[JuiciPatties]

Didn't see this posted here, so wondering if this is legit or not. This was posted on Threatpost.com. Here is the link for your reference, but I will include the entire article in case there are those that are going to claim that I'm trying to get hits for them.

LINK:
https://threatpost.com/blackberry-10...llation/108830

ARTICLE:

BlackBerry has patched a vulnerability in its BlackBerry 10 devices that could allow an attacker to intercept users’ traffic to and from the BlackBerry World app store and potentially install malware on a targeted device.

The vulnerability is a weakness in the integrity checking system that BlackBerry uses to verify the apps that users download. If an attacker is able to gain a man-in-the-middle position between a user and the BlackBerry World servers, he could replace the legitimate requested app with malware. BlackBerry officials say that the vulnerability only affects the devices running BlackBerry 10, and recommend that install the new version of the World app as soon as possible.

“A vulnerability exists in the BlackBerry World service’s download mechanism, which is used by the BlackBerry World app on affected BlackBerry 10 smartphones. BlackBerry World allows you to search for and download apps for your BlackBerry device. BlackBerry World employs application integrity checking and secure download methods to ensure that the correct app is downloaded and installed,” the BlackBerry advisory says. “

In some cases, a weakness in these methods could allow an attacker, through a man-in-the-middle attack, to intercept a user’s BlackBerry World application download and, as a result, install malware on the device. Successful exploitation of this vulnerability could potentially result in an attacker gaining access to any data or settings that are accessible through the permissions that the user accepted when installing the malicious app.”

The vulnerability affects versions 10.2, 10.2.1 and 10.3 of the BlackBerry World app. The company said that user communications with
BlackBerry World now are done over SSL, which can help protect against MITM attacks.

Anyone in the know if this is true? I haven't seen an update to Blackberry World in a while (I don't have a good memory though). Good news is that they have patched it, but a bit shocked if this existed in the first place.

[art ur]

Maybe Xsacha can say more about that?

Posted via CB10

[diegonei]

If it is true, it most likely refers to a patch that has already been applied. They do this all the time, you know. We just don't hear from it often.

Unlike iOS and Android, where the patch is usually issues after some measure of disaster happens.

[BCITMike]

I can see how they replace the bar file over the air, not sure how you can install it without noticing or being in development mode.

Posted via CB10

[diegonei]

I can see how they replace the bar file over the air, not sure how you can install it without noticing or being in development mode.

Posted via CB10

Have you ever heard of OS updates? One day there is an issue, the next it's patched.

Some issues are server-sided only and patches don't even need to be issued on the user end.

[Richard Buckley]

You could always go to the official source :
BSRT-2014-008 Vulnerability in BlackBerry World service affects BlackBerry 10 smartphones


EDIT:

According to BlackBerry SRT I'm already running the fixed version of BlackBerry World. You probably are too.

Edit 2:

Got to my desktop and fixed up presentation.

Resolution:
BlackBerry 10 OS version Resolution BlackBerry World versions:
10.3.0 Versions 5.1.0.53 and later
10.2.1 Versions 5.0.0.263 and later
10.2.0 Versions 5.0.0.262 and later

Interesting quote from Mitigations:

This issue is mitigated for all customers by the prerequisite that the attacker must persuade the customer to download the malicious application and accept the permissions.

In order to exploit this vulnerability, an attacker must gain control of the network that the customer is using to make the download/update request.

CVE identifier and score: CVE-2014-6611 — 4.3 This CVE was created September 18, 2014 which explains the BB World update.
Posted via CB10

[AnimalPak200]

Is this how Sacha's Sachesi app (from BB WORLD) works? Lol

Posted via CB10

[BCITMike]

Have you ever heard of OS updates? One day there is an issue, the next it's patched.

Some issues are server-sided only and patches don't even need to be issued on the user end.

Did you reply to the right post? Your reply doesn't make sense to reply to my post. I am talking about the man in the middle exploit (the vulnerability in question). Clarify where OS updates comes into discussion about apps and BBW vulnerability.

Edit: You thought I was asking how BlackBerry fixed it without users noticing, not how the hackers are installing the malware.

