Mayk0

BlackBerry Z10 Authentication Bypass Vulnerability

Aug 14th, 2014
BlackBerry Z10 Authentication Bypass Vulnerability
========================================================
Date      2014-08-14
Category  web applications
Platform  hardware
Risk      [MEDIUM SECURITY RISK]
CVE       CVE-2014-2388
========================================================

BlackBerry Z10 Authentication Bypass Vulnerability

---------------------------------------------------------------------

---------------------------------------------------------------------

1. Timeline

---------------------------------------------------------------------

* 2013-06-23: Vendor has been contacted.
* 2013-06-24: Vendor response.
* 2013-06-27: Vendor meeting and information exchange.
* 2013-08-20: Advisory and more details sent to the vendor.
* 2013-10-15 or after patch-release: Advisory will be published.
* 2013-12-05: Vendor requested delay of release, until a high level
  of carrier uptake has been achieved.
* 2014-04-02: Vulnerabilities were fixed, but vendor requested delay
  of release, until a higher level of carrier uptake has
  been achieved.
* 2014-08-11: Vendor achieved sufficient customer availability for
  this issue and announced release on August 12th, 2014.
* 2014-08-12: Release of security advisory in cooperation with
  vendor.

---------------------------------------------------------------------

2. Summary

---------------------------------------------------------------------

Vendor: BlackBerry

Products known to be affected:
* BlackBerry Z10 model STL100-2
  Software release: 10.1.0.2312
  OS version: 10.1.0.2354
  Build ID: 524717

Severity: Medium
Remote exploitable: Yes
CVE: CVE-2014-2388

The mobile phone offers a network service ("Storage and Access") for
ad hoc file exchange [1] between the phone and a network client [2].
To achieve this, the mobile device runs a Samba file server, which can
be used to upload files to or download files from the BlackBerry phone.
To enable file server access from wireless networks, the user has to
explicitly enable "Access using Wi-Fi" on the phone. Afterwards, the
Z10 asks the user to enter a password that is required to get access
to the file server. The file server implementation or the password
handling used on the Z10 is affected by an authentication bypass
vulnerability: the file server fails to ask for a password and allows
unauthenticated users to obtain read and write access to the offered
shares. The severity is considered medium to high, as an attacker may
be able to distribute targeted malware or access confidential data.

---------------------------------------------------------------------

3. Details

---------------------------------------------------------------------

The problem occurs when "Sharing via Wi-Fi" has been enabled on the
Z10. The "Storage and Access" dialog of the Z10 asks the user for a
password that shall be used to access data on the file server. Under
certain circumstances, the file server fails to ask for a password and
allows access even without specifying credentials. This behaviour
does not always occur, but it is reproducible within at most ten
different tries via Wi-Fi.

The following lists describe the steps of two different methods to
reproduce the issue. The first approach lets users access the file
server via the wireless LAN interface without using the developer
mode, which is the most common scenario. The second approach gives
access via USB cable. In this second approach, the developer mode is
activated to enable TCP/IP communication via USB. The second method
is more reliable for reproducing the effect and for tracking down the
root cause.

The root cause of the vulnerability is not known at the time of this
writing. The test was performed with an Ubuntu Linux system as the
network client. References to specific Linux tools are presented for
the sake of completeness.

3.1 Method 1

Prepare the phone:

1. Disconnect all cables.
2. Open Settings / "Storage and Access" and make sure "Access using
   Wi-Fi" is turned off. This is not strictly necessary, but
   recommended to reproduce the effect.
3. Power down the phone.

The process to reproduce the problem:

1. Boot the phone.
2. Enter the PIN for the SIM card.
3. Enter the device password.
4. Open Settings.
5. Open "Network Connections". Make sure that Wi-Fi is enabled and
   the phone is a client in a wireless LAN. In the test environment,
   the client IP address is 10.0.0.149.
6. For the tests, "Mobile Hotspot" is "Not Connected" and "Internet
   Tethering" is off. This setting is likely not critical.
7. Open "Storage and Access".
8. Enable "Access using Wi-Fi" on the phone. The phone will ask
   for a password. Use a password which you have never used before
   (for the server) to make sure that credentials are not loaded
   from the Gnome keychain.
9. Open Nautilus with: nautilus smb://10.0.0.149
10. If Nautilus fails to display a list of shares, close Nautilus and
    open it again.
11. Try to access a share. If the server asks for a password, disable
    "Access using Wi-Fi", reboot the phone and try again.

3.2 Method 2

Prepare the phone:

1. Connect the phone to the PC via USB cable.
2. Open Settings / "Storage and Access" and make sure "Access using
   Wi-Fi" is turned off.
3. Power down the phone.

The process to reproduce the problem:

1. Boot the phone.
2. Enter the PIN for the SIM card.
3. Enter the device password.
4. Open Settings.
5. Open "Network Connections". Make sure that Wi-Fi is switched off,
   "Mobile Hotspot" is "Not Connected" and "Internet Tethering" is
   off.
6. Open "Development Mode" and enable it. The phone's IP address is
   set to 169.254.0.1.
7. Wait for the message: "Developer mode active ...".
8. Wait for the message: "Connected to PC ...".
9. Open "Storage and Access", make sure "Access using Wi-Fi" is
   disabled.
10. Open the Gnome file browser Nautilus from the command line with:
    nautilus smb://169.254.0.1
11. If Nautilus does not show any share, close Nautilus and open it
    again. If it is still empty, repeat this step.
12. Try to open a share: Nautilus will ask for a password. Click
    Cancel. Nautilus will just ask again; press Cancel again. This
    is expected behaviour.
13. Close Nautilus.
14. Open Nautilus again, and leave the Nautilus window open.
15. Enable "Access using Wi-Fi" on the phone. The phone will ask for
    a password. Use a password which you have never used before (for
    the server) to make sure that credentials are not stored in the
    Gnome keychain.
16. Click on a share again. The share will be opened without asking
    for a password.
17. Disconnect the share and open Nautilus again with:
    nautilus smb://169.254.0.1
18. Open a share. Nautilus will show the contents of the share.
19. Create a folder and create a file.

Shutdown process:

1. Disconnect shares.
2. Disable "Access using Wi-Fi" in the phone's settings.
3. Shut down the phone.

A video of a demonstration is available at [3].
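Once the vendor fix is installed, the useful follow-up check is whether the file server refuses an anonymous session again, without clicking through Nautilus by hand. The script below is an added example and not part of the modzero advisory: it runs the Samba command-line client `smbclient` with `-N` (no password) and `-L` (list shares) against a host address you supply and classifies the answer. The `smbclient` flags and the `NT_STATUS_*` codes are the tool's own; the sample share table used for the offline self-test, the share names in it and the default address 192.0.2.10 are constructed.

```python
"""Verify that an SMB host refuses anonymous share listing.

Added example (not from the modzero advisory). It runs the Samba client
`smbclient -N -L <host>` (-N: no password, -L: list shares) and classifies
the result, so a patched device can be confirmed to demand credentials
again. The sample outputs below are constructed.
"""
import subprocess
import sys
from typing import Callable, List, Tuple

# Classification labels
AUTH_REQUIRED = "auth-required"          # anonymous session was rejected
ANONYMOUS_LISTING = "anonymous-listing"  # shares were listed with no password
UNREACHABLE = "unreachable"              # no SMB answer (or smbclient missing)

# smbclient reports a rejected anonymous session with one of these NT status codes
REJECT_MARKERS = ("NT_STATUS_ACCESS_DENIED", "NT_STATUS_LOGON_FAILURE")

# Constructed sample of a successful `smbclient -L` share table (tab-indented,
# as smbclient prints it). Share names are placeholders, not the Z10's.
SAMPLE_LISTING = (
    "\n\tSharename       Type      Comment\n"
    "\t---------       ----      -------\n"
    "\tdocuments       Disk      \n"
    "\tmedia           Disk      \n"
    "\tIPC$            IPC       IPC Service\n"
    "\n"
)


def parse_share_names(stdout: str) -> List[str]:
    """Return the share names found in an smbclient -L share table."""
    shares = []
    in_table = False
    for line in stdout.splitlines():
        parts = line.split()
        if parts and parts[0] == "Sharename":
            in_table = True
            continue
        if not in_table:
            continue
        if not parts:                      # blank line closes the table
            in_table = False
        elif len(parts) >= 2 and parts[1] in ("Disk", "IPC", "Printer"):
            shares.append(parts[0])        # the "-----" underline row never matches
    return shares


def classify_smbclient_output(returncode: int, stdout: str, stderr: str) -> str:
    """Map one smbclient run to AUTH_REQUIRED / ANONYMOUS_LISTING / UNREACHABLE."""
    # Any listed data share means the server answered an anonymous session,
    # whatever the exit code (newer smbclient versions exit non-zero when the
    # later SMB1 workgroup lookup fails even though the share list succeeded).
    data_shares = [s for s in parse_share_names(stdout) if s.upper() != "IPC$"]
    if data_shares:
        return ANONYMOUS_LISTING
    combined = stdout + "\n" + stderr
    if any(marker in combined for marker in REJECT_MARKERS):
        return AUTH_REQUIRED
    return UNREACHABLE


def run_smbclient(host: str) -> Tuple[int, str, str]:
    """Invoke the real smbclient binary; returns (exit code, stdout, stderr)."""
    try:
        proc = subprocess.run(
            ["smbclient", "-N", "-L", host],
            capture_output=True, text=True, timeout=20,
        )
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        return 127, "", str(exc)
    return proc.returncode, proc.stdout, proc.stderr


def check_anonymous_access(
    host: str, run: Callable[[str], Tuple[int, str, str]] = run_smbclient
) -> str:
    """Probe `host` and classify; `run` is injectable so the logic can be tested offline."""
    rc, out, err = run(host)
    return classify_smbclient_output(rc, out, err)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # constructed default
    verdict = check_anonymous_access(target)
    print(f"{target}: {verdict}")
    # Exit 0 only when the server demanded credentials, so the check can gate a rollout
    sys.exit(0 if verdict == AUTH_REQUIRED else 1)
```

Run it as `python3 check_smb_auth.py 10.0.0.149` with the phone's address from Method 1; a patched device should yield `auth-required`. Because the advisory notes that the bug appears only in some boots, repeat the check across several reboots rather than trusting a single pass.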

---------------------------------------------------------------------

4. Impact

---------------------------------------------------------------------

The authentication bypass results in read and write access to
enabled shares. Thus, sensitive data may be accessed by unauthorized
or malicious network clients or users. Since the share is also
writable, attackers are able to distribute targeted malware to
certain mobile-phone users.
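The impact described above is a client reaching a share without any authenticated user behind the session. On a Samba host you administer, that condition is visible in smbd's connect message, which records the account a tree connect runs as, so the same failure mode can be detected from logs. The routine below is an added example, not part of the advisory: it scans smbd log text for share connects mapped to a guest account or arriving from outside an allowed network. The message layout it matches follows smbd's standard "connect to service ... initially as user ..." line (assumed here, with a constructed source-file position); the log lines, client addresses, share names, the guest-account names and the trusted network 10.0.0.0/24 are constructed.

```python
"""Flag share connects that ran without an authenticated user, from smbd log text.

Added example (not from the modzero advisory). On the Z10 the file server
handed out shares with no credentials; on any Samba host the same condition
shows up in smbd's connect message, where the tree connect runs as the guest
account instead of a real user. The log lines below are constructed; the
message layout is assumed to be smbd's standard one at log level >= 1.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Assumed smbd message:
#   <name> (ipv4:<addr>:<port>) connect to service <share> initially as user <user> (uid=<n>, gid=<n>) (pid <n>)
CONNECT_RE = re.compile(
    r"\((?P<proto>ipv4|ipv6):(?P<ip>.+?):(?P<port>\d+)\) "
    r"connect to service (?P<share>\S+) initially as user (?P<user>\S+) "
    r"\(uid=(?P<uid>\d+), gid=(?P<gid>\d+)\)"
)

# Accounts that guest/anonymous sessions are mapped to (assumed deployment detail)
GUEST_ACCOUNTS = {"nobody", "guest"}
NOBODY_UID = 65534

# Constructed sample: one authenticated connect, two guest connects, one unrelated line
SAMPLE_LOG = """\
[2014/08/14 10:02:11.103422,  1] source3/smbd/service.c:1000(make_connection_snum)
  laptop (ipv4:10.0.0.23:50112) connect to service documents initially as user alice (uid=1001, gid=1001) (pid 4021)
[2014/08/14 10:02:40.551210,  1] source3/smbd/service.c:1000(make_connection_snum)
  unknown (ipv4:10.0.0.77:50210) connect to service documents initially as user nobody (uid=65534, gid=65534) (pid 4033)
[2014/08/14 10:03:02.018877,  1] source3/smbd/service.c:1000(make_connection_snum)
  unknown (ipv4:198.51.100.7:41000) connect to service media initially as user nobody (uid=65534, gid=65534) (pid 4040)
[2014/08/14 10:03:05.000000,  1] source3/smbd/service.c:1200(close_cnum)
  laptop (ipv4:10.0.0.23:50112) closed connection to service documents
"""


def parse_connect(line: str) -> Optional[Dict]:
    """Extract client address, share and account from one connect line, else None."""
    m = CONNECT_RE.search(line)
    if not m:
        return None
    return {
        "ip": m.group("ip").strip("[]"),   # smbd may bracket IPv6 literals
        "share": m.group("share"),
        "user": m.group("user"),
        "uid": int(m.group("uid")),
    }


def find_unauthenticated_access(log_text: str, trusted_nets: Iterable[str]) -> List[Dict]:
    """Return connect events that ran as a guest account or came from outside trusted_nets."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_nets]
    findings = []
    for line in log_text.splitlines():
        event = parse_connect(line)
        if event is None:
            continue
        reasons = []
        if event["user"] in GUEST_ACCOUNTS or event["uid"] == NOBODY_UID:
            reasons.append("guest-session")      # share reached with no authenticated user
        client = ipaddress.ip_address(event["ip"])
        if not any(client in net for net in nets):
            reasons.append("untrusted-network")  # e.g. a peer on public Wi-Fi
        if reasons:
            findings.append({**event, "reasons": reasons})
    return findings


def guest_connects_per_client(findings: List[Dict]) -> Counter:
    """Count guest sessions per client address; a burst from one address suggests scanning."""
    return Counter(f["ip"] for f in findings if "guest-session" in f["reasons"])


if __name__ == "__main__":
    for finding in find_unauthenticated_access(SAMPLE_LOG, ["10.0.0.0/24"]):
        print(f'{finding["ip"]} -> {finding["share"]} as {finding["user"]}: {", ".join(finding["reasons"])}')
```

The two signals are deliberately separate: a guest session on a trusted network still means the share was reached with no credentials (the Z10 condition), while an authenticated session from an untrusted network is a policy question rather than an authentication failure. Feed it real smbd logs by replacing `SAMPLE_LOG` with the file contents and adjusting `GUEST_ACCOUNTS` to the `guest account` setting of your smb.conf.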

---------------------------------------------------------------------

5. Workaround

---------------------------------------------------------------------

To reduce the risks in public wireless networks, disable "Access
using Wi-Fi" in the "Settings / Storage and Access" dialog.


---------------------------------------------------------------------

6. Fix

---------------------------------------------------------------------

Vendor provided bugfix.

---------------------------------------------------------------------

7. Credits

---------------------------------------------------------------------

* David Gullasch (dagu@modzero.ch)
* Max Moser (mmo@modzero.ch)
* Martin Schobert (martin@modzero.ch)

---------------------------------------------------------------------

8. About modzero

---------------------------------------------------------------------

The independent Swiss company modzero AG assists clients with
security analysis in the complex areas of computer technology. The
focus lies on highly detailed technical analysis of concepts,
software and hardware components as well as the development of
individual solutions. Colleagues at modzero AG work exclusively in
practical, highly technical computer-security areas and can draw on
decades of experience in various platforms, system concepts, and
designs.

http://modzero.ch

contact@modzero.ch

---------------------------------------------------------------------

9. Disclaimer

---------------------------------------------------------------------

The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use of
the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

---------------------------------------------------------------------

10. References

---------------------------------------------------------------------

[1] Moving or copying media files and documents:
    http://docs.blackberry.com/en/smartphone_users/deliverables/47561/als1334683894417.jsp
[2] How to copy files to and from a BlackBerry Z10 over a Wi-Fi
    network: http://helpblog.blackberry.com/2013/03/copy-z10-files-wifi/
[3] Proof-of-Concept video: http://modzero.ch/advisories/media/mz-13-04-poc.mp4