BlackBerry 10 affected by a remote code execution vulnerability

Pierluigi Paganini April 09, 2014

BlackBerry issued an alert on a remote code execution vulnerability in the qconnDoor service that affects BlackBerry 10 smartphones.

A recent BlackBerry Security Advisory informed users of a remote code execution vulnerability (CVE-2014-1468) that affects BlackBerry 10 smartphones running OS versions earlier than 10.2.0.1055.

As described in the advisory, an attacker could exploit the vulnerability by sending a specially crafted message over a Wi-Fi network to the qconnDoor service running on the smartphone. The flaw requires that the user has enabled development mode on a smartphone connected to a Wi-Fi network. Development mode isn't enabled by default on BlackBerry 10 smartphones, so this requirement implies significant interaction with the targeted device.

“BlackBerry customer risk is limited by the inability of a potential attacker to force exploitation of the vulnerability without significant customer interaction or having physical access to the smartphone.”

The attack exploits a stack-based buffer overflow vulnerability in the qconnDoor service, which BlackBerry 10 OS implements to provide developer access, such as shell and remote debugging capabilities, to the smartphone.

“Successful exploitation of this vulnerability could potentially result in an attacker terminating the qconnDoor service running on a user’s BlackBerry smartphone. In addition, the attacker could potentially execute code on the user’s BlackBerry smartphone with the privileges of the root user (superuser).”

Exploitation of the vulnerability allows an attacker to execute code with superuser privileges.

The Wi-Fi scenario is not the only one: an attacker could also succeed by connecting the targeted mobile device to a computer with a USB cable and sending the malicious messages to the qconnDoor service.

blackberry-connect is a tool available in the BlackBerry Network Development Kit (NDK) that provides SSH connectivity to the BlackBerry 10 smartphone. As explained in the advisory, if the service is already connected using blackberry-connect, it is impossible for an attacker to compromise the qconnDoor service over Wi-Fi or USB.

The advisory invites users to install the latest software update to protect affected BlackBerry 10 smartphones and provides a few suggestions to mitigate the vulnerability:

  • A BlackBerry smartphone user with a vulnerable version of the BlackBerry 10 OS can avoid enabling development mode when Wi-Fi is enabled.
  • Customers who use development mode should disable the Wi-Fi network interface.
  • Customers who use development mode with the Wi-Fi network interface enabled should connect only to trusted wireless networks.
  • Users should connect their BlackBerry 10 smartphone over USB only to trusted computers.
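For administrators who need to triage a fleet against these conditions, the following added example (not part of the advisory or of any BlackBerry tooling) classifies devices from an inventory export. The CSV column names, device names and sample version values are constructed assumptions; only the fixed-version threshold 10.2.0.1055 comes from the article.

```python
import csv
import io

FIXED = (10, 2, 0, 1055)  # article: versions earlier than this are affected

# Constructed inventory; column names and version values are assumptions.
SAMPLE_INVENTORY = """device,os_version,dev_mode,wifi
bb-001,10.2.0.1055,on,on
bb-002,10.2.0.424,on,on
bb-003,10.1.0.4633,on,off
bb-004,10.1.0.273,off,on
bb-005,unknown,on,on
"""

def parse_version(text):
    """Return a tuple of ints, or None if the string is not dotted-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(os_version, dev_mode, wifi):
    version = parse_version(os_version)
    if version is None:
        return "unknown-version"      # cannot prove it is patched: review by hand
    # Compare numerically: as strings, "10.2.0.424" sorts after "10.2.0.1055"
    # and a vulnerable build would be reported as patched.
    if version >= FIXED:
        return "patched"
    if dev_mode == "on" and wifi == "on":
        return "wifi-exposed"         # the network scenario the advisory describes
    # Wi-Fi precondition not met; the USB-to-trusted-computers advice still applies.
    return "usb-guidance-only"

def triage(csv_text):
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["device"]: classify(r["os_version"], r["dev_mode"], r["wifi"])
            for r in rows}

if __name__ == "__main__":
    for device, status in triage(SAMPLE_INVENTORY).items():
        print(f"{device}: {status}")
```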

Pierluigi Paganini

(Security Affairs –  BlackBerry 10, mobile)


