Slide 1

Voight-Kampff'ing The BlackBerry PlayBook
Zach Lanier and Ben Nell

Slide 2

Introduction
• Zach Lanier, Security Researcher
• Ben Nell, Consultant

Slide 3

Why this matters
• New, different platform
• PlayBook targets enterprises
• Designed to separate “personal” apps/data from “corporate” apps/data
...and we can steal that corporate data

Slide 4

Agenda
• Platform Overview
• Application Overview
• Methodology
• Research Findings
• Additional Considerations

Slide 5

“He say you Blade Runner...”
• Deckard hunts Replicants (he’s an *android killer*)
• PlayBook codename = “Deckard”
• Voight-Kampff machine for interrogation
• Hence the theme

Slide 6

Platform Overview

Slide 7

Platform Overview
• TI OMAP4430 (dual-core ARM Cortex-A9)
• TabletOS (based on QNX Neutrino RTOS 6.6)
• Major components:
  • WebKit (534.11 / Safari 7.1.0.7)
  • Adobe Flash (11.1)
  • Adobe AIR (3.1)
  • BlackBerry Bridge (connects to a BB handheld for syncing email, contacts, calendar, etc.)
• Use case: corporate user with an existing BB handset

Slide 8

QNX
• Microkernel, the only truly trusted component
• Separation of network, I/O, HMI, etc. into separate components
• Trusted boot process
• ASLR

Slide 9

Dingleberry
• PlayBook jailbreak / root privesc released in Dec. 2011
• Discovered by @xpvqs and @neuralic, packaged by @cmwdotme
• Issue (tl;dr): backups aren’t signed; the jailbreak process creates a custom backup and restores it, overwriting smb.conf; Samba then executes scripts as root
• Now irrelevant

Slide 10

Security Controls
• OpenBSD pf
• POSIX (filesystem) ACLs
• Compiler & linker protections for native apps: ProPolice, PIE, full RELRO
• ASLR

Slide 11

PPS
• “Persistent Publish / Subscribe”
• Simple interface for sharing data and notifications via filesystem objects
• Example: monitoring network interface state

Slide 12

authman & permissions
• authman service maps app permissions to system resources
• Filesystem permissions + POSIX ACLs, pf rules
• Shell script and Python glue to bind it all together

Slide 13

authman & permissions
• /etc/authman: configs
• Pair of files (".res" & ".acl"), named for profile type
• carrier.acl?
• /dev/authman: resource manager “dispatch” path

Slide 14

authman & permissions
• Controls access to app permissions (allow, prompt, deny)
• Sets FACLs on filesystem objects based on the app permission requested

Slide 15

authman & pf
• authman handles setting up the (app) GID:rule mapping
• Ex: limiting access to SapphireProxy (for BB Bridge) on 127.0.0.2

Slide 16

Application Overview

Slide 17

PlayBook applications
• BlackBerry + JAR = ???
• Normal JAR structure
• Entry point
• AIR and ELF / Dalvik and Python

Slide 18

PlayBook applications
• Native applications
  • Entry points interpreted as shell commands
  • ENV variables, shell scripts, etc.
• AIR applications
  • Interface compiled libraries (i.e. UI stuff)
  • Can be packaged with ELF libraries

Slide 19

App Permissions
• Documented: 8
• Observed: 48

Slide 20

Side Note: Adobe Reader
• perimeter_corp?
• run_air_native?

Slide 21

Methodology

Slide 22

Development mode
• SDK tools / side-load applications
• Unprivileged shell access
• Automatic session expiration

Slide 23

Development mode
• “appInstaller.cgi”
  • Install / launch apps
  • Enumerate apps
  • Terminate apps

Slide 24

Development mode
• “qconnDoor”
  • Limited SSH access
  • Private key authentication

Slide 25

Exploring TabletOS
• QNX Software Development Platform (SDP)
• PlayBook Simulator
• Wealth of QNX documentation
• Firmware images
• SDK / NDK
• Source code?

Slide 26

Research Findings

Slide 27

System updates
• Signed packages (SHA1, SHA256, SHA512)
• Three-stage process:
  • Poll available update bundles (HTTPS)
  • Request download info for a specific bundle (HTTPS)
  • Download and install individual packages (HTTP)

Slide 28

Poll available bundles / Bundle request

Slide 29

System updates: So what?
• Control the version of software running on a device
• Extract the TabletOS filesystem
• Reverse engineer system internals
• Diff changes between versions

Slide 30

System updates: MITM
• x.509 checks were not originally enforced
  • 1.0.1
  • 1.0.3
• Downgrades probably not possible
• Control the version of out-of-the-box devices
• Cannot be fixed in a software update

Slide 31

System updates: MITM (obviously)

Slide 32

System updates: OOB bundle download
• Available bundle versions
• “X-Encryption-Id”
• package_get.py
• Brute-forcing unreleased versions?
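
The three-stage update flow of slides 27-30, as an added example (it is not code from the talk or from pbtools): an HMAC stand-in for the vendor's package signature, hypothetical bundle/package dictionaries, and the device-side acceptance check. It shows why fetching packages over plain HTTP is tolerable as long as signatures are verified (a swapped download fails the check), why a version floor refuses rollback to an older but validly signed bundle, and what an attacker sitting on the HTTPS poll without a certificate check can still do: hide newer bundles so the device keeps running whatever version the attacker prefers. The bundle contents, version numbers and key are constructed.

```python
import hmac

# HMAC stands in for the vendor's package signature in this self-contained
# example (a constructed shared key; a real device would hold only a public
# verification key). The digest choice mirrors the SHA1/SHA256/SHA512 family
# the slides list.
VENDOR_KEY = b"constructed-vendor-signing-key"
ALLOWED_DIGESTS = ("sha1", "sha256", "sha512")


def sign_package(name, payload, algorithm="sha256"):
    """Vendor side: attach a signature tag over the package bytes."""
    tag = hmac.new(VENDOR_KEY, payload, algorithm).digest()
    return {"name": name, "payload": payload, "algorithm": algorithm, "tag": tag}


def verify_package(pkg):
    """Device side: recompute the tag and compare in constant time."""
    if pkg["algorithm"] not in ALLOWED_DIGESTS:
        return False
    expected = hmac.new(VENDOR_KEY, pkg["payload"], pkg["algorithm"]).digest()
    return hmac.compare_digest(expected, pkg["tag"])


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def pick_bundle(offered, installed_version):
    """Stage 1: from the bundles the server offered, choose the newest one that
    is newer than what is installed; None means 'nothing to do'."""
    newer = [b for b in offered
             if parse_version(b["version"]) > parse_version(installed_version)]
    return max(newer, key=lambda b: parse_version(b["version"])) if newer else None


def apply_bundle(bundle, installed_version):
    """Stage 3: accept a bundle only if it is newer than the installed version
    and every package it carries verifies. Returns (accepted, reason)."""
    if parse_version(bundle["version"]) <= parse_version(installed_version):
        return False, "refusing rollback to " + bundle["version"]
    for pkg in bundle["packages"]:
        if not verify_package(pkg):
            return False, "signature check failed on " + pkg["name"]
    return True, "installed " + bundle["version"]


# Constructed bundles as the update server would offer them.
BUNDLE_107 = {"version": "1.0.7", "packages": [
    sign_package("system", b"system partition image 1.0.7", "sha1")]}
BUNDLE_201 = {"version": "2.0.1", "packages": [
    sign_package("system", b"system partition image 2.0.1", "sha256"),
    sign_package("ifs", b"ifs image 2.0.1", "sha512")]}
OFFERED = [BUNDLE_107, BUNDLE_201]


def tamper_download(bundle):
    """Attacker on the plain-HTTP download stage swaps the package bytes but
    cannot produce a matching tag."""
    pkgs = [dict(p, payload=p["payload"] + b" (backdoored)") for p in bundle["packages"]]
    return dict(bundle, packages=pkgs)


def attacker_filtered_offers(offered, max_version):
    """Attacker on the poll stage (possible while the x.509 check is skipped)
    simply hides every bundle newer than max_version."""
    return [b for b in offered if parse_version(b["version"]) <= parse_version(max_version)]


if __name__ == "__main__":
    print(apply_bundle(pick_bundle(OFFERED, "1.0.1"), "1.0.1"))
    print(apply_bundle(tamper_download(BUNDLE_201), "1.0.1"))
    print(apply_bundle(BUNDLE_107, "2.0.1"))
    print(pick_bundle(attacker_filtered_offers(OFFERED, "1.0.7"), "1.0.7"))
```

The last call is the "control the version of out-of-the-box devices" case: nothing in stages 2 and 3 can detect that stage 1 lied about what exists, which is why the fix has to be a certificate check on the poll rather than a stronger package signature.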

Slide 33

Firmware reversing
• BAR package qcfm-os-factory-.bwrap.signed
• Interesting-looking binary glob
• Raw partitions?
• File carving?
• MFCQ/QCFP headers?

Slide 34

QNX SDP
• QNX SDP
• Examining known-good QNX6 partitions
• Magic bytes
• “chkqnx6fs”

Slide 35

Firmware reversing
• OK, valid partition headers. Carve them?
• Geometry?
• Block size / count?
• Examining QNX6 partitions more closely...

Slide 36

QNX6 partition superblock: “chkqnx6fs” output

Slide 37

Simulator Tools
• D’oh! Not enough bytes...
• Simulator provides:
  • “qcfm”
  • “qcfp”
• “qcfp” looks a bit more promising...

Slide 38

Ah! “pb179.img-ctrl.q6fs”
Our firmware block layout / Representation of the original layout

Slide 39

OK, five partitions.
Meanwhile, back in our firmware header... we’ve got this.

Slide 40

TL;DR
• QCFM “envelope”
• Header represents several QCFP “partitions”
  • Block positions and counts
  • Null padding: “poor man’s compression”
• Signature cookie**

Slide 41

Putting it to use
• qcfm_parse.py
  • 0: Dummy partition?
  • 1: Signature cookie
  • 2: IFS image
  • 3: System partition
  • 4: Dummy partition?

Slide 42

Getting our files out
• System partition: just mount it
• IFS image: “dumpifs”, ifs_parse.py
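
Added example for slides 33-42 (not the authors' qcfm_parse.py): a parser for a hypothetical envelope that records only the stored block runs and where they belong in the image, reconstruction of the zero-padded image (the "poor man's compression" of slide 40 undone), and a scan for the QNX6 superblock magic, 0x68191122, the value the Linux qnx6 driver checks. The envelope layout, the sample runs and the stand-in superblock are constructed; the geometry field offsets (0x30 for sb_blocksize, 0x3c for sb_num_blocks) are assumed from the Linux driver's struct qnx6_super_block and should be cross-checked against chkqnx6fs output before being relied on.

```python
import struct

# Magic the Linux qnx6 driver checks at the start of a QNX6 superblock.
QNX6_SUPER_MAGIC = 0x68191122
BLOCK = 512
HEADER_MAGIC = b"QCFM"
ENTRY = struct.Struct("<III")

# Hypothetical envelope layout for this example (not the real QCFM/QCFP header):
#   b"QCFM" | u32 LE entry_count | entry_count x (image_block, file_block, block_count)
# A run of block_count blocks stored at file_block in the container belongs at
# image_block in the rebuilt image. Blocks no run covers were all zero and are
# simply not stored.


def parse_envelope(data):
    """Return the run table [(image_block, file_block, block_count), ...]."""
    if data[:4] != HEADER_MAGIC:
        raise ValueError("missing QCFM magic")
    (count,) = struct.unpack_from("<I", data, 4)
    runs = []
    for i in range(count):
        image_block, file_block, n = ENTRY.unpack_from(data, 8 + i * ENTRY.size)
        if (file_block + n) * BLOCK > len(data):
            raise ValueError("run %d extends past end of container" % i)
        runs.append((image_block, file_block, n))
    return runs


def expand_image(data):
    """Rebuild the full image: copy each stored run into place, zeros elsewhere."""
    runs = parse_envelope(data)
    image = bytearray(max(ib + n for ib, _, n in runs) * BLOCK)
    for image_block, file_block, n in runs:
        src, dst = file_block * BLOCK, image_block * BLOCK
        image[dst:dst + n * BLOCK] = data[src:src + n * BLOCK]
    return bytes(image)


def find_qnx6_superblocks(image):
    """Offsets of blocks whose first word is the QNX6 magic in either byte order."""
    return [off for off in range(0, len(image) - 3, BLOCK)
            if QNX6_SUPER_MAGIC in (struct.unpack_from("<I", image, off)[0],
                                    struct.unpack_from(">I", image, off)[0])]


def superblock_geometry(image, off):
    """(sb_blocksize, sb_num_blocks) read at the assumed offsets 0x30 and 0x3c,
    in whichever byte order the magic matched."""
    order = "<" if struct.unpack_from("<I", image, off)[0] == QNX6_SUPER_MAGIC else ">"
    return (struct.unpack_from(order + "I", image, off + 0x30)[0],
            struct.unpack_from(order + "I", image, off + 0x3C)[0])


def build_container(runs):
    """Constructed test data: pack (image_block, payload) runs into an envelope."""
    header_blocks = -(-(8 + ENTRY.size * len(runs)) // BLOCK)
    entries, body, file_block = [], b"", header_blocks
    for image_block, payload in runs:
        n = -(-len(payload) // BLOCK)
        entries.append(ENTRY.pack(image_block, file_block, n))
        body += payload.ljust(n * BLOCK, b"\0")
        file_block += n
    header = HEADER_MAGIC + struct.pack("<I", len(runs)) + b"".join(entries)
    return header.ljust(header_blocks * BLOCK, b"\0") + body


# 64-byte stand-in superblock: only the magic and the two geometry fields are set.
SAMPLE_SUPERBLOCK = (struct.pack("<I", QNX6_SUPER_MAGIC) + b"\0" * 0x2C
                     + struct.pack("<I", 4096) + b"\0" * 8 + struct.pack("<I", 1000))
SAMPLE_RUNS = [
    (0, b"partition table stand-in" + b"\x11" * 600),   # 2 blocks at the image start
    (16, SAMPLE_SUPERBLOCK),                          # 1 block, placed at 0x2000 here
    (40, b"\xaa" * (4 * BLOCK)),                      # 4 blocks of filesystem data
]
SAMPLE_CONTAINER = build_container(SAMPLE_RUNS)

if __name__ == "__main__":
    image = expand_image(SAMPLE_CONTAINER)
    print(len(SAMPLE_CONTAINER), "bytes stored ->", len(image), "bytes of image")
    for off in find_qnx6_superblocks(image):
        print("QNX6 superblock at 0x%x, (blocksize, num_blocks) =" % off,
              superblock_geometry(image, off))
```

Once the image is rebuilt the carving question of slide 35 answers itself: the superblock offset and the block count it reports bound the partition, which can then be cut out and mounted (system partition) or handed to dumpifs (IFS image) as on slide 42.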

Slide 43

PPS: “.all” the things
• File permissions and POSIX ACLs lock down PPS objects

Slide 44

“.all” the things
• The special “.all” PPS file aggregates the contents of otherwise inaccessible sibling files

Slide 45

“.all” the things
• The “.all” file leads to some interesting leaks... like nearby BSSIDs (could be used to locate a user)

Slide 46

“.all” the things
• Or device-identifying information, including the device PIN

Slide 47

“.all” the things
• Or the most recent Video Chat call

Slide 48

“.all” the things
• So far these may seem like silly examples, but they are artifacts of a peculiar design decision...

Slide 49

Native Code
• Native applications request permissions, too
• Our first PoC native app requested *zero* permissions, read the device PIN, and sent it to a remote listener
• (This should have required "access_internet" and "read_device_identifying_information")

Slide 50

Native Code
• Currently nothing stops native code from doing even nastier things (sans filesystem or device permissions)

Slide 51

BlackBerry Bridge
• Bridge allows you to “connect your BlackBerry® PlayBook™ tablet to your smartphone to access email, calendars... other data directly from your tablet.”
• Read: where the Good Stuff’s at.

Slide 52

BlackBerry Bridge
• Bridge PlayBook apps are special/glorified WebKit views
• Apps connect to “SapphireProxy” on localhost
• SapphireProxy connects to the BB handset (via Bluetooth) and interfaces with the Bridge app on the handset

Slide 53

BlackBerry Bridge
• Bridge apps authenticate to SapphireProxy and receive a token
• If the BB handset has a password set, the user must enter it
• Once the auth token is set, apps send it as both a cookie and an HTTP header

Slide 54

“Bridging” The Gap
• Once the user has paired and “unlocked” Bridge, the session token is available to anyone
• A malicious app can steal it via the special PPS file /pps/system/sapphire/.all and re-use it
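
The PPS read format of slide 11, the “.all” aggregation of slides 43-48 and the token exposure on this slide, as one added example (not code from the talk or from pbtools): a parser for PPS object text, a function listing what an app learns through .all that the per-object ACLs would deny it, and the ACL-filtered view a .all read would return if each aggregated object were subject to its own permissions (one way to close the leak, not necessarily the one RIM shipped). The object and attribute names (wifi_status, device_info, sapphire, session_token, screen) and the readable set standing in for the ACLs are hypothetical; the line syntax (@object, attribute:encoding:value with encodings "", n, b, json) is the PPS one.

```python
import json

# Constructed text standing in for one read of a PPS ".all" object: every
# sibling object in the directory, each introduced by an "@name" line and
# followed by "attribute:encoding:value" lines (PPS encodings: "" string,
# "n" number, "b" boolean, "json" JSON). Object and attribute names here are
# hypothetical, not the PlayBook's real ones.
SAMPLE_ALL = """\
@screen
brightness:n:70
@wifi_status
ssid::corp-wlan
bssid::00:11:22:33:44:55
rssi:n:-47
connected:b:true
@device_info
pin::500A1B2C
model::PlayBook
@sapphire
session_token::9e107d9d372bb6826bd81d3542a419d6
state::unlocked
scan:json:{"count":2}
"""

# Stand-in for the POSIX ACLs on the individual objects: the calling app may
# open only "screen" directly.
READABLE_BY_APP = {"screen"}


def app_can_open(obj):
    return obj in READABLE_BY_APP


def decode_value(encoding, raw):
    if encoding == "":
        return raw
    if encoding == "n":
        return float(raw) if "." in raw else int(raw)
    if encoding == "b":
        return raw == "true"
    if encoding == "json":
        return json.loads(raw)
    raise ValueError("unknown PPS encoding: " + encoding)


def parse_pps_dump(text):
    """Split a PPS read into {object: {attribute: decoded value}}."""
    objects, current = {}, None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("@"):            # object header
            current = line[1:]
            objects.setdefault(current, {})
        elif current is None:
            raise ValueError("attribute line before any @object header")
        elif line.startswith("-"):          # delta-mode attribute deletion
            objects[current].pop(line[1:], None)
        else:
            parts = line.split(":", 2)      # the value may itself contain ':' (e.g. a BSSID)
            if len(parts) != 3:
                raise ValueError("malformed attribute line: " + line)
            name, encoding, raw = parts
            objects[current][name] = decode_value(encoding, raw)
    return objects


def exposed_via_all(all_text, can_open):
    """(object, attribute) pairs an app can read through .all even though
    can_open(object) denies it the object's own file: the leak described above."""
    return [(obj, attr) for obj, attrs in parse_pps_dump(all_text).items()
            if not can_open(obj) for attr in attrs]


def acl_filtered_all(all_text, can_open):
    """What .all would return if the per-object ACL were applied to each
    aggregated object before serving it."""
    return {obj: attrs for obj, attrs in parse_pps_dump(all_text).items() if can_open(obj)}


if __name__ == "__main__":
    for obj, attr in exposed_via_all(SAMPLE_ALL, app_can_open):
        print("leaked through .all:", obj, attr)
    print("after ACL filtering:", list(acl_filtered_all(SAMPLE_ALL, app_can_open)))
```

The split on the first two colons only is the part worth getting right when writing such a parser: a BSSID or a URL in a string attribute contains further colons, and a naive split(":") silently truncates exactly the values an auditor is looking for.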

Slide 55

“Bridging” The Gap
CVSS: 3.6 (per RIM)

Slide 56

BlackBerry Bridge
• RIM has since fixed the PPS “.all” infoleak (TabletOS 2.0+)

Slide 57

“Bridging” The Gap
• SapphireProxy (on http://127.0.0.1:187) also serves as an open HTTP proxy
• Proxied traffic goes over the Bluetooth link and out of the BlackBerry handset’s interface (WiFi or cell radio)
• Possible access to the corporate net or BES

Slide 58

App World
• Purchase / download functionality (duh)
• PlayBook and BBOS share a common interface
• Asynchronous app purchase and download components

Slide 59

Hrmm... Consider the following requests:

Slide 60

Oh...
• Sequential file names
• No session management
• A local cache of App World can be yours (be sure to bring along external storage)!*
* assuming there’s anything that you want

Slide 61

Save yourself $2 -- #6294155

Slide 62

App World
• Evidently hosts all versions of all BBOS and PlayBook applications
• Applications can be side-loaded
• No centralized license management
• Not unique to PlayBook, but significant
• RIM response

Slide 63

Web services
• bozohttpd
• “certmgr”
• inetd
• dtm-up.sh
• WiFi vs USB

Slide 64

Web services
• login.cgi
• “dtmauth”
• Token stored in a PPS object...

Slide 65

Web services
• Legitimate but somewhat impractical
• pf restrictions
• Hurry up and wait
Impractical, but not ineffective.

Slide 66

Web services
• Help from Sapphire!
• Snag dtmauth, proxy through the BlackBerry handset (via Sapphire)

Slide 67

Web services

Slide 68

Additional Considerations

Slide 69

Samba
• Desktop Manager
• General file sharing
• WiFi vs USB
• x.509 certificates
• Media
PROTIP: leave file sharing disabled

Slide 70

Bridge: More to consider
• SapphireProxy startup arguments
• privesc will give you corporate intranet access

Slide 71

Bridge: More to consider
• Bridge “Files” accesses BB handset storage... via WebDAV
• Internal storage, SD card, camera images, etc.
• FS perms controlled through group membership (1000_shared, which maps to the access_shared app perm)

Slide 72

Bridge: More to consider
• Permissions and leaks may be resolved, but these issues will resurface

Slide 73

Things to keep an eye on
• System scripts
  • Python / shell
  • “cleanup” stuff
• Android support (a lot of potentially kludgy glue)
• File permissions
• Logs
• Support apps (Desktop Manager, Device Manager)

Slide 74

Questions?
• [email protected] https://twitter.com/quine
• [email protected] https://twitter.com/bnull
• http://github.com/intrepidusgroup/pbtools
• FILL OUT THE SURVEY - http://surveymonkey.com/sourceboston12
Greetz: NickDe, HockeyInJune, jono, bliss, ddz, dguido, cstone #busticati, #painsec