2014-04-08

CVE-2014-2389 - BlackBerry Z 10 - Buffer Overflow in qconnDoor

Summary

qconnDoor is a network service running on the BlackBerry Z10 that allows developers to access the device using BlackBerry's SDK tool-chain. The qconnDoor process is used, for example, to enable SSH access to the device; further functionality is not yet documented and may remain proprietary. Although the service is intended to be used by software developers in the BlackBerry developer mode only, it keeps running even when the developer mode is not enabled. The qconnDoor process runs with super-user privileges (UID 0, root).

modzero identified a stack-based buffer overflow in the qconnDoor service that can be triggered by an unauthenticated attacker. The overflow can only be triggered if the developer mode has been activated at least once during runtime, and it remains triggerable after the developer mode has been turned off again. Since the developer service is exposed to the (wireless) network and runs with administrative privileges, the risk of successful exploitation is considered high once the developer mode has been turned on and off during runtime.

Even if exploit mitigations initially prevent code execution, it is still possible to modify data variables in the affected service, which is a high risk as well.

All technical details and background on this issue and its analysis can be found in our security advisory:
http://www.modzero.ch/advisories/MZ-13-05-Blackberry_Z10-qconnDoor.txt.

Credits:

  • David Gullasch
  • Max Moser
  • Martin Schobert

References:

  • http://www.modzero.ch/advisories/MZ-13-05-Blackberry_Z10-qconnDoor.txt
  • http://www.blackberry.com

Posted by modzero | Filed under: blackberry, mobile, security, advisory