BlackBerry TIFF Vulnerability Could Allow Access To Enterprise Server

Trailrunner7 writes "A vulnerability exists in some components of BlackBerry mobile devices that could grant attackers access to instances of the company's Enterprise Server (BES), according to BlackBerry, which issued an alert and released a patch for the vulnerability last week via its Knowledge Base support site. BES, the software implicated by the vulnerability, helps companies deploy BlackBerry devices. The high severity advisory involves the way the phone views Tagged Image File Format (TIFF) files, specifically the way the phone's Mobile Data System Connection Service and Messaging Agent process and render the images. An attacker could rig a TIFF image with malware and get a user to either view the image via a specially crafted website or send it to the user via email or instant message. The last two exploit vectors could make it so the user wouldn't have to click the link or image, or view the email or instant message, for the attack to prove successful. Once executed, an attacker could access and execute code on Blackberry's Enterprise Server."


  1. Re:TIFF with Malware? by Anonymous Coward · Score: 3, Informative

    Code has to run to display the image - all you need to do is format the data in a way such that the code which deals with it will end up overwriting parts of itself and then you can run whatever you want. It's very specific to a particular decoder on a particular device.

  2. Re:TIFF with Malware? by ilovepi · Score: 2

    I don't know the means by which this particular attack is delivered. However, I know that the "unhackable" versions of Sony's PSP systems were finally hacked by a payloaded .TIFF file. I'd imagine there are some similarities, so you might want to look up how that hack worked.

  3. Re:TIFF with Malware? by drinkypoo · Score: 2

    Yeah, it's probably a buffer overflow attack of some kind. They trusted the file to contain accurate data about itself. Advisory says "specially crafted TIFF image" which, you know, pretty much backs that up. It's a sophomoric mistake but they might not have made it alone, they might have pulled in a TIFF handling library from someone lame.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

  4. Re:TIFF with Malware? by Sarten-X · Score: 2

    Splatting TIFF images is a complicated matter. They're more than just mundane dumps of pixel data. In addition to just storing the image data itself, they can hold many kinds of metadata, be compressed in many ways, and be encoded in either big-endian or little-endian byte order. Any of those features might trigger vulnerable code in a parser, which might allow a buffer overflow or other vulnerability. This is similar to problems with every other complex format out there, (in)famously including JPEG and TrueType, to name a few.

    From reading TFA, it looks like the server itself is vulnerable because it processes the TIFF fully before it's re-encoded to be sent to the mobile devices. There are two vulnerabilities, both of which are buffer overflows.

    --
    You do not have a moral or legal right to do absolutely anything you want.
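
Sarten-X's point above, that a TIFF decoder has to take the file's own word for its byte order, element counts and data offsets, is where this class of overflow comes from. As an added example (not code from the thread, from BlackBerry, or from any real TIFF library), here is a small C check that walks the first Image File Directory and rejects any entry whose declared size or offset does not fit inside the buffer actually read; the two sample files are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Element size per TIFF 6.0 field type (index = type id); 0 marks an unknown type. */
static const size_t TYPE_SIZE[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

/* Read 16/32-bit fields honouring the byte order the header declares ("II" or "MM"). */
static uint32_t rd16(const uint8_t *p, int le) {
    return le ? (uint32_t)p[0] | (uint32_t)p[1] << 8 : (uint32_t)p[0] << 8 | p[1];
}
static uint32_t rd32(const uint8_t *p, int le) {
    return le ? rd16(p, le) | rd16(p + 2, le) << 16 : rd16(p, le) << 16 | rd16(p + 2, le);
}

/* Walk the first IFD, checking every size and offset the file supplies against the real
 * buffer length. Returns the entry count, or -1 if the file lies about itself. */
int tiff_check_ifd(const uint8_t *buf, size_t len) {
    int le;
    if (len < 8) return -1;
    if (!memcmp(buf, "II", 2)) le = 1;
    else if (!memcmp(buf, "MM", 2)) le = 0;
    else return -1;
    if (rd16(buf + 2, le) != 42) return -1;              /* TIFF magic number */
    uint32_t ifd = rd32(buf + 4, le);
    if (ifd < 8 || ifd > len - 2) return -1;             /* room for the 2-byte entry count */
    uint32_t n = rd16(buf + ifd, le);
    if ((size_t)n * 12 + 4 > len - ifd - 2) return -1;   /* entries + next-IFD link must fit */
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + (size_t)i * 12;
        uint32_t type = rd16(e + 2, le), count = rd32(e + 4, le);
        if (type == 0 || type > 12 || count > SIZE_MAX / 8) return -1;
        size_t bytes = (size_t)count * TYPE_SIZE[type];  /* what a naive decoder would malloc/memcpy */
        if (bytes > 4) {                                 /* >4 bytes: value is out-of-line at offset */
            uint32_t off = rd32(e + 8, le);
            if (off > len || bytes > len - off) return -1; /* declared data runs past end of file */
        }
    }
    return (int)n;
}

/* Constructed samples: a 26-byte little-endian TIFF with one ImageWidth entry (value 64), and
 * the same file with a StripOffsets entry claiming 0x10000000 LONGs (1 GiB) at offset 8. */
const uint8_t TIFF_OK[26] = {'I','I',42,0, 8,0,0,0, 1,0, 0x00,0x01, 3,0, 1,0,0,0, 64,0,0,0, 0,0,0,0};
const uint8_t TIFF_HUGE_COUNT[26] = {'I','I',42,0, 8,0,0,0, 1,0, 0x11,0x01, 4,0, 0,0,0,0x10, 8,0,0,0, 0,0,0,0};

int main(void) {
    printf("ok file: %d\n", tiff_check_ifd(TIFF_OK, sizeof TIFF_OK));                    /* 1 */
    printf("huge count: %d\n", tiff_check_ifd(TIFF_HUGE_COUNT, sizeof TIFF_HUGE_COUNT)); /* -1 */
    printf("truncated: %d\n", tiff_check_ifd(TIFF_OK, 20));                              /* -1 */
    return 0;
}
```

The same check applied to a file cut short at 20 bytes also returns -1, which is the case a server-side re-encoder hits when it trusts the IFD count before the whole file has arrived.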

  5. Re:Good news, we're all safe by mrops · Score: 4, Interesting

    I'm guessing you are still in US where Z10 is not yet launched, however out here in Canada, I am seeing a lot of Z10 with everyone.

  6. TFA and summary are incorrect by thePowerOfGrayskull · Score: 4, Informative

    Unsurprisingly, the summary and TFA get it wrong. The vulnerability is not in devices. "Messaging Agent" and "MDS Connection Service" are server side components - the vulnerability is there, and not on the phone.

    The phone can trigger them because web browsing on a BES-connected device goes through the MDS connection service, so a properly crafted web page can compromise the MDS service on the server.

    Similarly, sending an email will get routed through messaging agent - which is why a crafted email can trigger this without the email being opened on the client device.

  7. Re:Good news, we're all safe by PsychoSlashDot · Score: 4, Informative

    Interestingly enough - and not mentioned in the summary - this doesn't impact BES 10. It's only BES for legacy devices that are affected.

    --
    "Oh no... he found the .sig setting."

  8. Re:Tiff???? by PeeAitchPee · Score: 2

    Who on earth uses Tiff anymore?

    Everyone from libraries and archives such as the Library of Congress (high-resolution uncompressed TIFFs are the designated master file format for the National Digital Newspaper Program and the FADGI Still Image Working Group guidelines for digitizing cultural heritage materials) to document management companies and banks (as bitonal TIFFs are quite tiny compared to bloated garbage like PDF, offer great resolution of everyday office docs and checks, and work with most every imaging software written in the past 20 years). Just because *you* don't use a file format anymore doesn't mean it's useless to others.