There’s a remotely exploitable authentication bypass vulnerability in the BlackBerry Z10 phone that affects the service that lets users share files with machines on a wireless network. The bug could allow an attacker to steal users’ personal data or hit them with targeted malware.
The Z10 is one of BlackBerry’s top-tier devices and includes a feature that separates personal and corporate data and also supports encryption. The device also includes a service that enables users to do ad-hoc file sharing with devices on nearby wireless networks. Researchers at Modzero in Switzerland discovered a vulnerability that allows an attacker to bypass the authentication mechanism that protects that service.
“The mobile phone offers a network service (‘Storage and Access’) for ad hoc file-exchange between the phone and a network client. To achieve these goals, the mobile device deploys a Samba fileserver, which can be used to upload or download files to or from the BlackBerry phone. To enable fileserver access from wireless networks, the user has to explicitly enable ‘Access using Wi-Fi’ on the phone. Afterwards, the Z10 asks the user to enter a password that is required to get access to the fileserver,” the Modzero advisory says.
“The fileserver implementation or the password handling that is used on the Z10 is affected by an authentication bypass vulnerability: The fileserver fails to ask for a password and allows unauthenticated users to obtain read and write access to the offered shares. The severity is considered medium to high, as an attacker may be able to distribute targeted malware or access confidential data.”
The researchers discovered two methods for exploiting the vulnerability, but they said that the condition is not always reproducible and may take several attempts to show up.
“The problem occurs when ‘Sharing via Wi-Fi’ has been enabled on the Z10. The ‘Storage and Access’ dialog of the Z10 asks the user for a password that shall be used to access data on the fileserver. Under certain circumstances, the fileserver fails to ask for a password and allows access even without specifying credentials. This behaviour does not always occur but is reproducible within at most one of ten different tries via Wi-Fi,” the advisory says.
“The first approach lets users access the fileserver via the wireless LAN interface without using the developer mode, which is the most common scenario. The second approach gives access via USB cable. In this second approach, the developer mode is activated to enable TCP/IP communication via USB. The second method is more reliable for reproducing the effect and for tracking down the root cause.”
BlackBerry has produced a patch for the vulnerability and pushed it to carriers.