Authentication Bypass Bug Fixed in BlackBerry Z10

There’s a remotely exploitable authentication bypass vulnerability in the BlackBerry Z10 phone that affects the service that lets users share files with machines on a wireless network. The bug could allow an attacker to steal users’ personal data or hit them with targeted malware.

The Z10 is one of BlackBerry’s top tier devices and includes a feature that separates personal and corporate data and also supports encryption. The device also includes a service that enables users to do ad-hoc file sharing with devices on nearby wireless networks. Researchers at Modzero in Switzerland discovered a vulnerability that allows an attacker to bypass the authentication mechanism that protects that service.

“The mobile phone offers a  network service (‘Storage and Access’) for adhoc file-exchange between the phone and a network client. To achieve these goals, the mobile device deploys a Samba fileserver, which  can  be used  to  upload  or download  files  to  or from  the Blackberry phone. To enable fileserver access from wireless networks, the user has to explicitly enable  ‘Access using Wi-Fi’ on the phone. Afterwards, the Z10 asks the  user to  enter a password that  is required to get access to  the   fileserver,” the Modzero advisory says.

“The fileserver implementation or the password handling that is used on the Z10 is affected by an authentication by-pass vulnerability.”

“The fileserver implementation or the password handling that is used on the  Z10 is affected by an authentication by-pass vulnerability:  The fileserver fails to ask  for a password  and allows unauthenticated users  to obtain read and write access to the offered shares. The severity is considered medium to  high, as an attacker may be  able to distribute targeted malware or access confidential data.”

The researchers discovered two methods for exploiting the vulnerability, but they said that the condition is not always reproducible and may take several attempts to show up.

“The problem occurs, when “Sharing via  Wi-Fi” has been enabled on the Z10. The “Storage and  Access” dialog of the Z10 asks  the user for a password that shall  be used to access data on  the fileserver. Under certain circumstances, the fileserver fails to ask for a password and allows  access even without specifying  credentials. This behaviour does not always  occur but is reproducible within at  most one of ten different tries via Wi-Fi,” the advisory says.

“The  first   approach  let  users  access  the fileserver via the wireless LAN interface without using the developer mode, which  is the most  common scenario. The second  approach gives access via USB cable. In this  second approach, the developer mode is activated to enable  TCP/IP communication via USB.  The second method is more reliable for reproducing the effect and for tracking down the root cause.”

BlackBerry has produced a patch for the vulnerability and pushed it to carriers.

Provided from: threatpost.