-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Nth Dimension Security Advisory (NDSA20121030)

Date: 30th October 2012
Author: Tim Brown
URL: /
Product: RIM BlackBerry PlayBook OS 1.0.8.6067
Vendor: RIM
Risk: Low

Summary

The web browser which comes as part of the RIM BlackBerry PlayBook OS can be tricked into disclosing the contents of local files by planting a malicious HTML file through the standard download mechanism. It should be noted that in order to exploit this issue, user interaction is required, as the user will need to confirm the download of the malicious HTML file.

After discussions with the vendor, CVE-2012-5828 was assigned to this vulnerability.

Solutions

Nth Dimension recommends that the vendor-supplied patches be applied.

Technical Details

It was identified that the PlayBook web browser could be forced to download rather than render HTML files and that, whilst the browser does prompt the user to confirm the location of the download, this download process defaults to an attacker-chosen location. Furthermore, once downloaded, it is possible to use the "Location" header to load the file from the attacker's chosen location using the "file://" URL handler, in such a manner that the downloaded HTML then has trusted access to the PlayBook file system. It is possible to craft an HTML download which, when opened, will lead to arbitrary JavaScript being executed in the local context. The "file://" URL handler is trusted to execute across domains.

History

On 12th February 2012, Nth Dimension supplied a PoC exploit for this issue to representatives of RIM. BBSIRT responded on the 20th to confirm that they had received the report and were investigating. RIM further notified Nth Dimension to confirm that all reported vulnerabilities were handled based on CVSS and that only critical vulnerabilities were deemed candidates for out-of-band patching. Less critical issues would however be addressed in future product updates.
Nth Dimension responded on 7th March 2012 to confirm that they agreed with this approach and that in their opinion the issue was not critical and did not warrant an expedited response. Nth Dimension asked to be kept in the loop regarding the release of a patch for this issue in due course.

On 19th September 2012, Nth Dimension asked for an update, in particular to establish whether a CVE had been assigned by RIM for this issue.

On 1st November 2012, RIM responded to say that "The changes for the issues are in the latest 2.1 builds for PlayBook. The build is currently available for WiFi only PlayBooks and we’re working with our carrier partners for testing and availability for build for the in-market cellular-enabled PlayBooks".

On 6th November 2012, RIM confirmed that CVE-2012-5828 had been assigned. They also confirmed that they believed testing of cellular PlayBooks would be completed by the end of the month. Nth Dimension responded, proposing 1st December 2012 as the embargo date.

Current

As of 1st November 2012, the state of the vulnerability is believed to be as follows. RIM have begun shipping a patch which it is believed successfully resolves the reported issue.

Thanks

Nth Dimension would like to thank all the security folk at RIM, in particular the BlackBerry Incident Response team, for the way they worked to resolve the issue.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJQuOONAAoJEPJhpTVyySo7wroP/iyrenO98wujw7sQrokND2Km
4CUHHE15NS9vYB9VMTVtPbRYO+t0FkdGqlCT23qUAUg0JICF1UT8hT+zg/09CicP
7V790tiZ0LhMpEBoCZlJeStxGOk6CRJyHFGFJZ1X87Vo2B6wkhqVspG1r6wE+EQg
40nDS6xiA74S1JlfBeFgiAcAvmtvpd8VbsjRAbGO49Aa7sEUt7i9QM41Hut8Uq9A
KCdYNTGJNnIQ9fx5hZ+Mtam60zJkDrQIx1yjFZ2Zxdq9SBzzsttq0JG1MckRySFN
YR+/lkOKL86O2K9TEi6b+swzdXTKKEzyywihKqJt4nJ757eFIzC7ZItmZ1YXOJTo
yGVsVer+Dcny3hlADwTjAu5a2ghBXM+P0DG6zwpJfyoMF/Douz93QlQVtr3cGBSz
EOJXRv2504Gr125kfDnE1quVwtZmDFm0hYhGAhXJ1lONoZhk7ER5jf/afnUCiGtu
bZZ2lY6JXuxojiuYhg3NL5O7KRyBfUbg1FCyNX9vOS6/9yKxcDPHI/9ufd7do6kZ
bbL/yzpwb8fjF2xGKAztjojYubiD4I9NNveEDZUNlVTGV0oqR6rGtU0oDBzawuUs
i1f+svO4QH8idfcyRA3UUjsWmU0yTmXcR6uEXkteplS+qpN7VQuRnl5ZYXzQFoXq
6ATeIinA4ZLqVO87aH+S
=JYhg
-----END PGP SIGNATURE-----
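The Technical Details section above rests on two HTTP response behaviours: an HTML document pushed down the browser's download path instead of being rendered, and a "Location" header that steers a web-origin page onto a "file://" URL. The following is an added example, not code from the advisory or from RIM, showing how a client, proxy or response-inspection tool can flag both behaviours and how a browser-side redirect policy that refuses non-http(s) targets closes the second step. The header names are standard; the function names and the sample responses are constructed for this example, and the file path in the sample is a placeholder rather than a real PlayBook location.

```python
"""Added example (not part of the Nth Dimension advisory): a defender-side
check for the two response behaviours described in Technical Details,
run over constructed sample HTTP responses.

1. An HTML body served with Content-Disposition: attachment, i.e. forced
   to download rather than render.
2. A 3xx redirect whose Location header points at a file:// URL, i.e. a
   web origin steering the browser onto the local file system.
"""
from urllib.parse import urlsplit

# Schemes a redirect from a web page may legitimately target.  Anything
# else (file, javascript, data, ...) is refused by the policy below.
ALLOWED_REDIRECT_SCHEMES = {"http", "https"}


def parse_response_headers(raw):
    """Parse the status line and header block of a raw HTTP response.

    Returns (status_code, headers); headers is keyed by lower-cased name.
    A repeated header keeps its last value, which is sufficient for the
    single-valued headers inspected here.
    """
    lines = raw.replace("\r\n", "\n").split("\n")
    status_line = lines[0]
    try:
        status_code = int(status_line.split()[1])
    except (IndexError, ValueError):
        raise ValueError("malformed status line: %r" % status_line)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line terminates the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers


def forces_html_download(headers):
    """True when an HTML document is being forced onto the download path."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    disp = headers.get("content-disposition", "").split(";")[0].strip().lower()
    return ctype == "text/html" and disp == "attachment"


def redirect_target_scheme(status_code, headers):
    """Scheme of the Location target for a 3xx response, else None."""
    if not (300 <= status_code < 400) or "location" not in headers:
        return None
    return urlsplit(headers["location"]).scheme.lower()


def is_safe_redirect(origin_url, status_code, headers):
    """Browser-side policy: a redirect from an http(s) page must stay on
    http(s).  A relative Location (empty scheme) inherits the origin's."""
    scheme = redirect_target_scheme(status_code, headers)
    if scheme is None:
        return True  # not a redirect, nothing to police
    if scheme == "":
        scheme = urlsplit(origin_url).scheme.lower()
    return scheme in ALLOWED_REDIRECT_SCHEMES


def classify_response(origin_url, raw):
    """Return the list of findings for one response (empty list = clean)."""
    status_code, headers = parse_response_headers(raw)
    findings = []
    if forces_html_download(headers):
        findings.append("html-forced-download")
    if not is_safe_redirect(origin_url, status_code, headers):
        scheme = redirect_target_scheme(status_code, headers)
        findings.append("redirect-to-%s-scheme" % scheme)
    return findings


# Constructed sample responses: illustrative header sets only, not traffic
# captured from a PlayBook or from any vendor server.
SAMPLES = {
    "forced_download": ("http://example.invalid/page",
                        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                        "Content-Disposition: attachment; filename=\"page.html\"\r\n\r\n"),
    "file_redirect": ("http://example.invalid/next",
                      "HTTP/1.1 302 Found\r\n"
                      "Location: file:///PLACEHOLDER-DOWNLOAD-DIR/page.html\r\n\r\n"),
    "benign_redirect": ("http://example.invalid/old",
                        "HTTP/1.1 301 Moved Permanently\r\n"
                        "Location: https://example.invalid/new\r\n\r\n"),
    "relative_redirect": ("https://example.invalid/a",
                          "HTTP/1.1 302 Found\r\nLocation: /b\r\n\r\n"),
}


def run_samples():
    """Classify every sample; returns {sample name: findings}."""
    return {name: classify_response(url, raw) for name, (url, raw) in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print("%-18s %s" % (name, ", ".join(findings) or "clean"))
```

The first check on its own is only a signal, since legitimate sites do serve HTML as an attachment; the second is the one a browser can enforce unconditionally, because there is no legitimate reason for a web origin to redirect into "file://".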