-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 iDefense Security Advisory 01.12.09 http://labs.idefense.com/intelligence/vulnerabilities/ Jan 12, 2009 I. BACKGROUND The BlackBerry Enterprise Server is a suite of applications used to connect enterprise email and messaging services to BlackBerry device users. It consists of a variety of applications, one of which is the Attachment Service. This application is used to convert email attachments into a format that is easily rendered on BlackBerry devices. When a user requests an attachment on their BlackBerry device, the Attachment Service will obtain the attachment, parse and convert it, and then send it to the user for viewing. The Attachment Service is capable of converting a variety of different file formats, including PDF files. This vulnerability affects the PDF filter/distiller. For more information, see the vendor's site found at the following link. http://na.blackberry.com/eng/services/server/ II. DESCRIPTION Remote exploitation of an uninitialized memory vulnerability in Research In Motion Ltd.'s BlackBerry Enterprise Server could allow an attacker to execute arbitrary code with the privileges of the affected service, which is usually SYSTEM. The vulnerability occurs when parsing a data stream inside of a PDF file. Due to a logic error, it is possible to allocate an array of object pointers that is never initialized. This array is located on the heap. When the object that contains this array is destroyed, each pointer in the array is deleted. Since the memory is never properly initialized, whatever content was previously there is used. It is possible to control the chunk of memory that gets allocated for this array, which can lead to attacker-controlled values being used as object pointers. This results in the execution of arbitrary code when these pointers are deleted. III. ANALYSIS Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the Attachment Service, usually SYSTEM. In order to exploit this vulnerability, an attacker must email an enterprise BlackBerry user a malicious PDF file. Then, the user must attempt to view the file on their device. It is important to note that a user must request the attachment in order to trigger the parsing. It is not possible to exploit this vulnerability in a completely automated fashion without a user asking to view the file. However, after a user has requested the attachment, no further interaction is necessary. Labs testing has demonstrated that this vulnerability is highly exploitable. It is possible to layout the heap in such a way that a previously allocated chunk of fully controllable memory is reused for the uninitialized memory clock. Code execution is then gained when this memory is used as an array of object pointers. IV. DETECTION iDefense has confirmed the existence of this vulnerability in BlackBerry Enterprise Server version 4.1.5 and 4.1.6 (4.1 SP5, SP6). 4.1.6 is the most current version, as of the publishing of this report. This vulnerability was confirmed in BlackBerry Enterprise Server for Microsoft Exchange, but is believed to affect the Lotus and Novell versions as well. Previous versions may also be affected. V. WORKAROUND It is possible to disable the PDF Distiller, which will prevent the conversion of PDF files by the Attachment Server. The following workaround was suggested by RIM for a previous PDF Distiller vulnerability, and has been verified to prevent the vulnerability described in this report. This workaround can be accomplished as follows: To remove the PDF file extension from the list of supported file format extensions, complete the following actions: 1. From the Windows Desktop, open the BlackBerry Server Configuration tool. 2. Click the Attachment Server tab. 3. In the Format Extensions field, delete pdf: from the colon delimited list of extensions. 4. Click Apply. 5. Click OK. After this, it is also necessary to completely disable the PDF distiller from loading, which will prevent an attacker from renaming a PDF to some other format extension. In order to do this, complete the following steps: 1. On the Windows Desktop, open the BlackBerry Server Configuration tool. 2. Click the Attachment Server tab. 3. In the Configuration Option drop-down list, select Attachment Server. 4. In the Distiller Settings section, next to the distiller name Adobe PDF, clear the check box in the Enabled column. 5. Click Apply. 6. Click OK. 7. On the Windows Desktop, in Administrative Tools, open Services. 8. Right-click BlackBerry Attachment Service and click Stop. 9. Right-click BlackBerry Attachment Service and click Start. 10. Close Services. In Microsoft Exchange and Novell GroupWise environments, complete the following additional steps: 1. On the Windows Desktop, in Administrative Tools, open Services. 2. Right-click BlackBerry Dispatcher and click Stop. 3. Right-click BlackBerry Dispatcher and click Start. 4. Close Services. In IBM Lotus Domino environments, complete the following additional steps: 1. Open the IBM Lotus Domino Administrator. 2. Click the Server tab. 3. Click the Status tab. 4. Click Server Console. 5. In the Domino Command field, type tell BES quit and press ENTER. 6. In the Domino Command field, type load BES and press ENTER. 7. Close the IBM Lotus Domino Administrator. VI. VENDOR RESPONSE Research In Motion (RIM) has released a patch which addresses this issue. For more information, consult their advisories at the following URLs: http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB17118 http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB17119 VII. CVE INFORMATION A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet. VIII. DISCLOSURE TIMELINE 12/17/2008 Initial Vendor Notification 12/17/2008 Initial Vendor Reply 12/17/2008 PoC Code Provided To Vendor 12/17/2008 Request Additional Information 01/06/2009 Additional Vendor Feedback 01/12/2009 Coordinated Public Disclosure IX. CREDIT This vulnerability was discovered by Sean Larsson, iDefense Labs. Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/ X. LEGAL NOTICES Copyright © 2009 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJbQj2bjs6HoxIfBkRAvk8AKCXLr3nL6/AP++XM17670BnSZdzxgCg/dQg gB68kHgJzbwjHNQ0i/rIQDo= =b9t+ -----END PGP SIGNATURE-----