No Apology Required: Deconstructing BB10 (CanSecWest 2014)


SLIDE 1

No Apology Required

Deconstructing BB10 CanSecWest 2014

SLIDE 2

Introduction

  • Presentation is exploratory
  • Research is on-going
  • Focused mostly on methodology, less on findings
  • Feel free to chat after (since we may run out of time)
  • Title is because stereotypical Canadians apologize for everything

SLIDE 4

Introduction

Ben Nell (@bNull)
  • Sr. Security Consultant, Accuvant Labs

Zach Lanier (@quine)
  • Sr. Security Researcher, Duo Security

Presentation foul: <--- mixing memes --->

SLIDE 5

Why this matters

SLIDE 6

Why this matters

SLIDE 7

Why this matters

You’re an appsec consultant and your customer asks you if BlackBerry Balance solves BYOD

SLIDE 8

Agenda

  • Previous Research
  • Platform Overview
  • Methodology
  • Attack Surface
  • Future Work
SLIDE 9

Previous Research

SLIDE 10

Our PlayBook stuff

  • Targeted predecessor of BB10: TabletOS on BB PlayBook
  • Discovered AuthZ token disclosure for Bridge/Balance (steal all the corporate data)
  • RE’d firmware
  • Mirrored all of AppWorld (steal all the premium apps)
  • And more...
SLIDE 11

Our PlayBook stuff (cont’d)

  • Discovered that native apps can exec*() / spawn*() and open AF_INET sockets unfettered (no perm’s req’d)
  • Still true in BB10, but (even detached) child procs killed when app/parent ends
  • “Headless Apps” allow for background services, but special perms required
  • Granting of perms is contingent upon approval from RIM/BB signing service

SLIDE 12

Others

  • Julio Cesar Fort’s QNX research
  • SEC Consult BB10 paper
  • RPW’s BB10 preso (BH USA ’13)
  • Tim Brown’s various QNX/TabletOS/BB10 works

SLIDE 13

Platform Overview

SLIDE 14

Overview

  • ARM-based SoCs (Z10, Q10, and Z30 all Snapdragon S4 SoC)
  • BB10 (based on QNX Neutrino RTOS 8.0.0)
  • Major components (as of 10.2.1.1925):
    • WebKit (537.10 / 10.2.1.66)
    • Adobe Flash (11.1.121.199)
    • Adobe AIR (3.1.0.230)
  • BlackBerry Balance (isolated, corporate PIM)

SLIDE 15

QNX

  • Microkernel, only truly trusted component
  • Userspace kernel and process manager - procnto
  • Separation of network, I/O, HMI, etc. into separate components
  • Messaging layer provides IPC (QNX message passing + POSIX IPC abstraction)
  • Prev. public bugs disclosed by Ilja van Sprundel, Tim Brown, Julio Cesar Fort, cenobite, and others

SLIDE 16

Security Controls / Mitigations

  • OpenBSD/NetBSD pf
  • POSIX (filesystem) ACLs
  • Compiler & linker protections for native apps
  • Usual suspects: XN, ASLR, ProPolice, PIE + full RELRO

SLIDE 17

QDE/Momentics default build options
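These build-time mitigations can be confirmed on a shipped native binary instead of being assumed from the Momentics defaults. What follows is an added example, not code from this talk or from BlackBerry: a Python checker that reads only the ELF32 headers and reports PIE (ET_DYN), a non-executable stack (PT_GNU_STACK without PF_X) and RELRO (PT_GNU_RELRO, counted as full only when the dynamic section also carries DT_BIND_NOW or DF_BIND_NOW). It assumes the GCC/ld toolchain in Momentics emits the standard GNU program headers; the sample image is constructed inside the block and holds headers only, so there is nothing to execute. ProPolice/stack canaries are not visible from headers and would need a symbol-table check for __stack_chk_fail, which the block leaves out.

```python
import struct

# ELF constants (System V ABI plus the GNU extensions the checker relies on)
ET_EXEC, ET_DYN = 2, 3
EM_ARM = 40
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DF_BIND_NOW = 0, 24, 30, 0x8
EHDR32_LEN, PHDR32_LEN, DYN32_LEN = 52, 32, 8


def check_hardening(data):
    """Report PIE / NX-stack / RELRO status of an ELF32 image from its headers only."""
    if data[:4] != b"\x7fELF" or data[4] != 1:          # EI_CLASS 1 = 32-bit
        raise ValueError("expected a 32-bit ELF image")
    end = "<" if data[5] == 1 else ">"                  # EI_DATA 1 = little-endian
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    (e_phoff,) = struct.unpack_from(end + "I", data, 28)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)

    nx_stack, relro_segment, dynamic = None, False, None
    for i in range(e_phnum):
        p_type, p_offset, _, _, p_filesz, _, p_flags, _ = struct.unpack_from(
            end + "8I", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)             # stack is NX only if not marked executable
        elif p_type == PT_GNU_RELRO:
            relro_segment = True                         # region the loader remaps read-only
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)

    bind_now = False
    if dynamic:
        off, size = dynamic
        for pos in range(off, off + size, DYN32_LEN):
            d_tag, d_val = struct.unpack_from(end + "iI", data, pos)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW):
                bind_now = True                          # all relocations resolved before main()

    relro = "full" if relro_segment and bind_now else "partial" if relro_segment else "none"
    return {"pie": e_type == ET_DYN,
            "nx": nx_stack is True,                       # missing PT_GNU_STACK is reported as not proven
            "relro": relro}


def build_sample_elf(pie=True, nx=True, full_relro=True):
    """Constructed minimal little-endian ARM ELF32: headers plus a dynamic segment, no code."""
    dyn_off = EHDR32_LEN + 3 * PHDR32_LEN
    dynamic = (struct.pack("<iI", DT_FLAGS, DF_BIND_NOW if full_relro else 0)
               + struct.pack("<iI", DT_NULL, 0))
    phdrs = (
        struct.pack("<8I", PT_DYNAMIC, dyn_off, 0, 0, len(dynamic), len(dynamic), PF_R | PF_W, 4)
        + struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, PF_R | PF_W | (0 if nx else PF_X), 16)
        + struct.pack("<8I", PT_GNU_RELRO, 0, 0, 0, 0, 0, PF_R, 1)
    )
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)   # ELF32, little-endian, version 1
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH",
                               ET_DYN if pie else ET_EXEC, EM_ARM, 1, 0, EHDR32_LEN, 0, 0,
                               EHDR32_LEN, PHDR32_LEN, 3, 40, 0, 0)
    return ehdr + phdrs + dynamic


if __name__ == "__main__":
    print(check_hardening(build_sample_elf()))
    print(check_hardening(build_sample_elf(pie=False, nx=False, full_relro=False)))
```

Against a real binary, pass `open(path, "rb").read()` to `check_hardening()`; a production app reporting `relro: partial` or `nx: False` is worth raising with the developer, since the defaults on this slide should have produced the full set.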

SLIDE 18

Security Features

  • BlackBerry Balance
    • Encrypted, FACL’d “container”
    • a.k.a. “perimeter”
  • BES policy enforcements
    • DISA STIGs guide these
SLIDE 19

authman & permissions

  • authman service - maps app permissions to system resources
  • Filesystem permissions + POSIX ACLs, PF rules
  • Shell script and Python glue to bind it all together

SLIDE 20

authman & permissions

  • /dev/authman: resource manager “dispatch” path (QNX IPC endpoint)
  • /etc/authman: configs
    • Pair of files (".res" & ".acl"), named for profile type
SLIDE 21

authman & permissions

  • Controls access to app permissions (allow, prompt, deny)
  • Sets FACLs on filesystem objects based on app permission requested
  • Also sets process capabilities for certain permission types (e.g. “Headless apps”)

SLIDE 22

authman & pf

  • authman handles setting up (app) GID:rule mapping
  • Ex: limiting access to SapphireProxy (for BB Bridge) on 127.0.0.2

SLIDE 23

  • “Capabilities” based on permissions
  • ACLs based on permissions
  • pf rule(s)
  • Output from sloginfo (tool to print system log)

Dec 06 01:53:04 5 41 0 authman: RX euid=89/egid=0, 'defapp ext __def personal dual 100001000 100001000 sys.browser.gYABgJYFHAzbeFMPCCpYWBtHAm0 "Browser" "Research In Motion Limited" "gYAAgNpMbwE-hW4khx0h8BidUeI" run_when_backgrounded manage_certificates access_location_services use_camera record_audio access_shared access_internet post_notification gain_oma_fl_group access_oma_fl_write_personal access_oma_fl_write_enterprise access_bbjma_data access_carrier_browser access_cclagent_service use_certmgr_server access_wifi_limited run_native permanent access_perimeter_personal'
Dec 06 01:53:04 5 41 0 authman: Requested caps:
Dec 06 01:53:04 5 41 0 authman: req:Allow execute
Dec 06 01:53:04 5 41 0 authman: Applying execute
Dec 06 01:53:04 5 41 0 authman: pf_remove_gid: scanning anchors for gid=100001000
Dec 06 01:53:04 5 41 0 authman: Requested caps:
Dec 06 01:53:04 5 41 0 authman: req:Allow run_when_backgrounded
Dec 06 01:53:04 5 41 0 authman: req:Allow manage_certificates
Dec 06 01:53:04 5 41 0 authman: req:Allow access_location_services
Dec 06 01:53:04 5 41 0 authman: req:Allow use_camera
Dec 06 01:53:04 5 41 0 authman: req:Allow record_audio
Dec 06 01:53:04 5 41 0 authman: req:Allow access_shared
Dec 06 01:53:04 5 41 0 authman: req:Allow access_internet
Dec 06 01:53:04 5 41 0 authman: req:Allow gain_oma_fl_group
Dec 06 01:53:04 5 41 0 authman: req:Allow access_oma_fl_write_personal
Dec 06 01:53:04 5 41 0 authman: req:Allow access_oma_fl_write_enterprise
Dec 06 01:53:04 5 41 0 authman: req:Allow access_bbjma_data
Dec 06 01:53:04 5 41 0 authman: req:Allow access_carrier_browser
Dec 06 01:53:04 5 41 0 authman: req:Allow access_cclagent_service
Dec 06 01:53:04 5 41 0 authman: req:Allow use_certmgr_server
Dec 06 01:53:04 5 41 0 authman: req:Allow access_wifi_limited
Dec 06 01:53:04 5 41 0 authman: req:Allow run_native
Dec 06 01:53:04 5 41 0 authman: req:Allow permanent
Dec 06 01:53:04 5 41 0 authman: req:Allow access_perimeter_personal
Dec 06 01:53:04 5 41 0 authman: Applying run_when_backgrounded
Dec 06 01:53:04 5 41 0 authman: Applying manage_certificates
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/certmgr/control
Dec 06 01:53:04 5 41 0 authman: Applying access_location_services
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_cell_cdma_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_cell_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/radioctrl/modem0/status_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/geomonitor/control
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=050, /pps/services/geolocation/geomonitor
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/control
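Read line by line, the sloginfo excerpt is a record of exactly which filesystem objects an app's GID was granted through authman. The following added example (not code from the talk) parses sloginfo output in that format and groups it per app: the decision logged for each permission, the set_acl_group_perms grants that each "Applying" step produced, and the PPS paths that ended up group-writable. The positional layout of the RX request string (GIDs at fields 5 and 6, app id at field 7, display name at field 8) is read off this one excerpt and is an assumption; the embedded log is a shortened, constructed excerpt in the same format.

```python
import re
import shlex
from collections import OrderedDict

# Constructed, shortened excerpt in the same format as the sloginfo output on the slide.
SAMPLE_LOG = """\
Dec 06 01:53:04 5 41 0 authman: RX euid=89/egid=0, 'defapp ext __def personal dual 100001000 100001000 sys.browser.gYABgJYFHAzbeFMPCCpYWBtHAm0 "Browser" "Research In Motion Limited" "gYAAgNpMbwE-hW4khx0h8BidUeI" run_when_backgrounded manage_certificates access_location_services run_native'
Dec 06 01:53:04 5 41 0 authman: Requested caps:
Dec 06 01:53:04 5 41 0 authman: req:Allow run_when_backgrounded
Dec 06 01:53:04 5 41 0 authman: req:Allow manage_certificates
Dec 06 01:53:04 5 41 0 authman: req:Allow access_location_services
Dec 06 01:53:04 5 41 0 authman: req:Allow run_native
Dec 06 01:53:04 5 41 0 authman: Applying run_when_backgrounded
Dec 06 01:53:04 5 41 0 authman: Applying manage_certificates
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/certmgr/control
Dec 06 01:53:04 5 41 0 authman: Applying access_location_services
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/control
Dec 06 01:53:04 5 41 0 authman: Applying run_native
"""

# One regex per message shape seen in the excerpt; everything else is ignored.
LINE_RE = re.compile(r"^\w{3} \d\d \d\d:\d\d:\d\d \d+ \d+ \d+ authman: (?P<msg>.*)$")
RX_RE = re.compile(r"^RX euid=(?P<euid>\d+)/egid=(?P<egid>\d+), '(?P<req>.*)'$")
REQ_RE = re.compile(r"^req:(?P<decision>\w+) (?P<perm>\S+)$")
APPLY_RE = re.compile(r"^Applying (?P<perm>\S+)$")
ACL_RE = re.compile(r"^set_acl_group_perms: gid=(?P<gid>\d+), perms=(?P<perms>[0-7]+), (?P<path>\S+)$")

GROUP_WRITE = 0o020  # group write bit of the octal mode authman logs (e.g. 060 = group rw)


def audit_authman(log):
    """Group authman log lines per app GID: decisions and the ACL grants each permission produced."""
    apps = OrderedDict()
    current, applying = None, None
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        rx = RX_RE.match(msg)
        if rx:
            # Assumed field layout, read off the slide:
            # defapp ext __def personal dual <gid> <gid> <app id> "<name>" "<vendor>" "<id>" perm...
            fields = shlex.split(rx.group("req"))
            gid = fields[5]
            current = apps.setdefault(gid, {"app": fields[7], "name": fields[8],
                                            "euid": int(rx.group("euid")),
                                            "decisions": OrderedDict(), "acls": [],
                                            "writable_paths": []})
            continue
        if current is None:
            continue
        req = REQ_RE.match(msg)
        if req:
            current["decisions"][req.group("perm")] = req.group("decision")
            continue
        ap = APPLY_RE.match(msg)
        if ap:
            applying = ap.group("perm")          # later ACL lines belong to this permission
            continue
        acl = ACL_RE.match(msg)
        if acl and acl.group("gid") in apps:
            mode = int(acl.group("perms"), 8)
            entry = apps[acl.group("gid")]
            entry["acls"].append((applying, acl.group("path"), mode))
            if mode & GROUP_WRITE:
                entry["writable_paths"].append(acl.group("path"))
    return apps


if __name__ == "__main__":
    for gid, info in audit_authman(SAMPLE_LOG).items():
        allowed = [p for p, d in info["decisions"].items() if d == "Allow"]
        print(gid, info["app"], "allowed:", allowed)
        print("  group-writable:", info["writable_paths"])
```

The writable-path list is the part worth diffing between firmware builds or between two apps requesting the same permission: a permission that quietly starts granting group write on a control object is a change in the platform's trust boundary, not just in the app.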
SLIDE 24

PPS

  • “Persistent Publish / Subscribe”
  • Implemented by pps manager process
  • Simple interface for sharing data, notifications/eventing via filesystem objects

SLIDE 25

IPC

  • IPC is key in QNX
  • “Message passing” & signals implemented in microkernel
  • Other IPC (POSIX-compatible) mechanisms implemented by manager processes

Message passing (message copying, simple messages, channels, events: pulses, signals, unblocks): Kernel
Signals: Kernel
Shared memory, pipes, FIFOs, typed memory: External process/manager

SLIDE 26

Application Model

  • Native: C/C++
  • WebWorks / Cordova: HTML/JS
  • Adobe AIR: Flash/AS/HTML/JS
  • Android: Java/DEX

20 app perms documented; 340 unique app & sys perms observed

SLIDE 27

Application Model

  • App processes run with same UIDs, but separate GIDs (incl. supplemental GIDs)
  • Apps have separate data stores/“sandboxes”
  • With Balance/corporate separation, additional data stores
  • Production apps are signed by BB/RIM signing server
SLIDE 28

Our Approach to the Platform

meth·od·ol·o·gy /ˌmeTHəˈdäləjē/

SLIDE 29

Testing Limitations

SLIDE 30

Testing Limitations

  • General lack of enthusiasm for BB10 as a target
  • General lack of public information about the system
  • Effective security controls
  • We’re left looking at a black box
SLIDE 31

OSINT

Just ask the internet!

SLIDE 32

OSINT

Existing previous work

  • Our PlayBook work
  • SEC Consult paper
  • Works by RPW, Tim Brown, Julio Cesar Fort, etc.
  • Not a ton of stuff out there

https://www.sec-consult.com/fxdata/seccons/prod/downloads/sec_consult_vulnerability_lab_blackberry_z10_initial_analysis_v10.pdf

SLIDE 33

OSINT

QNX Foundry

  • Man pages for QNXisms
  • Downloads
  • Forums
  • Wiki
  • Google dorks are golden…

SLIDE 34

OSINT

Speaking of Google dorks…

SLIDE 35

OSINT

Some random RIM employee’s file dump?

  • Upcoming product feature assessment
  • Hardware code names
  • Upcoming project effort estimations / release dates

SLIDE 36

OSINT

Some random RIM employee’s file dump?

  • Internal bug tracker
  • Internal URL

SLIDE 37

OSINT

Some random RIM employee’s file dump? Pre-release BB10 developer image for Winchester/PlayBook

SLIDE 38

Dynamic Analysis

Watch it work and try to understand “why”

SLIDE 39

Dynamic Analysis

RIM wants to get your hacking^Wdevelopment projects up and running as quickly as possible! Lots of SDK stuff, including a native SDK, giving us:

  • libc, libcurl, OpenSSL, V8, and tons more
  • Easy cross-compilation
SLIDE 40

Dynamic Analysis

Development Tools

Sample code

SLIDE 41

Dynamic Analysis

Momentics target navigator: proc/thread mem info, FS nav, etc.

Controller app: controls NFC, Camera, geoloc, etc. for Simulator

SLIDE 42

Dynamic Analysis

  • Momentics provides QNX-specific versions/builds of the typical toolchain
    • gdb
    • also objdump, nm, readelf, gcc, etc.
SLIDE 43

Dynamic Analysis

BlackBerry Simulator

  • Gives us something similar to the real thing
  • We can have root access*
  • Access to tools relevant to the real thing
  • MDS Simulator

QNX Software Dev Platform (SDP)

  • It’s like the non-official “platform” debug tool
  • A fully accessible QNX environment

* - with a bit of work

SLIDE 44

Dynamic Analysis

Just another box on the network

  • Testing harness
  • Wireshark
  • Proxy (Burp and friends)
  • nmap
  • Various fuzzers
  • Custom stuff
SLIDE 45

Dynamic Analysis

There are lots of network services

Twist: BB10 network services

SLIDE 46

SLIDE 47

Dynamic Analysis

  • Unsurprisingly, logs => info
  • slogger (app event logger) and slogger2 (system event logger)
  • Readable on simulator with sloginfo and slog2info
  • slog* devices not readable on device :(

Dec 07 16:14:20.041 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 [ServiceManager] refreshing accounts list
Dec 07 16:14:20.042 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Calling AccountServicePrivate::accounts for service "contacts"
Dec 07 16:14:20.042 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Calling AccountServicePrivate::accounts
Dec 07 16:14:20.044 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 MNH(93): handleAccountUpdated accountId 4
Dec 07 16:14:20.045 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 Calling AccountServicePrivate::account for AccountKey = 4
Dec 07 16:14:20.052 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 GET 0x13
Dec 07 16:14:20.052 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 URL Buffer: http://127.0.0.1:8888/accounts/4
Dec 07 16:14:20.066 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 GET 0x1
Dec 07 16:14:20.066 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 URL Buffer: http://127.0.0.1:8888/accounts
Dec 07 16:14:20.072 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 Curl Easy perform
Dec 07 16:14:20.080 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Curl Easy perform
Dec 07 16:14:20.081 menu_service.2830447 menu_svc_logs 0 MS PIMCORE: command: GET method: /accounts URL:http://127.0.0.1:8888/accounts
Dec 07 16:14:20.082 phone.3567743 phone 0 [ I][18][PlatformContact:lookupByPhoneNu| 107] ContactService returns 0 contacts for number '1212xxxxx40'.

SLIDE 48

Dynamic Analysis

Debugging is a breeze

SLIDE 49

Target Host

SLIDE 50

Fuzzing…

SLIDE 51

Static Analysis

For the things that can’t be watched

SLIDE 52

Static Analysis

Installation bundles

  • BAR format (hurr durr)
  • De-facto standard for any non-factory packages
  • META-INF directory
    • Code signatures and app info
  • “assets”

% zipinfo -l1 ./Gooby/arm/o.le-v7/Gooby-1_0_0_1.bar
META-INF/MANIFEST.MF
META-INF/AUTHOR.SF
META-INF/AUTHOR.EC
META-INF/RDK.SF
META-INF/RDK.EC
native/bar-descriptor.xml
native/icon.png
native/assets/main.qml
native/qm/Gooby.qm
native/Gooby.so
native/GoobyService
native/assets/.assets.index

SLIDE 53

Static Analysis

MANIFEST.MF: Package Meta Info

SLIDE 54

Static Analysis

MANIFEST.MF: Application Meta Info

SLIDE 55

Static Analysis

MANIFEST.MF: Entry Point Info

SLIDE 56

Static Analysis

MANIFEST.MF: Entry Point Info
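Slides 52 through 56 cover the BAR layout and the MANIFEST.MF sections. The following added example (not the tooling from the talk, and not BlackBerry's) triages a BAR offline: it checks that the five META-INF files from the zipinfo listing are present, parses the manifest's "Key: Value" lines, reports the entry point and the permissions requested through Entry-Point-User-Actions, recomputes each asset's digest against the manifest, and lists files the manifest does not cover. The manifest keys Package-Name, Application-Name, Entry-Point, Entry-Point-Type, Entry-Point-User-Actions, Archive-Asset-Name and Archive-Asset-SHA-512-Digest, and the base64 SHA-512 encoding, are assumptions about the format; the sample archive is constructed in the block with placeholder signature files, and verifying the AUTHOR/RDK signatures themselves is out of scope.

```python
import base64
import hashlib
import io
import zipfile

# Files every signed BAR carries in META-INF (from the zipinfo listing on slide 52).
REQUIRED_META = ("META-INF/MANIFEST.MF", "META-INF/AUTHOR.SF", "META-INF/AUTHOR.EC",
                 "META-INF/RDK.SF", "META-INF/RDK.EC")


def asset_digest(data):
    """Base64 SHA-512 of an asset; the manifest key and encoding used here are an assumption."""
    return base64.b64encode(hashlib.sha512(data).digest()).decode()


def build_sample_bar(assets, permissions=("access_internet", "run_native")):
    """Constructed BAR-style zip: Java-style 'Key: Value' manifest plus placeholder signature files."""
    lines = ["Archive-Manifest-Version: 1.1", "Package-Name: Gooby", "Application-Name: Gooby",
             "Entry-Point-Type: Qnx/Elf", "Entry-Point: Gooby",
             "Entry-Point-User-Actions: " + ",".join(permissions), ""]
    for name, data in assets.items():
        lines += ["Archive-Asset-Name: " + name,
                  "Archive-Asset-SHA-512-Digest: " + asset_digest(data), ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(REQUIRED_META[0], "\n".join(lines))
        for meta in REQUIRED_META[1:]:
            z.writestr(meta, b"placeholder: real signature blocks are not reproduced here")
        for name, data in assets.items():
            z.writestr(name, data)
    return buf.getvalue()


def parse_manifest(text):
    """Split MANIFEST.MF into package-level keys and a per-asset dict of Archive-Asset-* keys."""
    top, assets, current = {}, {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Archive-Asset-Name":
            current = value
            assets[current] = {}
        elif key.startswith("Archive-Asset-") and current is not None:
            assets[current][key] = value
        else:
            top[key] = value
    return top, assets


def inspect_bar(blob):
    """Triage a BAR: entry point, permissions, missing META-INF files, digest mismatches, unlisted files."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = set(z.namelist())
        missing = [m for m in REQUIRED_META if m not in names]
        top, assets = parse_manifest(z.read(REQUIRED_META[0]).decode())
        # an asset is bad if it is listed but absent, or its content no longer matches the manifest digest
        mismatched = [name for name, info in assets.items()
                      if name not in names
                      or asset_digest(z.read(name)) != info.get("Archive-Asset-SHA-512-Digest")]
        unlisted = sorted(n for n in names if not n.startswith("META-INF/") and n not in assets)
    perms = [p for p in top.get("Entry-Point-User-Actions", "").split(",") if p]
    return {"entry_point": top.get("Entry-Point"), "entry_type": top.get("Entry-Point-Type"),
            "permissions": perms, "missing_meta": missing, "digest_mismatch": mismatched,
            "unlisted_assets": unlisted}


def replace_entry(blob, name, data):
    """Copy the archive with one entry's content swapped (models a file changed after the manifest was written)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(blob)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.namelist():
            dst.writestr(item, data if item == name else src.read(item))
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_bar({"native/bar-descriptor.xml": b"<qnx/>", "native/Gooby": b"\x7fELF constructed"})
    print(inspect_bar(sample))
    print(inspect_bar(replace_entry(sample, "native/Gooby", b"\x7fELF modified")))
```

The digest check only proves the manifest and the payload agree with each other; whether the manifest itself is the one the signer saw is the job of the .SF/.EC files, so a clean digest report on an archive with placeholder or missing signature files still means nothing about provenance.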

SLIDE 57

Static Analysis

Getting Firmware

  • MITM the CDN downloads
  • The “community” has built some good tools

http://forums.crackberry.com/bb10-leaked-beta-os-f395/sachesi-firmware-extractor-searcher-installer-825409/

SLIDE 58

Static Analysis

Getting Into the Firmware

  • “pbtools”
  • Mount the firmware in Simulator or SDP
  • SCP the files back out

https://github.com/intrepidusgroup/pbtools

SLIDE 59

Static Analysis

Shell Scripts

  • /base/scripts/
  • Easy to read
  • grep-fu for great success!

(excerpt from “startup.sh”)

SLIDE 60

Static Analysis

Python: For everything important on BB10 that isn’t written in bash

  • Most of it is compiled Python (bytecode; *.pyc)
  • unpyc3.py

https://code.google.com/p/unpyc3/
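Before reaching for a decompiler, much of the triage of compiled Python glue can be done on the marshalled code object alone. The following added example (not unpyc3 and not code from the talk) builds a .pyc from a constructed stand-in for a BB10 glue script, then walks the code object and its nested functions to list function names, string constants (paths, URLs, hard-coded values) and referenced globals/attributes, and flags names that indicate a shell-out. It assumes the CPython 3.7+ 16-byte pyc header and that the .pyc was produced by the same interpreter version that reads it; the /etc/authman/example.res and /base/scripts/apply.sh paths are made up for the sample.

```python
import dis
import importlib.util
import marshal
import struct
import time
import types

PYC_HEADER_LEN = 16   # assumption: CPython >= 3.7 layout (magic, flags, mtime, source size)

# Constructed stand-in for a piece of BB10 Python glue; both file paths are made up.
SAMPLE_SOURCE = '''
import os, subprocess
PROFILE = "/etc/authman/example.res"
def apply_profile(app_id):
    cmd = "/base/scripts/apply.sh " + app_id
    return subprocess.call(cmd + " " + PROFILE, shell=True)
'''

# Attribute names that mean the script hands strings to a shell or spawns processes.
SHELL_OUT_NAMES = ("system", "popen", "call", "check_call", "check_output", "Popen", "run")


def make_pyc(source, filename="glue.py"):
    """Serialise source the way CPython writes a .pyc (header + marshalled module code object)."""
    code = compile(source, filename, "exec")
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, int(time.time()), len(source))
    return header + marshal.dumps(code)


def walk_code(code):
    """Yield a code object and every nested code object (functions, lambdas, comprehensions)."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_code(const)


def triage_pyc(blob):
    """Pull functions, string constants and referenced names out of a .pyc without decompiling it."""
    if blob[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError("pyc magic %r is not this interpreter's; unmarshal with the matching version"
                         % blob[:4])
    module = marshal.loads(blob[PYC_HEADER_LEN:])
    functions, strings, names = [], set(), set()
    for code in walk_code(module):
        if code.co_name != "<module>":
            functions.append(code.co_name)
        strings.update(c for c in code.co_consts if isinstance(c, str))
        for ins in dis.get_instructions(code):
            # name-bearing loads cover imports, globals and attribute/method access
            if ins.opname in ("LOAD_GLOBAL", "LOAD_NAME", "LOAD_ATTR", "LOAD_METHOD", "IMPORT_NAME"):
                names.add(ins.argval)
    shell_outs = sorted(n for n in names if n in SHELL_OUT_NAMES)
    return {"functions": functions, "strings": sorted(strings),
            "names": sorted(names), "shell_outs": shell_outs}


if __name__ == "__main__":
    report = triage_pyc(make_pyc(SAMPLE_SOURCE))
    for key in ("functions", "strings", "shell_outs"):
        print(key, report[key])
```

For a device .pyc built by a different CPython release the magic check fails by design: bytecode and code-object layout change between releases, so unmarshal it with that interpreter (or a matching reader) rather than this one.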

SLIDE 61

Static Analysis

ActionScript

  • Decompile with Sothink / whatever
  • Most ActionScript apps handle front-end stuff

qnx.AIRServices.ota.OtaUpdate

SLIDE 62

Static Analysis

Compiled binaries

  • IDA cleanly disassembles
  • ARM / x86
  • Without a public root, disassembly might be your best/only bet for dorking with many network services

SLIDE 63

Attack Surface

http://www.harkavagrant.com/?id=250

SLIDE 64

Entry Points

Where the device accepts data

SLIDE 65

IPC

  • Numerous IPC endpoints available
  • QNX channels particularly caught our eye
  • Wrote some horrible IPC scanners / fuzzers
  • Problem: not always sure WTF is on the other end of a channel (or able to attach to channel but unable to send)
  • Also DoS’d/froze device multiple times during mass channel scans

$ ./scanchan.py 643092
Could not find platform independent libraries <prefix>
Consider setting $PYTHONHOME to <prefix>[:<exec_prefix>]
[+] PID: 643092 - Connected to channel: 2
[-] PID: 643092 - Error for channel 6: [Errno 1] Operation not permitted

$ ./fchan1.py 1019928 16
[+] PID: 1019928 - Connected to channel: 16
(48, b"AAAAAAAAAAAAAAAA(coid, b'Hello!')\n c \x01\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x02\x00\x00\x00O\x00\x00\x00s\x16\x00\x00\x00|\x01\x00|\x00\x00_\x00\x00|\x02\x00|\x00\x00_\x01\x00d\x00\x00S(\x01\x00\x00\x00N(\x02\x00\x00\x00u\x04\x00\x00\x00argsu\x06\x00\x00\x00…

SLIDE 66

Network Services

  • Samba!
  • WWW!
  • WebDAV!
  • Proxies!
  • SSH!
  • Other stuff!
SLIDE 67

Network Services

Local-hosted CGI scripts are used for device management “stuff”

  • Backup & restore
  • Application installation
  • Device reset
  • Limited logging control
  • Limited PIM management
  • Enterprise registration
  • Etc
SLIDE 68

WiFi

  • Many device management functions happen over HTTP/SMB with the option of operating over WiFi
  • Handset acts as an UPnP gateway
  • There are some real problematic areas observable over WiFi
SLIDE 69

USB

  • Mass storage? Nay, Ethernet!
  • Similar to WiFi (WWW/SMB), with additional capabilities

SLIDE 70

Bluetooth

  • Tether your handset to your tablet
  • SapphireProxy (get it?)
  • WebDAV
  • HTTP proxy
  • Protected by pf

BlackBerry “Bridge” / SapphireProxy

This service has had problems in the past… *

* Barely recognizable BattleStar reference

SLIDE 71

NFC

It works and there are no security problems?

  • Haven’t really explored this ourselves.
  • Biggest concern likely bad NDEF message parsing by 3rd party native apps

SLIDE 72

Local Application

  • Malware / Client-side attacks
  • Insufficient controls on sensitive local file and network resources
  • Privilege escalations are like gold

SLIDE 73

Balance

  • An attempt at solving BYOD
  • “Perimeters” manage the separation between personal and enterprise applications, data, and network resources
  • Enterprise perimeter security is controlled by BES and enforced locally

SLIDE 74

Balance

Concerned Consumer: Sounds great. How does it work? I am familiar with the iOS security model and might expect to see some sort of sandboxing technology to enforce this separation.

SLIDE 75

Balance

RIM: I don’t want to say that it’s all based on file permissions… …but it’s all based on file permissions

SLIDE 76

Future Work

SLIDE 77

TODO

  • Further (re-)exploration of...
    • authman
    • system IPC endpoints
    • Balance
    • Android support
    • Radio (NFC, Cell/BB, BT)
    • HDMI, USB
SLIDE 78

Conclusion

SLIDE 79

Questions / Contact

  • https://twitter.com/quine
    zach@n0where.org
    zach@duosecurity.com
  • https://twitter.com/bnull

<--shameless plug