No Apology Required: Deconstructing BB10

Transcript

1. No Apology Required Deconstructing BB10 CanSecWest 2014

2. Introduction • Body Level One • Body Level Two •

   Body Level Three • Body Level Four • Body Level • Presentation is exploratory • Research is on-going • Focused mostly on methodology, less on findings • Feel free to chat after (since we may run out of time) • Title is because stereotypical Canadians apologize for everything

3. Introduction • Body Level One • Body Level Two •

   Body Level Three • Body Level Four • Body Level • Presentation is exploratory • Research is on-going • Focused mostly on methodology, less on findings • Feel free to chat after (since we may run out of time) • Title is because stereotypical Canadians apologize for everything

4. Introduction Ben Nell
 bNull
 Sr. Security Consultant
 Accuvant Labs Zach

   Lanier
 quine
 Sr. Security Researcher
 Duo Security Presentation foul:
 <--- mixing memes --->

5. Why this matters

6. Why this matters

7. Why this matters You’re an appsec consultant and your customer

   asks you if BlackBerry Balance solves BYOD

8. Agenda • Previous Research • Platform Overview • Methodology •

   Attack Surface • Future Work

9. Previous Research

10. Our PlayBook stuff • Targeted predecessor of BB10 — TabletOS

    on BB PlayBook • Discovered AuthZ token disclosure for Bridge/Balance (steal all the corporate data) • RE’d firmware • Mirrored all of AppWorld (steal all the premium apps) • And more...

11. Our PlayBook stuff (cont’d) • Discovered that native apps can

    exec*() / spawn*() and open AF_INET sockets unfettered (no perm’s req’d) • Still true in BB10, but (even detached) child procs killed when app/parent ends • “Headless Apps” allow for background services, but special perms required • Granting of perms is contingent upon approval from RIM/BB signing service

12. Others • Julio Cesar Fort’s QNX research • SEC Consult

    BB10 paper • RPW’s BB10 preso (BH USA ’13) • Tim Brown’s various QNX/TabletOS/BB10 works

13. Platform Overview

14. Overview • ARM-based SoCs (Z10, Q10, and Z30 all Snapdragon

    S4 SoC) • BB10 (based on QNX Neutrino RTOS 8.0.0) • Major components (as of 10.2.1.1925): • WebKit (537.10 / 10.2.1.66) • Adobe Flash (11.1.121.199) • Adobe AIR (3.1.0.230) • BlackBerry Balance (isolated, corporate PIM)

15. QNX • Microkernel, only truly trusted component • Userspace kernel

    and process manager - procnto • Separation of network,
 I/O, HMI, etc. into separate components • Messaging layer provides IPC (QNX message passing + POSIX IPC abstraction) • Prev. public bugs disclosed by Ilja van Sprundel, Tim Brown, Julio Cesar Fort, cenobite, and others

16. Security Controls / Mitigations • OpenBSD NetBSD pf • POSIX

    (filesystem) ACLs • Compiler & linker protections for native apps • Usual suspects: XN, ASLR, ProPolice, PIE + full RELRO

17. QDE/Momentics default build options

18. Security Features • Blackberry Balance • Encrypted, FACL’d “container” •

    a.k.a. “perimeter” • BES policy enforcements • DISA STIGs guide these

19. authman & permissions • authman service - maps app permissions

    to system resources • Filesystem permissions + POSIX ACLs, PF rules • Shell script and Python glue to bind it all together

20. authman & permissions • /dev/authman: resource manager “dispatch” path (QNX

    IPC endpoint) • /etc/authman: configs • Pair of files (".res" & ".acl"), named for profile type

21. authman & permissions • Controls access to app permissions (allow,

    prompt, deny) • Sets FACLs on filesystem objects based on app permission requested • Also sets process capabilities for certain permission types (e.g. “Headless apps”)

