Vulnerabilities > CVE-2008-3246 - Code Injection vulnerability in multiple products

CVSS 9.3 - CRITICAL

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

blackberry

rim

CWE-94

critical

nessus

NVD

Published: 2008-07-21

Updated: 2017-08-08

Summary

Unspecified vulnerability in the PDF distiller component in the BlackBerry Attachment Service in BlackBerry Unite! 1.0 SP1 (1.0.1) before bundle 36 and BlackBerry Enterprise Server 4.1 SP3 (4.1.3) through 4.1 SP5 (4.1.5) allows user-assisted remote attackers to execute arbitrary code via a crafted PDF file attachment.

Vulnerable Configurations

Part	Description	Count
Application	Blackberry Blackberry Enterprise Server 4.1 Blackberry Enterprise Server 4.1.3 Blackberry Enterprise Server 4.1.4 Blackberry Enterprise Server 4.1.5 Blackberry Unite 1.0 Blackberry Unite 1.0.1	6
Application	Rim RIM Blackberry Enterprise Server 4.1.3 RIM Blackberry Enterprise Server 4.1.4 RIM Blackberry Enterprise Server 4.1.5 RIM Blackberry Enterprise Server FOR Domino * RIM Blackberry Enterprise Server FOR Exchange * RIM Blackberry Enterprise Server FOR Novell Groupwise * RIM Blackberry Unite 1.0 RIM Blackberry Unite 1.0.1	8

Common Weakness Enumeration (CWE)

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Common Attack Pattern Enumeration and Classification (CAPEC)

Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Nessus

NASL family	Windows
NASL id	BLACKBERRY_ES_PDF_VULN.NASL
description	The version of BlackBerry Enterprise Server / BlackBerry Unite! on the remote host reportedly contains a vulnerability in the PDF distiller component of the BlackBerry Attachment Service. A remote attacker may be able to leverage this issue to execute arbitrary code on the affected host subject to the privileges under which the application runs, generally
last seen	2020-06-01
modified	2020-06-02
plugin id	33550
published	2008-07-21
reporter	This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/33550
title	BlackBerry Multiple Products PDF Distiller Component PDF Processing Arbitrary Code Execution
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(33550); script_version("1.18"); script_cvs_date("Date: 2018/11/15 20:50:26"); script_cve_id("CVE-2008-3246"); script_bugtraq_id(30188); script_xref(name:"Secunia", value:"31092"); script_xref(name:"Secunia", value:"31141"); script_name(english:"BlackBerry Multiple Products PDF Distiller Component PDF Processing Arbitrary Code Execution"); script_summary(english:"Checks version and looks for workaround"); script_set_attribute(attribute:"synopsis", value: "The remote Windows host has an application that is affected by a code execution vulnerability"); script_set_attribute(attribute:"description", value: "The version of BlackBerry Enterprise Server / BlackBerry Unite! on the remote host reportedly contains a vulnerability in the PDF distiller component of the BlackBerry Attachment Service. A remote attacker may be able to leverage this issue to execute arbitrary code on the affected host subject to the privileges under which the application runs, generally 'Administrator', by sending an email message with a specially crafted PDF file and having that opened for viewing on a BlackBerry smartphone."); script_set_attribute(attribute:"see_also", value:"https://salesforce.services.blackberry.com/kbredirect/viewContent.do?externalId=KB15766"); script_set_attribute(attribute:"see_also", value:"https://salesforce.services.blackberry.com/kbredirect/viewContent.do?externalId=KB15770" ); script_set_attribute(attribute:"solution", value: "If using BlackBerry Enterprise Server, either upgrade to version 4.1 Service Pack 6 (4.1.6), apply an appropriate interim security software update, or prevent the Attachment Service from processing PDF files. If using BlackBerry Unite!, either upgrade to 1.0 Service Pack 1 (1.0.1) bundle 36 or later or prevent the Attachment Service from processing PDF files."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(94); script_set_attribute(attribute:"plugin_publication_date", value:"2008/07/21"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:rim:blackberry_enterprise_server"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc."); script_dependencies("blackberry_es_installed.nasl", "smb_hotfixes.nasl"); script_require_keys("BlackBerry_ES/Product", "BlackBerry_ES/Version", "BlackBerry_ES/AttachmentServer", "SMB/Registry/Enumerated"); script_require_ports(139, 445); exit(0); } include("global_settings.inc"); include("smb_func.inc"); include("misc_func.inc"); include("audit.inc"); prod = get_kb_item_or_exit("BlackBerry_ES/Product"); version = get_kb_item_or_exit("BlackBerry_ES/Version"); path = get_kb_item_or_exit("BlackBerry_ES/Path"); get_kb_item_or_exit("SMB/Registry/Enumerated"); if (isnull("BlackBerry_ES/AttachmentServer")) exit(0, "The host is not affected because BlackBerry Attachment Server isn't installed."); if ( ("Enterprise Server" >< prod && version !~ "4\.1\.[3-5] ") \|\| ( "Unite!" >< prod && version !~ "^(0\.\|1\.0 \|1\.0\.0 \|1\.0\.1 $Bundle ([0-9]\|[[0-2][0-9]\|3[0-5])$)" ) ) exit(0); # Connect to the appropriate share. port = kb_smb_transport(); login = kb_smb_login(); pass = kb_smb_password(); domain = kb_smb_domain(); if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init'); rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$"); if (rc != 1) { NetUseDel(); exit(0); } # Connect to remote registry. hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE); if (isnull(hklm)) { NetUseDel(); exit(0); } # Determine whether the workaround has been implemented. info = ""; if (report_paranoia > 1) { info = string( "Note, though, that Nessus did not check whether the\n", "workaround has been implemented because of the Report\n", "Paranoia setting in effect in effect when this scan was run.\n" ); } else { if ("Unite!" >!< prod) { key = "SOFTWARE\Research In Motion\BBAttachServer\BBAttachBESExtension"; key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED); if (!isnull(key_h)) { item = RegQueryValue(handle:key_h, item:"BBAttachFormatList"); if (!isnull(item)) { formats = item[1]; if ("\|pdf\|" >< formats) info += " - The format extensions field includes 'pdf'." + '\n'; } RegCloseKey (handle:key_h); } } key = "SOFTWARE\Research In Motion\BBAttachEngine\Distillers\LoadPDFDistiller"; key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED); if (!isnull(key_h)) { item = RegQueryValue(handle:key_h, item:"Enabled"); if (!isnull(item)) { enabled = item[1]; if (enabled) info += ' - The PDF distiller is enabled.\n'; } RegCloseKey (handle:key_h); } if (vuln) { if ("Unite!" >< prod \|\| max_index(split(vuln)) > 1) { info = string( "Nessus has determined that the workaround described in the\n", "vendor's advisory has not been implemented because :\n", "\n", info ); } else { info = string( "Nessus has determined that the workaround described in the\n", "vendor's advisory has only be partially implemented\n", "because :\n", "\n", info ); } } } RegCloseKey(handle:hklm); if (!info) { NetUseDel(); exit(0); } # Check if the patch for BlackBerry ES was applied. vuln = FALSE; if ("Unite!" >!< prod && !isnull(path)) { share = ereg_replace(pattern:"^([A-Za-z]):.", replace:"\1$", string:path); path2 = ereg_replace(pattern:"^[A-Za-z]:(.)", replace:"\1\", string:path); NetUseDel(close:FALSE); rc = NetUseAdd(login:login, password:pass, domain:domain, share:share); if (rc == 1) { dlls = make_list( "AttachServer\BBDecorator\BBRenderingDecorator.dll", "AttachServer\BBDecorator\BBXRenderingDecorator.dll", "AttachServer\BBDistiller\BBDM_PDF.dll" ); dll_probs = ""; foreach dll (dlls) { fh = CreateFile( file:path2+dll, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL, share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING ); if (!isnull(fh)) { ver = GetFileVersion(handle:fh); if (ver) { if ( ver[0] < 4 \|\| ( ver[0] == 4 && ( ver[1] < 1 \|\| ( ver[1] == 1 && ( ver[2] < 6 \|\| (ver[2] == 6 && ver[3] < 6) ) ) ) ) ) { file_version = string(ver[0], ".", ver[1], ".", ver[2], ".", ver[3]); dll_probs += ' - ' + dll + ' (version ' + file_version + ')\n'; vuln = TRUE; } } else dll_probs += ' - ' + dll + ' (unknown version)\n'; CloseFile(handle:fh); } else dll_probs += ' - ' + dll + ' (unable to open file)\n'; } # There's no vulnerability if we could determine the DLLs have been patched. if (!dll_probs) info = ""; # Otherwise if there's at least one patched file... else if (max_index(split(dll_probs)) < max_index(keys(dlls))) { if (max_index(split(dll_probs)) > 1) s = "s are"; else s = " is"; if (vuln) { info = string( info, "\n", "In addition, it appears that the patch has not been\n", "installed completely as the following file", s, " still\n", "vulnerable :\n", "\n", dll_probs ); } else exit(0, "There was an issue accessing at least one of the affected DLLs."); } } } NetUseDel(); # Report if an issue was found. if (info) { if (report_verbosity) { report = string( "\n", " Product : ", prod, "\n", " Version : ", version, "\n", " Comments : ", str_replace(find:'\n', replace:'\n ', string:info), "\n" ); security_hole(port:port, extra:report); } else security_hole(port); }

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

References