyySo7xcoQAM7KB/2KYIq/IElrO15jr/hH
8Pytj9Q+k0VTmousVUWs5EP+uurZ28dGH8QNdsBv/kmp9M6gPQbex38pVVp+UJxh
DcVoGhVJLsrzATQH+1LH/zVVkV4idERSQvGMjbikHWMdObfr6H37iN/UwK1+O27T
tFQkIbM/rRNZk/OUz+B25D+2C53tdjTsCStkbnmYXKBlMYf0h3M28sFR3bcB5mBg
MFNO7Vr/t16NdFRN+MPgfiRZTATH2gCqklMoe8rmQbu+Fumf1+7T5jlnXORUIiUb
tTKvDjw9o0dL513b58JuIsheiyx0IlvGo4RyfXfWRAZaZiTPSnbzPwl83Bj1JpW+
PJ4Z+4yKcwQcRIfvCDH6vc8o4uMTM7g9SMuLxZBoZN3mFUAOLwy9wJde+w8bmpFA
Z6KWtmzcAlt1QoRhNPS8s+udMc1HSXKpyNjTdaqEmhjVNReDeIp+mrOnlYENa4k+
86LyOMlil00B+dCnt76/s3T/Q+briWgLgY7KrZlVIIoRzliTn3Oy0Rd7SIRJgoV6
bK5/W8q1uFEEF1kdy1Q3/08CFxIkWKgB6QCfa0iY5q+nNl5V6SjqAaxsesB/zcnS
aD6OjWz+j9ZFs1nounIWZrGygLRVt3C/liLfR7JiAGux518mRz87uOedd+0TtBUh
O7FtQ/d4H990AomSBivi
=DyJj
-----END PGP SIGNATURE-----