22. authman & pf • authman handles setting up (app) GID:rule

    mapping • Ex: limiting access to SapphireProxy (for BB Bridge) on 127.0.0.2

23. Dec 06 01:53:04 5 41 0 authman: RX euid=89/egid=0, 'defapp

    ext __def personal dual 100001000 100001000 sys.browser.gYABgJYFHAzbeFMPCCpYWBtHAm0 "Browser" "Research In Motion Limited" "gYAAgNpMbwE-h W4khx0h8BidUeI" run_when_backgrounded manage_certificates access_location_services use_camera record_audio access_shared access_internet post_notification gain_oma_fl_group access_oma_fl_write_personal acce ss_oma_fl_write_enterprise access_bbjma_data access_carrier_browser access_cclagent_service use_certmgr_server access_wifi_limited run_native permanent access_perimeter_personal' Dec 06 01:53:04 5 41 0 authman: Requested caps: Dec 06 01:53:04 5 41 0 authman: req:Allow execute Dec 06 01:53:04 5 41 0 authman: Applying execute Dec 06 01:53:04 5 41 0 authman: pf_remove_gid: scanning anchors for gid=100001000 Dec 06 01:53:04 5 41 0 authman: Requested caps: Dec 06 01:53:04 5 41 0 authman: req:Allow run_when_backgrounded Dec 06 01:53:04 5 41 0 authman: req:Allow manage_certificates Dec 06 01:53:04 5 41 0 authman: req:Allow access_location_services Dec 06 01:53:04 5 41 0 authman: req:Allow use_camera Dec 06 01:53:04 5 41 0 authman: req:Allow record_audio Dec 06 01:53:04 5 41 0 authman: req:Allow access_shared Dec 06 01:53:04 5 41 0 authman: req:Allow access_internet Dec 06 01:53:04 5 41 0 authman: req:Allow gain_oma_fl_group Dec 06 01:53:04 5 41 0 authman: req:Allow access_oma_fl_write_personal Dec 06 01:53:04 5 41 0 authman: req:Allow access_oma_fl_write_enterprise Dec 06 01:53:04 5 41 0 authman: req:Allow access_bbjma_data Dec 06 01:53:04 5 41 0 authman: req:Allow access_carrier_browser Dec 06 01:53:04 5 41 0 authman: req:Allow access_cclagent_service Dec 06 01:53:04 5 41 0 authman: req:Allow use_certmgr_server Dec 06 01:53:04 5 41 0 authman: req:Allow access_wifi_limited Dec 06 01:53:04 5 41 0 authman: req:Allow run_native Dec 06 01:53:04 5 41 0 authman: req:Allow permanent Dec 06 01:53:04 5 41 0 authman: req:Allow access_perimeter_personal Dec 06 01:53:04 5 41 0 authman: Applying run_when_backgrounded Dec 06 01:53:04 5 41 0 authman: Applying manage_certificates Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/certmgr/control Dec 06 01:53:04 5 41 0 authman: Applying access_location_services Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_cell_cdma_private Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_cell_private Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_private Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/radioctrl/modem0/status_private Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/geomonitor/control Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=050, /pps/services/geolocation/geomonitor Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/control “Capabilities” based on permissions ACLs based on permissions pf rule(s) output from sloginfo (tool to print system log)

24. PPS • “Persistent Publish / Subscribe” • Implemented by pps

    manager process • Simple interface for sharing data, notifications/eventing via filesystem objects

25. IPC • IPC is key in QNX • “Message passing”

    & signals implemented in microkernel • Other IPC (POSIX-compatible) mechanisms implemented by manager processes Message passing Shared memory Pipes FIFOs Message copying Simple messages Channels Events (pulses, signals, unblocks) Typed memory Signals Kernel Kernel External process/manager

26. Application Model • Native • WebWorks / Cordova • Adobe

    AIR • Android C/C++ Flash/AS/ HTML/JS HTML/JS Java/DEX 20 app perms documented 340 unique app & sys perms observed

27. Application Model • App processes run with same UIDs, but

    separate GIDs (incl. supplemental GIDs)
    ! ! • Apps have separate data stores/”sandboxes” • With Balance/corporate separation, additional data stores • Production apps are signed by BB/RIM signing server

28. Our Approach to the Platform meth·od·ol·o·gy / ˌmeTHəәˈdäləәjē/ ( )

29. Testing Limitations

30. Testing Limitations • General lack of enthusiasm for BB10 as

    a target • General lack of public information about the system • Effective security controls • We’re left looking at a black box

31. OSINT Just ask the internet!

32. OSINT Existing previous work • Our PlayBook work • SEC

    Consult paper • Works by RPW, Tim Brown, Julio Cesar Fort, etc. • Not a ton of stuff out there https://www.sec-consult.com/fxdata/seccons/prod/downloads/sec_consult_vulnerability_lab_blackberry_z10_initial_analysis_v10.pdf

