Bug Disclosure: Remote Code Execution In BlackBerry Workspaces Server
While performing a network penetration test for one of our clients at GDS, I came across a BlackBerry Workspaces (formerly WatchDox) Server. These servers can be deployed on customer networks and function as stand-alone appliances. According to BlackBerry:
BlackBerry(R) Workspaces lets you collaborate securely, with all the features you expect from an advanced enterprise file share and mobility solution. Create collaborative workspaces, share files inside and outside your organization, access your files from any device and ensure that the latest version of your file is always synced and available across all your devices.
What makes Workspaces different from competitive solutions is its file-level security. It offers 256-bit file encryption and access controls to ensure that only authorized users can access your files, even after they leave your network. Workspaces also embeds Digital Rights Management (DRM) protection into files, which means that you can control whether users are able to save, edit, copy or print the files.
I found that by issuing an HTTP request for a file inside of a particular directory, I could get a specific component of the product to return its source code.
By analyzing this source code, I was able to find a directory traversal vulnerability in unauthenticated file upload functionality. Exploiting this, I was able to then upload a web shell into another component’s webroot and obtain remote code execution. Because these kinds of servers house highly sensitive data, I’m sure you can imagine the sort of access this granted me within the client’s organization.
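The root cause described above is an upload handler that trusts a client-supplied filename. The following added example (my own illustration, not code from BlackBerry Workspaces or from the GDS write-up) shows the two checks a defender would want in such a handler: a validator that confines every upload to a single directory, and a classifier that flags traversal-looking filenames for logging. `UPLOAD_ROOT` is a constructed path, not one from the product.

```python
import os
from urllib.parse import unquote

# Constructed example directory; not a path from the product described above.
UPLOAD_ROOT = "/srv/uploads"


class UnsafeFilenameError(ValueError):
    """A client-supplied filename could escape the upload root."""


def traversal_indicators(client_name: str) -> list:
    """Classify why a filename looks like a traversal attempt (for logging/alerting)."""
    found = []
    decoded = unquote(client_name)
    if ".." in client_name:
        found.append("dotdot")
    if ".." in decoded and ".." not in client_name:
        found.append("encoded-dotdot")  # e.g. %2e%2e only visible after decoding
    if "/" in decoded or "\\" in decoded:
        found.append("separator")
    if decoded.startswith(("/", "\\")):
        found.append("absolute")
    if "\x00" in decoded:
        found.append("nul")
    return found


def safe_upload_path(client_name: str, root: str = UPLOAD_ROOT) -> str:
    """Return the only path a client filename may be written to, or raise."""
    # Decode exactly once; anything still encoded afterwards is just a literal filename.
    name = unquote(client_name)
    if not name or name in (".", "..") or "\x00" in name:
        raise UnsafeFilenameError("empty, dot or NUL filename: %r" % client_name)
    if "/" in name or "\\" in name:
        raise UnsafeFilenameError("path separators not allowed: %r" % client_name)
    root_real = os.path.realpath(root)
    dest = os.path.realpath(os.path.join(root_real, name))
    # Belt and braces: the resolved parent must be exactly the upload root.
    if os.path.dirname(dest) != root_real:
        raise UnsafeFilenameError("resolved outside upload root: %r" % client_name)
    return dest


def rejects(client_name: str) -> bool:
    """True when safe_upload_path refuses the filename."""
    try:
        safe_upload_path(client_name)
    except UnsafeFilenameError:
        return True
    return False
```

The separator check is deliberately strict: an upload endpoint has no legitimate reason to accept a directory component from the client, so refusing them outright is simpler and safer than trying to normalise them.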
For more information about how I was able to exploit these vulnerabilities, check out my blog post on the GDS blog here.