If an attacker is able to gain a man-in-the-middle position between a user and the BlackBerry World servers, he could replace the legitimate requested app with malware

User goes to BBW. Selects a file to download/install. File is first downloaded, and then installed (just checked, and it was downloaded and installed in 1 step). The malicious behaviour is that user wants file "X", and instead downloads file "Y", unbeknownst to them.

The fix could simply be "check MD5 of bar on server. check MD5 of bar that was downloaded".

But to repeat my point, it is my understanding that .bar files can only be installed if signed by BlackBerry or a developer with keys issued by BlackBerry. To install unsigned .bar files, you would need to be in development mode.

So the topic of my post, is really how is the malware packaged in .bar format that is successfully installed without being in developer mode? Is it from improper use of actual developer keys, or is it some spoofing/hacking/validation check bypass? Ever since we got the unlocked Android runtime, we haven't had to keep installing .bar's from self-signed developer keys like standard operating procedure in 2013. So I'm forgetting/unaware of the build process that makes the .bar file legit enough for BB10 to install it.

[Richard Buckley]

Did you reply to the right post? Your reply doesn't make sense to reply to my post. I am talking about the man in the middle exploit (the vulnerability in question). Clarify where OS updates comes into discussion about apps and BBW vulnerability.

Edit: You thought I was asking how BlackBerry fixed it without users noticing, not how the hackers are installing the malware.




User goes to BBW. Selects a file to download/install. File is first downloaded, and then installed (just checked, and it was downloaded and installed in 1 step). The malicious behaviour is that user wants file "X", and instead downloads file "Y", unbeknownst to them.

The fix could simply be "check MD5 of bar on server. check MD5 of bar that was downloaded".

But to repeat my point, it is my understanding that .bar files can only be installed if signed by BlackBerry or a developer with keys issued by BlackBerry. To install unsigned .bar files, you would need to be in development mode.

So the topic of my post, is really how is the malware packaged in .bar format that is successfully installed without being in developer mode? Is it from improper use of actual developer keys, or is it some spoofing/hacking/validation check bypass? Ever since we got the unlocked Android runtime, we haven't had to keep installing .bar's from self-signed developer keys like standard operating procedure in 2013. So I'm forgetting/unaware of the build process that makes the .bar file legit enough for BB10 to install it.

Developers are able to fully sign their applications to run on a device not in development mode. Running an application with the device in development mode requires that a developer token be installed on the device. Developer signing allows developers to provide unique applications to customers. If I'm paid to develop an application for company X specific to their business, they wouldn't want it in BlackBerry World for everyone to download. So this is not a miss use of signing.

Essentially, if you connect to BlackBerry World over a compromised network, such a a maliciously run Wi-Fi hotspot, the operator of the network could exploit a weakness in the protocol to substitute a different BAR file for the one requested.

Posted via CB10

[BCITMike]

Developers are able to fully sign their applications to run on a device not in development mode. Running an application with the device in development mode requires that a developer token be installed on the device. Developer signing allows developers to provide unique applications to customers. If I'm paid to develop an application for company X specific to their business, they wouldn't want it in BlackBerry World for everyone to download. So this is not a miss use of signing.

Essentially, if you connect to BlackBerry World over a compromised network, such a a maliciously run Wi-Fi hotspot, the operator of the network could exploit a weakness in the protocol to substitute a different BAR file for the one requested.

Posted via CB10

Ah, yes. Developer mode provided the way for getting more Android runtime stuff unlocked. And then the Android runtime caught up and/or native apk install was not necessary to keep doing developer mode. Thanks for the info.

Developer keys are issued by BlackBerry, IIRC, so if malware was ever found and analyzed, they would be able to trace back the IP that it was issued for? Though I imagine they're smart enough to use a VPN or something when connecting to BlackBerry servers.

This seems realistically exploitable so long as the replacement app has same/similar name as the intended app or a generic name enough not to draw attention when prompting for permissions. If it wasn't protected by an SSL connection before the BBW update, given how NSA has wire taps on major internet feeds, what would stop them from man in the middling this exploit? I think this is within the realm of people actually putting forth the effort to reproduce this attack (though not me).

[Richard Buckley]

Ah, yes. Developer mode provided the way for getting more Android runtime stuff unlocked. And then the Android runtime caught up and/or native apk install was not necessary to keep doing developer mode. Thanks for the info.