33. OSINT QNX Foundry • Man pages for QNXisms • Downloads

    • Forums • Wiki • Google dorks are golden…

34. OSINT Speaking of Google dorks…

35. OSINT Some random RIM employee’s file dump? Upcoming product feature

    assessment hardware code names Upcoming project effort estimations/ release dates

36. OSINT • Body Level One • Body Level Two •

    Body Level Three • Body Level Four • Body Level Five Some random RIM employee’s file dump? Internal bug tracker internal URL

37. OSINT Some random RIM employee’s file dump? Pre-release BB10 developer

    image for Winchester/PlayBook

38. Dynamic Analysis Watch it work and try to understand “why”

39. Dynamic Analysis RIM wants to get your hacking^Wdevelopment
 projects up

    and running as quickly as possible! Lots of SDK stuff, including a native SDK, giving us: • libc, libcurl, OpenSSL, V8, and tons more • Easy cross-compilation

40. Dynamic Analysis Development Tools Sample code

41. Dynamic Analysis Momentics target navigator Proc/thread mem info FS nav,

    etc. Controller app Controls NFC, Camera, geoloc, etc. for Simulator

42. Dynamic Analysis • Momentics provides QNX-specific versions/ builds of the

    typical toolchain • gdb • also objdump, nm, readelf, gcc, etc.

43. Dynamic Analysis Blackberry Simulator QNX Software Dev Platform (SDP) •

    Gives us something similar to the real thing • We can have root access* • Access to tools relevant to the real thing • MDS Simulator • It’s like the non-official “platform” debug tool • A fully accessible QNX environment * - with a bit of work

44. Dynamic Analysis Just another box on the network • Testing

    harness • Wireshark • Proxy (Burp and friends) • nmap • Various fizzers • Custom stuff

45. Dynamic Analysis There are lots of network services BB10 network

    services
46. None

47. Dynamic Analysis • Unsurprisingly, logs => info • slogger (app

    event logger) and slogger2 (system event logger) • Readable on simulator with sloginfo and slog2info • slog* devices not readable on device :( Dec 07 16:14:20.041 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 [ServiceManager] refreshing accounts list Dec 07 16:14:20.042 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Calling AccountServicePrivate::accounts for service "contacts" Dec 07 16:14:20.042 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Calling AccountServicePrivate::accounts Dec 07 16:14:20.044 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 MNH(93): handleAccountUpdated accountId 4 Dec 07 16:14:20.045 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 Calling AccountServicePrivate::account for AccountKey = 4 Dec 07 16:14:20.052 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 GET 0x13 Dec 07 16:14:20.052 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 URL Buffer: http://127.0.0.1:8888/ accounts/4 ! Dec 07 16:14:20.066 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 GET 0x1 Dec 07 16:14:20.066 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 URL Buffer: http://127.0.0.1:8888/ accounts ! Dec 07 16:14:20.072 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 Curl Easy perform Dec 07 16:14:20.080 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Curl Easy perform Dec 07 16:14:20.081 menu_service.2830447 menu_svc_logs 0 MS PIMCORE: command: GET method: /accounts URL:http:// 127.0.0.1:8888/accounts Dec 07 16:14:20.082 phone.3567743 phone 0 [ I][18][PlatformContact:lookupByPhoneNu| 107] ContactService returns 0

48. Dynamic Analysis Debugging is a breeze

49. Target Host

50. Fuzzing…

51. Static Analysis For the things that can’t be watched

52. Static Analysis Installation bundles • BAR format (hurr durr) •

    De-facto standard for any non-factory packages • META-INF directory • Code signatures and app info • “assets” % zipinfo -l1 ./Gooby/arm/o.le-v7/Gooby-1_0_0_1.bar META-INF/MANIFEST.MF META-INF/AUTHOR.SF META-INF/AUTHOR.EC META-INF/RDK.SF META-INF/RDK.EC native/bar-descriptor.xml native/icon.png native/assets/main.qml native/qm/Gooby.qm native/Gooby.so native/GoobyService native/assets/.assets.index

53. Static Analysis MANIFEST.MF: Package Meta Info

54. Static Analysis MANIFEST.MF: Application Meta Info

55. Static Analysis MANIFEST.MF: Entry Point Info

56. Static Analysis MANIFEST.MF: Entry Point Info

57. Static Analysis Getting Firmware • MITM the CDN downloads •

    The “community” has built some good tools http://forums.crackberry.com/bb10-leaked-beta-os-f395/sachesi-firmware-extractor-searcher-installer-825409/

