17 Oct 2017

Remote Code Execution In BlackBerry Workspaces Server

While performing a network penetration test for one of our clients at GDS, I came across a BlackBerry Workspaces (formerly WatchDox) Server. These servers can be deployed on customer networks and function as stand-alone appliances. According to BlackBerry’s product webpage:

BlackBerry® Workspaces provides secure file storage, synchronization and sharing for every use case and budget.

Whether you need to enable personal productivity, facilitate team collaboration, or mobilize and transform your entire business, BlackBerry Workspaces is the best choice for secure file collaboration.

I found that by issuing an HTTP request for a file inside of a particular directory, I could get a specific component of the product to return its source code.

By analyzing this source code, I was able to find a directory traversal vulnerability in unauthenticated file upload functionality. By exploiting this, I was then able to upload a web shell into another component’s webroot and obtain remote code execution. Because these kinds of servers house highly sensitive data, I’m sure you can imagine the sort of access this granted me within the client’s organization.
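As an added example (not code from the post or from the product), here is the bug class described above from a defender's side: the naive join of a client-supplied filename onto an upload directory, beside a containment check that rejects any name resolving outside that directory. The upload root and the sample filenames are constructed for illustration.

```python
import posixpath

UPLOAD_ROOT = "/srv/workspaces/uploads"  # constructed path, not the product's real layout


def unsafe_destination(client_filename, upload_root=UPLOAD_ROOT):
    """Vulnerable pattern: the client-supplied name is joined straight onto the
    upload directory, so '../' segments (or an absolute name) walk out of it."""
    return posixpath.normpath(posixpath.join(upload_root, client_filename))


def safe_destination(client_filename, upload_root=UPLOAD_ROOT):
    """Hardened pattern: normalise, then prove the result is still strictly
    inside the upload root. Escapes are rejected, not silently cleaned up."""
    if not client_filename or "\x00" in client_filename:
        raise ValueError("empty or NUL-containing filename")
    # Treat backslashes as separators too, so 'a\..\..\b' cannot slip past a
    # check that only looks for '/'.
    candidate = client_filename.replace("\\", "/")
    root = posixpath.normpath(upload_root)
    dest = posixpath.normpath(posixpath.join(root, candidate))
    # commonpath is the containment test: it must equal the root, and the
    # destination must not be the root directory itself (e.g. '.' or 'x/..').
    if dest == root or posixpath.commonpath([root, dest]) != root:
        raise ValueError(f"path escapes upload root: {client_filename!r}")
    return dest


def triage(filenames):
    """Run a batch of client-supplied names through the hardened check and
    report, for each rejected one, where the naive join would have written."""
    report = {}
    for name in filenames:
        try:
            report[name] = ("accepted", safe_destination(name))
        except ValueError:
            report[name] = ("rejected", unsafe_destination(name))
    return report


if __name__ == "__main__":
    # Constructed sample inputs: one benign name, three traversal attempts.
    samples = [
        "report.pdf",
        "../../other-component/webroot/payload.jsp",
        "..\\..\\other-component\\webroot\\payload.jsp",
        "/other-component/webroot/payload.jsp",
    ]
    for name, (verdict, path) in triage(samples).items():
        print(f"{verdict:8} {name!r} -> {path}")
```

The rejected rows show why the check matters: the naive join lands the file in a sibling component's directory tree, exactly the condition that turns an upload bug into code execution.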

For more information about how I was able to exploit these vulnerabilities, check out my blog post on the GDS blog here.