I think you misunderstand the purpose of developer mode. It is intended to allow code to be run on a small subset of hardware without obtaining a signature from BlackBerry each time the application is built. This allows development to take place on isolated networks for security or convenience reasons.

Edit:

What you may be referring to here was the practice of some people pirating Android applications and making them available by using the developer token facility. The only reason they would have to do this is that their agreement with BlackBerry to get developer keys precluded using IP without permission. They probably felt that they couldn't get a proper signature, or if they did BlackBerry might cancel their keys. They were, however, at just as much risk using tokens because the BAR file is still signed by the developer keys and can be tracked back to the developer.

Developer keys are issued by BlackBerry, IIRC, so if malware was ever found and analyzed, they would be able to trace back the IP that it was issued for? Though I imagine they're smart enough to use a VPN or something when connecting to BlackBerry servers.

They could blacklist the keys.

This seems realistically exploitable so long as the replacement app has same/similar name as the intended app or a generic name enough not to draw attention when prompting for permissions. If it wasn't protected by an SSL connection before the BBW update, given how NSA has wire taps on major internet feeds, what would stop them from man in the middling this exploit? I think this is within the realm of people actually putting forth the effort to reproduce this attack (though not me).

The BSRT credits the researcher and organization that assisted with this vulnerability. Now that it is fixed they will likely publish a paper. If you want to know how far they got in producing demonstration code, and under what conditions you should look for and read that publication.

[xsacha]

Is this how Sacha's Sachesi app (from BB WORLD) works? Lol

No, my app does not use this exploit. My app is known to work on the latest firmwares and the very latest Blackberry World.

Using this exploit did allow sideloading on-device (without contacting a third-party to first upload and then download the app such as an appInstaller proxy).
It's a fairly obvious exploit that I have never seen any point with. You need a local proxy or similar for this to work. Basically, someone has to be controlling your internet flow. I know it doesn't require the use of a password (which is needed for the traditional method that appInstaller proxies use) but for my purposes it did not provide any benefit.
Basically, there is no risk to normal users here. Especially since the switch to using SSL ages ago.

It must have been reported a long time ago. Possibly at the start of the year since it is #8. We're up to exploit #290 this year.

[Bluenoser63]

Didn't see this posted here, so wondering if this is legit or not. This was posted on Threatpost.com. Here is the link for your reference, but I will include the entire article in case there are those that are going to claim that I'm trying to get hits for them.

LINK:
https://threatpost.com/blackberry-10...llation/108830

ARTICLE:


Anyone in the know if this is true? I haven't seen an update to Blackberry World in a while (I don't have a good memory though). Good news is that they have patched it, but a bit shocked if this existed in the first place.

There was a notification on August 1st of a new version of Blackberry World. This was a fixed version 5.0.0.263. This has been patched over two months ago.

[BCITMike]

Edit:

What you may be referring to here was the practice of some people pirating Android applications and making them available by using the developer token facility. The only reason they would have to do this is that their agreement with BlackBerry to get developer keys precluded using IP without permission. They probably felt that they couldn't get a proper signature, or if they did BlackBerry might cancel their keys. They were, however, at just as much risk using tokens because the BAR file is still signed by the developer keys and can be tracked back to the developer.

No, not piracy per se. On crackberry last year, the reason for debug tokens taking off was that BlackBerry had blacklisted some API's that only worked in development mode. Or at least for me and the majority of people. The Android runtime was not complete and so the released android runtime did not expose everything that was accessible when debug token was used. So it was for app compatibility more so than piracy. By November 2013, the unlocked Android runtime was in BBW, and that stopped the need for using developer tokens to get 'unlocked' android runtime. That's just to clarify why/how I used it, not arguing. We are on the same page and I understand what you said.

[Richard Buckley]

No, not piracy per se. On crackberry last year, the reason for debug tokens taking off was that BlackBerry had blacklisted some API's that only worked in development mode. Or at least for me and the majority of people. The Android runtime was not complete and so the released android runtime did not expose everything that was accessible when debug token was used. So it was for app compatibility more so than piracy. By November 2013, the unlocked Android runtime was in BBW, and that stopped the need for using developer tokens to get 'unlocked' android runtime. That's just to clarify why/how I used it, not arguing. We are on the same page and I understand what you said.

Fair enough. I'm not familiar with that use, but did see a lot of the other kind.

Posted via CB10