58. Static Analysis Getting Into the Firmware • “pbtools” • Mount

    the firmware in Simulator or SDP • SCP the files back out https://github.com/intrepidusgroup/pbtools

59. Static Analysis Shell Scripts • /base/scripts/ • Easy to read

    • grep-fu for great success! from “startup.sh”

60. Static Analysis Python: For everything important on BB10 that isn’t

    written in bash • Most of it is compiled Python (bytecode; *.pyc) • unpyc3.py https://code.google.com/p/unpyc3/

61. Static Analysis ActionScript • Decompile with Sothink / whatever •

    Most ActionScript apps handle front-end stuff qnx.AIRServices.ota.OtaUpdate

62. Static Analysis Compiled binaries • IDA cleanly disassembles • ARM

    / x86 • Without a public root, disassembly might be your best/only bet for dorking with many network services

63. Attack Surface http://www.harkavagrant.com/?id=250

64. Entry Points Where the device accepts data

65. IPC • Numerous IPC endpoints available • QNX channels particularly

    caught our eye • Wrote some horrible IPC scanners / fuzzers • Problem: not always sure WTF is on the other end of a channel (or able to attach to channel but unable to send) • Also DoS’d/froze device multiple times during mass channel scans $ ./scanchan.py 643092 Could not find platform independent libraries <prefix> Consider setting $PYTHONHOME to <prefix>[:<exec_prefix>] [+] PID: 643092 - Connected to channel: 2 [-] PID: 643092 - Error for channel 6: [Errno 1] Operation not permitted $ ./fchan1.py 1019928 16 [+] PID: 1019928 - Connected to channel: 16 (48, b"AAAAAAAAAAAAAAAA(coid, b'Hello!')\n c \x01\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x02\x0 0\x00\x00O\x00\x00\x00s\x16\x00\x00\x00|\x01\x00| \x00\x00_\x00\x00|\x02\x00|\x00\x00_\x01\x00d \x00\x00S(\x01\x00\x00\x00N(\x02\x00\x00\x00u \x04\x00\x00\x00argsu\x06\x00\x00\x00…

66. Network Services • Samba! • WWW! • WebDAV! • Proxies!

    • SSH! • Other stuff!

67. Network Services Local-hosted CGI scripts are used for device management

    “stuff” • Backup & restore • Application installation • Device reset • Limited logging control • Limited PIM management • Enterprise registration • Etc

68. WiFi • Many device management functions happen over HTTP/ SMB

    with the option of operating over WiFi • Handset acts as an UPnP gateway • There are some real problematic areas observable over WiFi

69. USB • Mass storage? Nay, Ethernet! • Similar to WiFi

    (WWW/SMB), with additional capabilities

70. Bluetooth • Tether your handset to your tablet • SapphireProxy

    (get it?) • WebDAV • HTTP proxy • Protected by pf BlackBerry “Bridge” / SapphireProxy This service has had problems in the past… * * Barely recognizable BattleStar reference

71. NFC It works and there are no security problems? •

    Haven’t really explored this ourselves. • Biggest concern likely bad NDEF message parsing by 3rd party native apps

72. Local Application • Malware / Client- side attacks • Insufficient

    controls on sensitive local file and network resources • Privilege escalations are like gold

73. Balance • An attempt at solving BYOD • “Perimeters” manage

    the separation between personal and enterprise applications, data, and network resources • Enterprise perimeter security is controlled by BES and enforced locally

74. Balance Concerned Consumer: Sounds great. How does it work? I

    am familiar with the iOS security model and might expect to see some sort of sandboxing technology to enforce this separation.

75. Balance RIM: I don’t want to say that it’s all

    based on file permissions… …but it’s all based on file permissions

76. Future Work

77. TODO • Further (re-)exploration of... • authman • system IPC

    endpoints • Balance • Android support • Radio (NFC, Cell/BB, BT) • HDMI, USB

78. Conclusion

79. Questions / Contact • https://twitter.com/quine
 [email protected]
 [email protected]
 • https://twitter.com/bnull
 [NO_EMAIL_PROVIDED]

    <--shameless plug