RIM BlackBerry DoS (Meeting Location)

Summary

RIM BlackBerry is a Java-based wireless connectivity solution providing phone, e-mail, and other services on a variety of handheld devices. It is possible to reboot the BlackBerry device by sending a specially crafted meeting request.

Credit:

The information has been provided by HexView.
The original article can be found at: http://www.hexview.com/docs/20041012-1.txt and: http://www.hexview.com/docs/20041014-1.txt


Details

Vulnerable Systems:
 * RIM BlackBerry 7230 with RIM BlackBerry Operating System software version 3.7.1.41. The BlackBerry was synchronized with Microsoft Exchange server using BlackBerry Enterprise Server for Microsoft Exchange.

Immune Systems:
 * The issue has been corrected in BlackBerry handheld software version 3.8 and above.

Insufficient validation of incoming calendar data makes it possible to cause a buffer overflow that leads to stack corruption. As a result, the device can be rebooted remotely (all stored messages will be lost, since RAM storage is reinitialized).

Example:
The issue can easily be reproduced by sending a standard Microsoft Outlook meeting request message with a very long string (over 128K) in the Location: field.
To force immediate user notification, set the meeting date/time to the past. The BlackBerry reboots when it tries to notify the user. No user action is required. A BlackBerry device can be rendered completely useless by queuing a number of such messages in the user's mailbox.
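
A gateway-side check for the condition described above, as an added example that is not part of the original advisory and not RIM or HexView code. It assumes the meeting request is available to the filter as iCalendar text; the 1024-character limit, the function names and the sample calendar are constructed for illustration.

```python
import re
from datetime import datetime, timezone

MAX_LOCATION_LEN = 1024  # assumed policy limit, far below the 128K in the advisory

# NAME, optional ;params (quoted params may contain ':'), then ':' and the value
PROP = re.compile(r'^([A-Za-z0-9-]+)((?:;(?:"[^"]*"|[^";:])*)*):(.*)$')


def unfold(ics_text):
    """Undo RFC 5545 folding: a line break followed by space/tab continues the line."""
    return re.sub(r"\r?\n[ \t]", "", ics_text).splitlines()


def inspect_events(ics_text, now=None, limit=MAX_LOCATION_LEN):
    """Return one finding per VEVENT whose LOCATION is longer than `limit` raw characters."""
    now = now or datetime.now(timezone.utc)
    findings, event = [], None
    for line in unfold(ics_text):
        if line.upper() == "BEGIN:VEVENT":
            event = {"location_len": 0, "past": False}
        elif line.upper() == "END:VEVENT" and event is not None:
            if event["location_len"] > limit:
                findings.append(event)
            event = None
        elif event is not None and (m := PROP.match(line)):
            name, value = m.group(1).upper(), m.group(3)
            if name == "LOCATION":
                event["location_len"] = len(value)
            elif name == "DTSTART" and (d := re.match(r"\d{8}T\d{6}", value)):
                # Simplification: local/TZID times are compared as if they were UTC.
                start = datetime.strptime(d.group(0), "%Y%m%dT%H%M%S")
                event["past"] = start.replace(tzinfo=timezone.utc) < now
    return findings


def fold(line, width=74):
    """Fold a content line the way a sender would (used only to build the sample)."""
    return "\r\n ".join(line[i:i + width] for i in range(0, len(line), width))


# Constructed sample: one ordinary event and one past-dated event with a long LOCATION.
SAMPLE = "\r\n".join([
    "BEGIN:VCALENDAR",
    "BEGIN:VEVENT", "DTSTART:20300101T100000Z", "LOCATION;LANGUAGE=en:Room 4", "END:VEVENT",
    "BEGIN:VEVENT", "DTSTART:20040101T100000Z", fold("LOCATION:" + "A" * 3000), "END:VEVENT",
    "END:VCALENDAR", ""])
```

The length is measured after unfolding, so a long value split across many short physical lines is still counted in full; the `past` flag marks events that would trigger the immediate notification the advisory describes.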

Vendor Status:
The vendor has issued an official advisory which can be found at: Support – RIM analysis of HexView advisory titled BlackBerry buffer overflow, DoS, and data loss
