Summary This advisory concerns the forced disclosure of 2 vulnerabilities that were previously disclosed to BlackBerry. Disclosure has been forced since these vulnerabilities have been publicly disclosed (with PoC) on the exploit-db web site. Two local privilege escalation vulnerabilities have been identified that would ultimately result in malicious code being executed in a trusted context. The first allows direct code execution (http://www.exploit-db.com/exploits/32153/) whilst the second allows for the root password to be disclosed (http://www.exploit-db.com/exploits/32156/). It should be noted that Nth Dimension do not believe that the bug collision are due to a leak within BlackBerry but rather that these are the simply instances of multiple researchers identifying the same vulnerable code paths. Current As of the 11th March 2014, both the privilege escalation attacks have been disclosed by a 3rd party. In light of this and in the absence of any timely response from BlackBerry, Nth Dimension have opted to make full details public. -- Tim Brown <mailto:timb@xxxxxxxxxxxxxxxxxxxx> <http://www.nth-dimension.org.uk/>
Attachment:
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/