Security Holes Found In RIM BlackBerry Service
An anonymous reader writes "Researchers have found several security holes in Blackberry handheld devices and the servers that power them, according to a story at Washingtonpost.com. The research points out serious flaws in the BlackBerry server, which could be exploited by convincing Blackberry handheld users to click on an image file attachment. From the article: 'Lindner's slides from his presentation -- which he agreed not to release until RIM has fully fixed this problem -- show that the Blackberry server which manages all of the encryption keys needed to unscramble e-mail traffic to and from all Blackberry devices registered on the network stores them on a Microsoft SQL database server in plain, unencrypted text. Lindner found that by convincing a Blackberry user to click on a special image attachment, that handheld device could be made to pass on malicious code to the Blackberry server, which could then be taken over and used to intercept e-mails or as a staging point for other attacks within the network.'"
*watches the karma drop* btw I'm a RIM supporter
Um, you might want to check back more often, latest news is that the Patent Office has admitted it will probably invalidate all of the patents held by NTP that are at the heart of the BlackBerry patent dispute. This will clear the way for RIM to resume "business as usual".
Just junk food for thought...
It's a corrupt PNG (a common image file type) that may pass code to the server to be run there (as administrator), with complete access to the corporate network, including all the plain-text, non-passphrase-protected private keys of all BlackBerry users on the same corporate network.
If true, this is a gaping hole, and a very big deal.
when I know they are hiring newbs from U of W that don't know their ass from a hole in the ground, this sort of thing is not a surprise to me!
Apparently they don't know their ass from a hole in the security, either.
What gets me is they're using a notoriously insecure OS, with clear-text values in the database... That's just asking for more trouble than you can get into.
Who in their right mind would store that info unencrypted? It must be pretty easy these days to get a rim job.
I used to work at RIM, and if you honestly think that it is mostly staffed by 23 year olds, you are mistaken. The vast majority of folks at RIM are not fresh out of undergrad and the technical genius that does exist there is indeed very impressive (I worked on the business side, not the tech side.. and the tech guys really know what they're doing). And further, if you honestly think that Lazaridis and Balsillie run the type of place where major design decisions are made by junior people, I'm not surprised that you don't have the qualifications to get a job there.
The fact that they made a small design mistake isn't really that surprising. These things happen all the time. Their response is what's important going forward, and I (as a current BB user) have faith that they will quickly patch this up and move on.
I'm not really sure when the change happened, but the SQL server upgrade happened at version 4.0...previously the enterprise server did not use SQL. This is probably the only reason it took so long to find the flaw.
BTW version 4 is causing duplicate calendar and address book entries for lotus notes users (all 800 of our blackberries are showing this bug yah!). We are debating going back to 3.6 as 4.0 only added wireless synch for address and memo dbs for the user. Not that big of a deal to plug it into a pc once in a while vs. getting duplicate entries.
I would like to try and convince most people with a Blackberry to see if they could use it as a suppository, but I digress...
From the Washington Post: RIM didn't mention anything about the flaw allowing attackers to download and execute programs on the targeted device, but I'm left wondering whether they escalated this because of just such a threat.
I really don't think RIM is going to shout this from the rooftops. If the exploit is as bad as is disclosed, there's some serious trouble brewing that makes the brouhaha with NTP look like a cakewalk.
From the Washington Post: Lindner said he started looking into Blackberry's proprietary communications protocols because the Blackberry server requires an unusual level of access inside of a corporate network: the server must be run inside a company's network firewall and on a Windows machine that is granted full and direct administrative access to the customer's internal e-mail server.
And RIM thought this was a good idea because...? It's like building a 50-ft high wall around the castle, then creating a hole for an 8-lane superhighway to pass through. Imagine the enterprising and inventive hacker that can plant a zombie process on that machine. Talk about spam! Imagine if a Fortune 500 company starts getting nipped because their email servers are dumping spam on the unsuspecting public. Lawsuits for everyone!!
Yep, sorry guys... this flaw is patented. Pay up!
Heh, I wasn't actually going to post that, but I had a thought... if we patented the dumbest mistakes out there (buffer overflows, etc)... what company would want to prove "prior art" ?
With the scant details provided, it sounds almost like an SQL Injection vulnerability. It doesn't sound like a problem with SQL Server directly, or else it wouldn't be a RIM specific problem.
Anyway, can't administrators just filter all image attachments out through their AV or other software for the time being?
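As an added example (not code from the article, from RIM, or from any poster here), the kind of structural sanity check an administrator could put in front of image attachments, since the thread describes the trigger as a corrupt PNG. It walks the PNG chunk list and rejects files whose chunk lengths run past the end of the data, whose CRCs do not match, whose IHDR is malformed, or that lack IHDR/IEND. The article does not say which malformation is exploited, so this is a generic filter, not a signature for the flaw; the 1x1 sample image and the `MAX_DIMENSION` policy limit are constructed for the example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_DIMENSION = 1 << 16  # assumption: a site policy limit, not a PNG spec value


def validate_png(data: bytes) -> list[str]:
    """Return a list of structural problems; an empty list means the file looks sane."""
    problems = []
    if not data.startswith(PNG_SIGNATURE):
        return ["bad PNG signature"]
    pos = len(PNG_SIGNATURE)
    chunk_types = []
    while pos < len(data):
        if len(data) - pos < 12:  # 4 length + 4 type + 4 CRC is the minimum
            problems.append(f"truncated chunk header at offset {pos}")
            break
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if length > 0x7FFFFFFF:  # PNG caps chunk length at 2^31 - 1
            problems.append(f"chunk {ctype!r} length {length} exceeds PNG limit")
            break
        if pos + 12 + length > len(data):
            problems.append(f"chunk {ctype!r} claims {length} bytes but only "
                            f"{len(data) - pos - 12} remain")
            break
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(ctype + body) != crc:  # CRC covers type + data, not length
            problems.append(f"CRC mismatch in chunk {ctype!r}")
        if not all(65 <= c <= 90 or 97 <= c <= 122 for c in ctype):
            problems.append(f"non-alphabetic chunk type {ctype!r}")
        chunk_types.append(ctype)
        if ctype == b"IHDR":
            if length != 13:
                problems.append(f"IHDR length {length}, expected 13")
            else:
                width, height = struct.unpack(">II", body[:8])
                if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
                    problems.append(f"implausible dimensions {width}x{height}")
        pos += 12 + length
        if ctype == b"IEND":
            if pos != len(data):
                problems.append(f"{len(data) - pos} trailing bytes after IEND")
            break
    if not chunk_types or chunk_types[0] != b"IHDR":
        problems.append("first chunk is not IHDR")
    if b"IEND" not in chunk_types:
        problems.append("missing IEND chunk")
    return problems


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))


def build_sample_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG used as sample input (not a real attachment)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte 0 followed by one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def build_oversized_chunk_png() -> bytes:
    """Same file, but the IDAT length field is inflated far past the end of the data."""
    good = build_sample_png()
    length_off = good.index(b"IDAT") - 4
    return good[:length_off] + struct.pack(">I", 0x10000000) + good[length_off + 4:]


def build_bad_crc_png() -> bytes:
    """Same file, with one byte of the IDAT body flipped so its CRC no longer matches."""
    good = bytearray(build_sample_png())
    good[good.index(b"IDAT") + 4] ^= 0xFF
    return bytes(good)
```

A filter like this only catches files whose container is visibly broken; a decoder bug reached through a well-formed chunk would pass it, so it belongs alongside, not instead of, the vendor patch.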
Using a Microsoft product on a server is a small design mistake?!?! You must be new here!
The fact that they made a small design mistake isn't really that surprising. These things happen all the time.
I'm not sure you can write this off as a small design mistake. This seems to me more like a fundamental design flaw based on a series of bad choices. They want you to run a Windows-based server, outside your firewall, running a number of services, with security data stored unencrypted, and full privileges to the corporate e-mail server. That sounds like someone's friend or nephew was running the server project and either would not listen to advice that things should be done right, rather than quickly, or simply was unable to hire competent personnel. This is why companies making products like these should have a security team outside each project's chain of command, and why that team should be listened to. Now, who will trust them to do the right thing next time? What security-conscious company will consider them as a solution provider?
I had no idea the server backend was so...crummy. Why do geeks running FreeBSD at home have their passwords encrypted within MySQL, but big companies with million dollar products don't?
The entire server backend is like that. Some of the more amusing examples:
- When it starts, it has a fixed number of threads it can use to talk to the Exchange server. Let's say it's 1000. If a thread is killed off, e.g. because it timed out, it is not returned to the pool. So over the course of a week or so, you run out of threads and the app will no longer do anything. Consequently, we now reboot the server every night.
- If you have Outlook installed on the Blackberry server, it breaks the Blackberry server software, because it will only work with a very specific nonstandard version of the MAPI DLL.
- 50% of the time when you call their support line, the answer to your question mysteriously turns out to be that your server is under too heavy of a load and you need to buy another server license. Even if the server is working fine for all but one user, or if it was working fine for everyone until you switched license keys.
Basically the entire thing is a giant Rube Goldberg contraption. The handhelds are decent for what they do, but not spectacular.
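The thread-pool leak described above, reduced to a minimal model. This is an added example, not RIM's code and not code from the poster: a fixed quota of connection slots, a constructed mailbox poll that times out for any user whose name starts with "slow", and the same polling loop written twice, once returning the slot only on the success path (the bug) and once in a `finally` block (the fix). With a pool of two slots and two timeouts, the leaky loop has no slot left for the last user, which is the "app will no longer do anything" symptom.

```python
class ConnectionPool:
    """Fixed-size pool of connection slots, standing in for the per-server thread quota."""

    def __init__(self, size: int):
        self.size = size
        self.free = size

    def acquire(self) -> None:
        if self.free == 0:
            raise RuntimeError("pool exhausted")
        self.free -= 1

    def release(self) -> None:
        self.free += 1


def flaky_fetch(user: str) -> str:
    """Constructed stand-in for a mailbox poll; users named 'slow*' time out."""
    if user.startswith("slow"):
        raise TimeoutError(f"{user}: mailbox poll timed out")
    return f"{user}: ok"


def poll_leaky(pool: ConnectionPool, users: list[str]) -> list[str]:
    """Bug: the slot is returned only on success, so every timeout leaks one."""
    outcomes = []
    for user in users:
        try:
            pool.acquire()
        except RuntimeError as exc:
            outcomes.append(f"{user}: {exc}")
            continue
        try:
            outcomes.append(flaky_fetch(user))
        except TimeoutError as exc:
            outcomes.append(str(exc))
            continue  # slot is never released on this path
        pool.release()
    return outcomes


def poll_fixed(pool: ConnectionPool, users: list[str]) -> list[str]:
    """Fix: release in finally, so the slot comes back on every exit path."""
    outcomes = []
    for user in users:
        try:
            pool.acquire()
        except RuntimeError as exc:
            outcomes.append(f"{user}: {exc}")
            continue
        try:
            outcomes.append(flaky_fetch(user))
        except TimeoutError as exc:
            outcomes.append(str(exc))
        finally:
            pool.release()
    return outcomes


# Constructed user list: two of the five polls time out.
USERS = ["alice", "slow1", "bob", "slow2", "carol"]
```

Run `poll_leaky(ConnectionPool(2), USERS)` and the pool's `free` count ends at zero with carol reported as "pool exhausted"; `poll_fixed` on a fresh pool serves all five and leaves both slots free.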