No Apology Required: Deconstructing BB10

Technology

Published on March 14, 2014

Author: duosecurity

Source: slideshare.net

No Apology Required Deconstructing BB10 CanSecWest 2014

Introduction • Presentation is exploratory • Research is on-going • Focused mostly on methodology, less on findings • Feel free to chat after (since we may run out of time) • Title is because stereotypical Canadians apologize for everything

Introduction • Ben Nell (bNull), Sr. Security Consultant, Accuvant Labs • Zach Lanier (quine), Sr. Security Researcher, Duo Security • Presentation foul: <--- mixing memes --->

Why this matters

Why this matters • You’re an appsec consultant and your customer asks you if BlackBerry Balance solves BYOD

Agenda • Previous Research • Platform Overview • Methodology • Attack Surface • Future Work

Previous Research

Our PlayBook stuff • Targeted predecessor of BB10 — TabletOS on BB PlayBook • Discovered AuthZ token disclosure for Bridge/Balance (steal all the corporate data) • RE’d firmware • Mirrored all of AppWorld (steal all the premium apps) • And more...

Our PlayBook stuff (cont’d) • Discovered that native apps can exec*() / spawn*() and open AF_INET sockets unfettered (no perm’s req’d) • Still true in BB10, but (even detached) child procs killed when app/parent ends • “Headless Apps” allow for background services, but special perms required • Granting of perms is contingent upon approval from RIM/BB signing service

Others • Julio Cesar Fort’s QNX research • SEC Consult BB10 paper • RPW’s BB10 preso (BH USA ’13) • Tim Brown’s various QNX/TabletOS/BB10 works

Platform Overview

Overview • ARM-based SoCs (Z10, Q10, and Z30 all Snapdragon S4 SoC) • BB10 (based on QNX Neutrino RTOS 8.0.0) • Major components (as of 10.2.1.1925): • WebKit (537.10 / 10.2.1.66) • Adobe Flash (11.1.121.199) • Adobe AIR (3.1.0.230) • BlackBerry Balance (isolated, corporate PIM)

QNX • Microkernel, only truly trusted component • Userspace kernel and process manager - procnto • Separation of network, I/O, HMI, etc. into separate components • Messaging layer provides IPC (QNX message passing + POSIX IPC abstraction) • Prev. public bugs disclosed by Ilja van Sprundel, Tim Brown, Julio Cesar Fort, cenobite, and others

Security Controls / Mitigations • OpenBSD/NetBSD pf • POSIX (filesystem) ACLs • Compiler & linker protections for native apps • Usual suspects: XN, ASLR, ProPolice, PIE + full RELRO

QDE/Momentics default build options

Security Features • Blackberry Balance • Encrypted, FACL’d “container” • a.k.a. “perimeter” • BES policy enforcements • DISA STIGs guide these

authman & permissions • authman service - maps app permissions to system resources • Filesystem permissions + POSIX ACLs, PF rules • Shell script and Python glue to bind it all together

authman & permissions • /dev/authman: resource manager “dispatch” path (QNX IPC endpoint) • /etc/authman: configs • Pair of files (".res" & ".acl"), named for profile type

authman & permissions • Controls access to app permissions (allow, prompt, deny) • Sets FACLs on filesystem objects based on app permission requested • Also sets process capabilities for certain permission types (e.g. “Headless apps”)

authman & pf • authman handles setting up (app) GID:rule mapping • Ex: limiting access to SapphireProxy (for BB Bridge) on 127.0.0.2

Output from sloginfo (tool to print the system log); the slide annotates three things in it: “capabilities” based on permissions, ACLs based on permissions, and pf rule(s):

Dec 06 01:53:04 5 41 0 authman: RX euid=89/egid=0, 'defapp ext __def personal dual 100001000 100001000 sys.browser.gYABgJYFHAzbeFMPCCpYWBtHAm0 "Browser" "Research In Motion Limited" "gYAAgNpMbwE-hW4khx0h8BidUeI" run_when_backgrounded manage_certificates access_location_services use_camera record_audio access_shared access_internet post_notification gain_oma_fl_group access_oma_fl_write_personal access_oma_fl_write_enterprise access_bbjma_data access_carrier_browser access_cclagent_service use_certmgr_server access_wifi_limited run_native permanent access_perimeter_personal'
Dec 06 01:53:04 5 41 0 authman: Requested caps:
Dec 06 01:53:04 5 41 0 authman: req:Allow execute
Dec 06 01:53:04 5 41 0 authman: Applying execute
Dec 06 01:53:04 5 41 0 authman: pf_remove_gid: scanning anchors for gid=100001000
Dec 06 01:53:04 5 41 0 authman: Requested caps:
Dec 06 01:53:04 5 41 0 authman: req:Allow run_when_backgrounded
Dec 06 01:53:04 5 41 0 authman: req:Allow manage_certificates
Dec 06 01:53:04 5 41 0 authman: req:Allow access_location_services
Dec 06 01:53:04 5 41 0 authman: req:Allow use_camera
Dec 06 01:53:04 5 41 0 authman: req:Allow record_audio
Dec 06 01:53:04 5 41 0 authman: req:Allow access_shared
Dec 06 01:53:04 5 41 0 authman: req:Allow access_internet
Dec 06 01:53:04 5 41 0 authman: req:Allow gain_oma_fl_group
Dec 06 01:53:04 5 41 0 authman: req:Allow access_oma_fl_write_personal
Dec 06 01:53:04 5 41 0 authman: req:Allow access_oma_fl_write_enterprise
Dec 06 01:53:04 5 41 0 authman: req:Allow access_bbjma_data
Dec 06 01:53:04 5 41 0 authman: req:Allow access_carrier_browser
Dec 06 01:53:04 5 41 0 authman: req:Allow access_cclagent_service
Dec 06 01:53:04 5 41 0 authman: req:Allow use_certmgr_server
Dec 06 01:53:04 5 41 0 authman: req:Allow access_wifi_limited
Dec 06 01:53:04 5 41 0 authman: req:Allow run_native
Dec 06 01:53:04 5 41 0 authman: req:Allow permanent
Dec 06 01:53:04 5 41 0 authman: req:Allow access_perimeter_personal
Dec 06 01:53:04 5 41 0 authman: Applying run_when_backgrounded
Dec 06 01:53:04 5 41 0 authman: Applying manage_certificates
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/certmgr/control
Dec 06 01:53:04 5 41 0 authman: Applying access_location_services
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_cell_cdma_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_cell_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/radioctrl/modem0/status_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/geomonitor/control
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=050, /pps/services/geolocation/geomonitor
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/control
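As an added example (not from the deck), a small parser over sloginfo lines of the shape shown above: it pairs each “Applying <permission>” with the set_acl_group_perms entries authman emits for it, decodes the octal group mode, and lists which PPS objects a given app GID ends up able to write, which is the audit view you want when the claim is that Balance separation rests on file permissions. The sample lines are constructed from the entries on the slide; the meaning of the three numeric fields after the timestamp is an assumption and they are not interpreted.

```python
import re
from collections import defaultdict

# Constructed sample: sloginfo lines in the shape shown on the slide above
# (gid, permission names and PPS paths taken from that slide).
SAMPLE_LOG = """\
Dec 06 01:53:04 5 41 0 authman: req:Allow manage_certificates
Dec 06 01:53:04 5 41 0 authman: req:Allow access_location_services
Dec 06 01:53:04 5 41 0 authman: pf_remove_gid: scanning anchors for gid=100001000
Dec 06 01:53:04 5 41 0 authman: Applying manage_certificates
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/certmgr/control
Dec 06 01:53:04 5 41 0 authman: Applying access_location_services
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_cell_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=050, /pps/services/geolocation/geomonitor
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/control
"""

# "Mon DD HH:MM:SS n n n authman: <message>"; the three numbers are not
# interpreted (their meaning is an assumption), only the message is parsed.
LINE_RE = re.compile(r"^\w{3} \d\d \d\d:\d\d:\d\d \d+ \d+ \d+ authman: (?P<msg>.*)$")
REQ_RE = re.compile(r"^req:Allow (?P<perm>\S+)$")
APPLY_RE = re.compile(r"^Applying (?P<perm>\S+)$")
ACL_RE = re.compile(r"^set_acl_group_perms: gid=(?P<gid>\d+), perms=(?P<perms>[0-7]{3}), (?P<path>\S+)$")
PF_RE = re.compile(r"^pf_remove_gid: scanning anchors for gid=(?P<gid>\d+)$")


def mode_to_rwx(octal):
    """Decode a three-digit octal mode such as '060' into (owner, group, other) rwx strings."""
    return tuple(
        "".join(ch if int(digit) & bit else "-" for ch, bit in (("r", 4), ("w", 2), ("x", 1)))
        for digit in octal
    )


def parse_authman_log(text):
    """Return (requested_perms, grants, pf_gids). grants maps (gid, permission)
    to the list of (pps_path, group_rwx) ACL entries authman applied for it."""
    requested, pf_gids, grants = set(), set(), defaultdict(list)
    current = None  # permission currently being applied
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if (r := REQ_RE.match(msg)):
            requested.add(r.group("perm"))
        elif (p := PF_RE.match(msg)):
            pf_gids.add(int(p.group("gid")))  # pf anchors rescanned for this app GID
        elif (a := APPLY_RE.match(msg)):
            current = a.group("perm")
        elif (acl := ACL_RE.match(msg)):
            _owner, group, _other = mode_to_rwx(acl.group("perms"))
            grants[(int(acl.group("gid")), current)].append((acl.group("path"), group))
    return requested, dict(grants), pf_gids


def writable_paths(grants, gid):
    """Audit view: every PPS object the app's GID was given group write access to."""
    return sorted(path for (g, _perm), entries in grants.items() if g == gid
                  for path, rwx in entries if "w" in rwx)
```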

PPS • “Persistent Publish / Subscribe” • Implemented by pps manager process • Simple interface for sharing data, notifications/eventing via filesystem objects

IPC • IPC is key in QNX • “Message passing” & signals implemented in microkernel • Other IPC (POSIX-compatible) mechanisms implemented by manager processes • [Diagram: IPC mechanisms (message passing: message copying, simple messages, channels, events such as pulses, signals and unblocks; shared memory; typed memory; signals; pipes; FIFOs) and where each is implemented (kernel vs. external process/manager)]

Application Model • Native (C/C++) • WebWorks / Cordova (HTML/JS) • Adobe AIR (Flash/AS, HTML/JS) • Android (Java/DEX) • 20 app perms documented, 340 unique app & sys perms observed

Application Model • App processes run with same UIDs, but separate GIDs (incl. supplemental GIDs) • Apps have separate data stores / “sandboxes” • With Balance/corporate separation, additional data stores • Production apps are signed by BB/RIM signing server

Our Approach to the Platform: meth·od·ol·o·gy

Testing Limitations

Testing Limitations • General lack of enthusiasm for BB10 as a target • General lack of public information about the system • Effective security controls • We’re left looking at a black box

OSINT Just ask the internet!

OSINT Existing previous work • Our PlayBook work • SEC Consult paper • Works by RPW, Tim Brown, Julio Cesar Fort, etc. • Not a ton of stuff out there https://www.sec-consult.com/fxdata/seccons/prod/downloads/sec_consult_vulnerability_lab_blackberry_z10_initial_analysis_v10.pdf

OSINT QNX Foundry • Man pages for QNXisms • Downloads • Forums • Wiki • Google dorks are golden…

OSINT Speaking of Google dorks…

OSINT • Some random RIM employee’s file dump? • Upcoming product feature assessment (hardware code names) • Upcoming project effort estimations / release dates

OSINT • Some random RIM employee’s file dump? • Internal bug tracker (internal URL)

OSINT • Some random RIM employee’s file dump? • Pre-release BB10 developer image for Winchester/PlayBook

Dynamic Analysis Watch it work and try to understand “why”

Dynamic Analysis • RIM wants to get your hacking^Wdevelopment projects up and running as quickly as possible! • Lots of SDK stuff, including a native SDK, giving us: • libc, libcurl, OpenSSL, V8, and tons more • Easy cross-compilation

Dynamic Analysis Development Tools Sample code

Dynamic Analysis • Momentics target navigator: proc/thread mem info, FS nav, etc. • Controller app: controls NFC, camera, geoloc, etc. for Simulator

Dynamic Analysis • Momentics provides QNX-specific versions/ builds of the typical toolchain • gdb • also objdump, nm, readelf, gcc, etc.

Dynamic Analysis • BlackBerry Simulator / QNX Software Dev Platform (SDP) • Gives us something similar to the real thing • We can have root access (* with a bit of work) • Access to tools relevant to the real thing • MDS Simulator • It’s like the non-official “platform” debug tool • A fully accessible QNX environment

Dynamic Analysis • Just another box on the network • Testing harness • Wireshark • Proxy (Burp and friends) • nmap • Various fuzzers • Custom stuff

Dynamic Analysis • There are lots of network services • [Figure: BB10 network services]

Dynamic Analysis • Unsurprisingly, logs => info • slogger (app event logger) and slogger2 (system event logger) • Readable on simulator with sloginfo and slog2info • slog* devices not readable on device :(

Dec 07 16:14:20.041 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 [ServiceManager] refreshing accounts list
Dec 07 16:14:20.042 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Calling AccountServicePrivate::accounts for service "contacts"
Dec 07 16:14:20.042 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Calling AccountServicePrivate::accounts
Dec 07 16:14:20.044 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 MNH(93): handleAccountUpdated accountId 4
Dec 07 16:14:20.045 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 Calling AccountServicePrivate::account for AccountKey = 4
Dec 07 16:14:20.052 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 GET 0x13
Dec 07 16:14:20.052 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 URL Buffer: http://127.0.0.1:8888/accounts/4
Dec 07 16:14:20.066 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 GET 0x1
Dec 07 16:14:20.066 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 URL Buffer: http://127.0.0.1:8888/accounts
Dec 07 16:14:20.072 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 Curl Easy perform
Dec 07 16:14:20.080 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Curl Easy perform
Dec 07 16:14:20.081 menu_service.2830447 menu_svc_logs 0 MS PIMCORE: command: GET method: /accounts URL:http://127.0.0.1:8888/accounts
Dec 07 16:14:20.082 phone.3567743 phone 0 [ I][18][PlatformContact:lookupByPhoneNu| 107] ContactService returns 0

Dynamic Analysis Debugging is a breeze

Target Host

Fuzzing…

Static Analysis For the things that can’t be watched

Static Analysis • Installation bundles • BAR format (hurr durr) • De-facto standard for any non-factory packages • META-INF directory • Code signatures and app info • “assets”

% zipinfo -l1 ./Gooby/arm/o.le-v7/Gooby-1_0_0_1.bar
META-INF/MANIFEST.MF
META-INF/AUTHOR.SF
META-INF/AUTHOR.EC
META-INF/RDK.SF
META-INF/RDK.EC
native/bar-descriptor.xml
native/icon.png
native/assets/main.qml
native/qm/Gooby.qm
native/Gooby.so
native/GoobyService
native/assets/.assets.index

Static Analysis MANIFEST.MF: Package Meta Info

Static Analysis MANIFEST.MF: Application Meta Info

Static Analysis MANIFEST.MF: Entry Point Info

Static Analysis MANIFEST.MF: Entry Point Info
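An added example, not part of the original deck, of a self-consistency check over a BAR bundle of the layout listed earlier: it builds a constructed stand-in for Gooby-1_0_0_1.bar in memory, reads asset name / SHA-512 digest pairs out of META-INF/MANIFEST.MF, and reports entries whose content no longer matches the manifest or that the manifest never lists, which is the first triage step before trusting any repackaged bundle. The Archive-Asset-Name / Archive-Asset-SHA-512-Digest key names and the placeholder .SF/.EC signature blocks are assumptions; verifying the signatures themselves is outside this example.

```python
import base64
import hashlib
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
# Signature files present in the bundle listing on the slide.
SIG_FILES = ("META-INF/AUTHOR.SF", "META-INF/AUTHOR.EC", "META-INF/RDK.SF", "META-INF/RDK.EC")


def b64_sha512(data):
    """Base64 SHA-512 digest, the form assumed for manifest digest entries."""
    return base64.b64encode(hashlib.sha512(data).digest()).decode()


def build_sample_bar(tamper=False):
    """Constructed stand-in for Gooby-1_0_0_1.bar: META-INF plus native/ assets (zip container)."""
    assets = {
        "native/bar-descriptor.xml": b"<qnx><id>com.example.gooby</id></qnx>",  # constructed
        "native/assets/main.qml": b"import bb.cascades 1.0\nPage {}\n",
        "native/Gooby.so": b"\x7fELF-stand-in",
    }
    lines = ["Archive-Manifest-Version: 1.1", "Package-Name: Gooby", ""]  # assumed key names
    for name, data in assets.items():
        lines += [f"Archive-Asset-Name: {name}", f"Archive-Asset-SHA-512-Digest: {b64_sha512(data)}", ""]
    if tamper:
        assets["native/Gooby.so"] = b"\x7fELF-modified"   # content changed after the manifest was written
        assets["native/extra.sh"] = b"#!/bin/sh\n"        # file the manifest never lists
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(MANIFEST, "\n".join(lines))
        for sf in SIG_FILES:
            z.writestr(sf, b"signature-block-placeholder")  # not verified here
        for name, data in assets.items():
            z.writestr(name, data)
    return buf.getvalue()


def parse_manifest(text):
    """Map asset name -> base64 SHA-512 digest from consecutive name/digest lines."""
    digests, name = {}, None
    for line in text.splitlines():
        if line.startswith("Archive-Asset-Name: "):
            name = line.split(": ", 1)[1]
        elif line.startswith("Archive-Asset-SHA-512-Digest: ") and name:
            digests[name] = line.split(": ", 1)[1]
            name = None
    return digests


def audit_bar(bar_bytes):
    """Return sorted findings; an empty list means every entry matches the manifest."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(bar_bytes)) as z:
        names = set(z.namelist())
        findings += [f"missing signature file {sf}" for sf in SIG_FILES if sf not in names]
        if MANIFEST not in names:
            return sorted(findings + ["missing manifest"])
        digests = parse_manifest(z.read(MANIFEST).decode())
        for name in names - {MANIFEST, *SIG_FILES}:
            if name not in digests:
                findings.append(f"unlisted entry {name}")
            elif b64_sha512(z.read(name)) != digests[name]:
                findings.append(f"digest mismatch {name}")
        findings += [f"listed but absent {n}" for n in digests if n not in names]
    return sorted(findings)
```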

Static Analysis Getting Firmware • MITM the CDN downloads • The “community” has built some good tools http://forums.crackberry.com/bb10-leaked-beta-os-f395/sachesi-firmware-extractor-searcher-installer-825409/

Static Analysis Getting Into the Firmware • “pbtools” • Mount the firmware in Simulator or SDP • SCP the files back out https://github.com/intrepidusgroup/pbtools

Static Analysis Shell Scripts • /base/scripts/ • Easy to read • grep-fu for great success! from “startup.sh”

Static Analysis Python: For everything important on BB10 that isn’t written in bash • Most of it is compiled Python (bytecode; *.pyc) • unpyc3.py https://code.google.com/p/unpyc3/

Static Analysis ActionScript • Decompile with Sothink / whatever • Most ActionScript apps handle front-end stuff qnx.AIRServices.ota.OtaUpdate

Static Analysis Compiled binaries • IDA cleanly disassembles • ARM / x86 • Without a public root, disassembly might be your best/only bet for dorking with many network services

Attack Surface http://www.harkavagrant.com/?id=250

Entry Points Where the device accepts data

IPC • Numerous IPC endpoints available • QNX channels particularly caught our eye • Wrote some horrible IPC scanners / fuzzers • Problem: not always sure WTF is on the other end of a channel (or able to attach to channel but unable to send) • Also DoS’d/froze device multiple times during mass channel scans

$ ./scanchan.py 643092
Could not find platform independent libraries <prefix>
Consider setting $PYTHONHOME to <prefix>[:<exec_prefix>]
[+] PID: 643092 - Connected to channel: 2
[-] PID: 643092 - Error for channel 6: [Errno 1] Operation not permitted
$ ./fchan1.py 1019928 16
[+] PID: 1019928 - Connected to channel: 16
(48, b"AAAAAAAAAAAAAAAA(coid, b'Hello!')n c x01x00x00x00x00x00x00x00x03x00x00x00x02x0 0x00x00Ox00x00x00sx16x00x00x00|x01x00| x00x00_x00x00|x02x00|x00x00_x01x00d x00x00S(x01x00x00x00N(x02x00x00x00u x04x00x00x00argsux06x00x00x00…

Network Services • Samba! • WWW! • WebDAV! • Proxies! • SSH! • Other stuff!

Network Services Local-hosted CGI scripts are used for device management “stuff” • Backup & restore • Application installation • Device reset • Limited logging control • Limited PIM management • Enterprise registration • Etc

WiFi • Many device management functions happen over HTTP/SMB with the option of operating over WiFi • Handset acts as a UPnP gateway • There are some real problematic areas observable over WiFi

USB • Mass storage? Nay, Ethernet! • Similar to WiFi (WWW/SMB), with additional capabilities

Bluetooth • Tether your handset to your tablet • BlackBerry “Bridge” / SapphireProxy (get it?*) • WebDAV • HTTP proxy • Protected by pf • This service has had problems in the past… • (* Barely recognizable BattleStar reference)

NFC It works and there are no security problems? • Haven’t really explored this ourselves. • Biggest concern likely bad NDEF message parsing by 3rd party native apps

Local Application • Malware / Client- side attacks • Insufficient controls on sensitive local file and network resources • Privilege escalations are like gold

Balance • An attempt at solving BYOD • “Perimeters” manage the separation between personal and enterprise applications, data, and network resources • Enterprise perimeter security is controlled by BES and enforced locally

Balance Concerned Consumer: Sounds great. How does it work? I am familiar with the iOS security model and might expect to see some sort of sandboxing technology to enforce this separation.

Balance RIM: I don’t want to say that it’s all based on file permissions… …but it’s all based on file permissions

Future Work

TODO • Further (re-)exploration of... • authman • system IPC endpoints • Balance • Android support • Radio (NFC, Cell/BB, BT) • HDMI, USB

Conclusion

Questions / Contact • https://twitter.com/quine / zach@n0where.org / zach@duosecurity.com • https://twitter.com/bnull / [NO_EMAIL_PROVIDED] <-- shameless plug
