April 2014 Archives
2014-04-08
CVE-2014-2389 - BlackBerry Z10 - Buffer Overflow in qconnDoor
Summary
qconnDoor is a network service running on the BlackBerry Z10 that lets developers access the device with BlackBerry's SDK tool-chain. Among other things, the qconnDoor process is used to enable SSH access to the device; further functionality is not documented and may remain proprietary. Although the service is intended only for software developers working in BlackBerry's developer mode, it keeps running even when developer mode is not enabled. The qconnDoor process runs as the super-user (UID 0, root).
modzero identified a stack-based buffer overflow in the qconnDoor service that an unauthenticated attacker can trigger. The overflow can only be triggered once developer mode has been activated during runtime, but it remains triggerable after developer mode has been turned off again. Since the developer service is exposed to the (wireless) network and runs with administrative privileges, the risk of successful exploitation is considered high once developer mode has been turned on and off during a single runtime.
Even where exploit mitigations initially prevent code execution, the overflow still allows an attacker to overwrite data variables in the affected service, which is a high risk in itself.
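To make the two points above concrete (an unauthenticated, length-prefixed copy into a fixed-size buffer, and a data-only overwrite that is still useful when code execution is blocked), here is an added C example. It is constructed for this page and is neither modzero's proof of concept nor BlackBerry's qconnDoor code: the one-byte length prefix, the `handler_frame` layout and all function names are assumptions, and the copy buffer and the adjacent flag are modelled as one struct because the layout of a real stack frame is up to the compiler.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical service state (assumption, not the real qconnDoor layout):
 * a 16-byte copy target followed directly by a state flag. Putting both in one
 * struct makes the adjacency deterministic, which a real stack frame is not. */
struct handler_frame {
    char     name[16];   /* fixed-size destination for network data */
    uint32_t dev_mode;   /* adjacent variable an overflow can clobber */
};

#define FRAME_BYTES (sizeof(struct handler_frame))   /* 20 on common ABIs */

/* Constructed wire format (assumption): one length byte, then that many payload bytes.
 * Returns 0 and sets *len when the whole payload is present in the message. */
static int parse_len(const unsigned char *msg, size_t msg_len, size_t *len)
{
    if (msg_len < 1) return -1;
    *len = msg[0];
    return (msg_len >= 1 + *len) ? 0 : -1;
}

/* Vulnerable pattern: the attacker-controlled length is validated against the
 * message but never against the destination. Bytes beyond name[] land in
 * dev_mode (and, for longer payloads, in whatever follows the frame).
 * The copy targets the frame's byte representation so the demo below, whose
 * payload stays inside the struct, has a defined and repeatable result. */
int handle_vulnerable(struct handler_frame *f, const unsigned char *msg, size_t msg_len)
{
    size_t len;
    if (parse_len(msg, msg_len, &len) != 0) return -1;
    memcpy((unsigned char *)f, msg + 1, len);   /* missing: len < sizeof f->name */
    return 0;
}

/* Hardened pattern: bound the copy by the destination, leave room for the
 * terminator, and reject oversized input instead of truncating silently. */
int handle_fixed(struct handler_frame *f, const unsigned char *msg, size_t msg_len)
{
    size_t len;
    if (parse_len(msg, msg_len, &len) != 0) return -1;
    if (len >= sizeof f->name) return -1;
    memcpy(f->name, msg + 1, len);
    f->name[len] = '\0';
    return 0;
}

/* Feeds one handler a constructed message that claims FRAME_BYTES bytes of
 * payload: 16 filler bytes for name[] followed by four 0x01 bytes aimed at
 * dev_mode (0x01010101 regardless of host endianness). Returns the resulting
 * dev_mode, or 0xFFFFFFFF if the handler rejected the message. */
uint32_t run_demo(int (*handler)(struct handler_frame *, const unsigned char *, size_t))
{
    struct handler_frame f;
    memset(&f, 0, sizeof f);                     /* developer mode off */

    unsigned char msg[1 + FRAME_BYTES];
    msg[0] = (unsigned char)FRAME_BYTES;         /* length says 20, buffer holds 16 */
    memset(msg + 1, 'A', sizeof f.name);
    memset(msg + 1 + sizeof f.name, 0x01, sizeof f.dev_mode);

    if (handler(&f, msg, sizeof msg) != 0) return 0xFFFFFFFFu;
    return f.dev_mode;
}

int main(void)
{
    printf("vulnerable handler: dev_mode = 0x%08x\n", run_demo(handle_vulnerable));
    printf("fixed handler:      result   = 0x%08x\n", run_demo(handle_fixed));
    return 0;
}
```

The vulnerable path never crashes and never needs a controlled return address; a single over-long message flips the adjacent state variable, which is exactly the kind of data-only outcome that remains available when mitigations such as stack cookies or non-executable stacks stop a classic code-execution exploit. The fixed path refuses the same message outright.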
All technical details and background on this issue and its analysis can be found in our security advisory: http://www.modzero.ch/advisories/MZ-13-05-Blackberry_Z10-qconnDoor.txt
Credits:
- David Gullasch
- Max Moser
- Martin Schobert
References:
- http://www.modzero.ch/advisories/MZ-13-05-Blackberry_Z10-qconnDoor.txt
- http://www.blackberry.com