No Apology Required: Deconstructing BB10

Zach Lanier
December 04, 2014

Transcript

  1. No Apology Required
    Deconstructing BB10
    CanSecWest 2014

  2. Introduction
    • Presentation is exploratory
    • Research is on-going
    • Focused mostly on methodology, less on findings
    • Feel free to chat after (since we may run out of time)
    • Title is because stereotypical Canadians apologize for everything

  4. Introduction
    Ben Nell (bNull), Sr. Security Consultant, Accuvant Labs
    Zach Lanier (quine), Sr. Security Researcher, Duo Security
    Presentation foul: <--- mixing memes --->

  5. Why this matters

  7. Why this matters
    You’re an appsec consultant and your
    customer asks you if BlackBerry Balance
    solves BYOD

  8. Agenda
    • Previous Research
    • Platform Overview
    • Methodology
    • Attack Surface
    • Future Work

  9. Previous Research

  10. Our PlayBook stuff
    • Targeted predecessor of BB10
    — TabletOS on BB PlayBook
    • Discovered AuthZ token
    disclosure for Bridge/Balance
    (steal all the corporate data)
    • RE’d firmware
    • Mirrored all of AppWorld (steal
    all the premium apps)
    • And more...

  11. Our PlayBook stuff (cont’d)
    • Discovered that native apps
    can exec*() / spawn*() and
    open AF_INET sockets
    unfettered (no perm’s req’d)
    • Still true in BB10, but (even
    detached) child procs killed
    when app/parent ends
    • “Headless Apps” allow for
    background services, but
    special perms required
    • Granting of perms is
    contingent upon approval
    from RIM/BB signing
    service

  12. Others
    • Julio Cesar Fort’s QNX
    research
    • SEC Consult BB10 paper
    • RPW’s BB10 preso (BH
    USA ’13)
    • Tim Brown’s various
    QNX/TabletOS/BB10
    works

  13. Platform Overview

  14. Overview
    • ARM-based SoCs (Z10, Q10, and Z30
    all Snapdragon S4 SoC)
    • BB10 (based on QNX Neutrino RTOS
    8.0.0)
    • Major components (as of 10.2.1.1925):
    • WebKit (537.10 / 10.2.1.66)
    • Adobe Flash (11.1.121.199)
    • Adobe AIR (3.1.0.230)
    • BlackBerry Balance (isolated,
    corporate PIM)

  15. QNX
    • Microkernel, only truly trusted
    component
    • Userspace kernel and
    process manager - procnto
    • Separation of network, I/O, HMI, etc. into separate components
    • Messaging layer provides
    IPC (QNX message passing
    + POSIX IPC abstraction)
    • Prev. public bugs disclosed
    by Ilja van Sprundel, Tim
    Brown, Julio Cesar Fort,
    cenobite, and others

  16. Security Controls / Mitigations
    • OpenBSD/NetBSD pf
    • POSIX (filesystem) ACLs
    • Compiler & linker protections for native
    apps
    • Usual suspects: XN, ASLR, ProPolice,
    PIE + full RELRO

  17. QDE/Momentics default build options

  18. Security Features
    • Blackberry Balance
    • Encrypted, FACL’d “container”
    • a.k.a. “perimeter”
    • BES policy enforcements
    • DISA STIGs guide these

  19. authman & permissions
    • authman service - maps app permissions
    to system resources
    • Filesystem permissions + POSIX ACLs, PF
    rules
    • Shell script and Python glue to bind it all
    together

  20. authman & permissions
    • /dev/authman: resource manager “dispatch”
    path (QNX IPC endpoint)
    • /etc/authman: configs
    • Pair of files (".res" & ".acl"), named for profile type

  21. authman & permissions
    • Controls access to
    app permissions
    (allow, prompt, deny)
    • Sets FACLs on
    filesystem objects
    based on app
    permission requested
    • Also sets process
    capabilities for certain
    permission types (e.g.
    “Headless apps”)

  22. authman & pf
    • authman handles
    setting up (app)
    GID:rule mapping
    • Ex: limiting access
    to SapphireProxy
    (for BB Bridge) on
    127.0.0.2

  23. Dec 06 01:53:04 5 41 0 authman: RX euid=89/egid=0, 'defapp ext __def personal dual 100001000 100001000 sys.browser.gYABgJYFHAzbeFMPCCpYWBtHAm0 "Browser" "Research In Motion Limited" "gYAAgNpMbwE-hW4khx0h8BidUeI" run_when_backgrounded manage_certificates access_location_services use_camera record_audio access_shared access_internet post_notification gain_oma_fl_group access_oma_fl_write_personal access_oma_fl_write_enterprise access_bbjma_data access_carrier_browser access_cclagent_service use_certmgr_server access_wifi_limited run_native permanent access_perimeter_personal'
    Dec 06 01:53:04 5 41 0 authman: Requested caps:
    Dec 06 01:53:04 5 41 0 authman: req:Allow execute
    Dec 06 01:53:04 5 41 0 authman: Applying execute
    Dec 06 01:53:04 5 41 0 authman: pf_remove_gid: scanning anchors for gid=100001000
    Dec 06 01:53:04 5 41 0 authman: Requested caps:
    Dec 06 01:53:04 5 41 0 authman: req:Allow run_when_backgrounded
    Dec 06 01:53:04 5 41 0 authman: req:Allow manage_certificates
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_location_services
    Dec 06 01:53:04 5 41 0 authman: req:Allow use_camera
    Dec 06 01:53:04 5 41 0 authman: req:Allow record_audio
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_shared
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_internet
    Dec 06 01:53:04 5 41 0 authman: req:Allow gain_oma_fl_group
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_oma_fl_write_personal
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_oma_fl_write_enterprise
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_bbjma_data
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_carrier_browser
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_cclagent_service
    Dec 06 01:53:04 5 41 0 authman: req:Allow use_certmgr_server
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_wifi_limited
    Dec 06 01:53:04 5 41 0 authman: req:Allow run_native
    Dec 06 01:53:04 5 41 0 authman: req:Allow permanent
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_perimeter_personal
    Dec 06 01:53:04 5 41 0 authman: Applying run_when_backgrounded
    Dec 06 01:53:04 5 41 0 authman: Applying manage_certificates
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/certmgr/control
    Dec 06 01:53:04 5 41 0 authman: Applying access_location_services
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_cell_cdma_private
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_cell_private
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_private
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/radioctrl/modem0/status_private
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/geomonitor/control
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=050, /pps/services/geolocation/geomonitor
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/control
    (slide callouts: “capabilities” based on permissions; ACLs based on permissions; pf rule(s))
    output from sloginfo (tool to print system log)
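The sloginfo excerpt above is enough to reconstruct what each permission actually granted. This added example (not code from the talk) parses authman lines into a per-request map of requested permissions, the group ACLs each one set, and the pf action; the prefix layout, the position of the package id in the RX line, and the octal owner/group/other reading of `perms=` are assumptions taken from the slide.

```python
# Added example, not code from the talk; line layout assumed from slide 23.
import re

# Constructed sample: a shortened copy of the sloginfo excerpt on slide 23.
SAMPLE_LOG = """\
Dec 06 01:53:04 5 41 0 authman: RX euid=89/egid=0, 'defapp ext __def personal dual 100001000 100001000 sys.browser.gYABgJYFHAzbeFMPCCpYWBtHAm0 "Browser" "Research In Motion Limited" "gYAAgNpMbwE-hW4khx0h8BidUeI" run_when_backgrounded manage_certificates access_location_services permanent'
Dec 06 01:53:04 5 41 0 authman: req:Allow execute
Dec 06 01:53:04 5 41 0 authman: Applying execute
Dec 06 01:53:04 5 41 0 authman: pf_remove_gid: scanning anchors for gid=100001000
Dec 06 01:53:04 5 41 0 authman: req:Allow run_when_backgrounded
Dec 06 01:53:04 5 41 0 authman: req:Allow manage_certificates
Dec 06 01:53:04 5 41 0 authman: req:Allow access_location_services
Dec 06 01:53:04 5 41 0 authman: Applying run_when_backgrounded
Dec 06 01:53:04 5 41 0 authman: Applying manage_certificates
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/certmgr/control
Dec 06 01:53:04 5 41 0 authman: Applying access_location_services
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_private
"""

# Prefix layout (date, time, three numeric columns, facility) assumed from the slide.
LINE = re.compile(r"^\w{3} \d{2} \d{2}:\d{2}:\d{2} \d+ \d+ \d+ authman: (?P<msg>.*)$")
RX = re.compile(r"^RX euid=\d+/egid=\d+, '(?P<body>.*)'$")
ACL = re.compile(r"^set_acl_group_perms: gid=(?P<gid>\d+), perms=(?P<perms>[0-7]{3}), (?P<path>\S+)$")
PF = re.compile(r"^pf_remove_gid: .*gid=(?P<gid>\d+)$")
IDENT = re.compile(r'(?P<pkg>\S+) "[^"]*"')  # assumed: package id precedes the quoted display name

def parse_authman(log):
    """One dict per RX request: requested perms, ACLs set per applied perm, pf actions."""
    sessions, cur, perm = [], None, None
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # lines from other facilities in the dump
        msg = m.group("msg")
        if (rx := RX.match(msg)):
            ident = IDENT.search(rx.group("body"))
            cur = {"app": ident and ident.group("pkg"), "gid": None,
                   "requested": [], "applied": {}, "pf": []}
            sessions.append(cur)
            perm = None
        elif cur is None:
            continue  # trailing output of a request whose RX line we never saw
        elif msg.startswith("req:Allow "):
            cur["requested"].append(msg.split(" ", 1)[1])
        elif msg.startswith("Applying "):
            perm = msg.split(" ", 1)[1]  # following ACL/pf lines belong to this perm
            cur["applied"].setdefault(perm, [])
        elif (a := ACL.match(msg)):
            cur["gid"] = cur["gid"] or a.group("gid")
            cur["applied"].setdefault(perm, []).append((a.group("perms"), a.group("path")))
        elif (p := PF.match(msg)):
            cur["gid"] = cur["gid"] or p.group("gid")
            cur["pf"].append((perm, msg))
    return sessions

def acl_free_permissions(session):
    """Applied perms that set no FACL: enforced as capabilities or pf rules instead."""
    return [p for p, acls in session["applied"].items() if not acls]

def paths_with_group_bit(session, bit):
    """(perm, path) pairs whose group ACL entry has `bit` set (4 read, 2 write)."""
    return [(p, path) for p, acls in session["applied"].items()
            for perms, path in acls if int(perms[1]) & bit]
```

An audit that only walks FACLs under /pps will not see the permissions `acl_free_permissions` reports, which is exactly the split the slide's callouts draw.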

  24. PPS
    • “Persistent Publish / Subscribe”
    • Implemented by pps manager process
    • Simple interface for sharing data,
    notifications/eventing via filesystem objects

  25. IPC
    • IPC is key in QNX
    • “Message passing” & signals implemented
    in microkernel
    • Other IPC (POSIX-compatible) mechanisms
    implemented by manager processes
    (diagram: message passing, comprising message copying, simple messages, channels and events such as pulses, signals and unblocks, plus signals, sits in the kernel; shared memory, pipes, FIFOs and typed memory are provided by an external process/manager)

  26. Application Model
    • Native: C/C++
    • WebWorks / Cordova: HTML/JS
    • Adobe AIR: Flash/AS, HTML/JS
    • Android: Java/DEX
    20 app perms documented; 340 unique app & sys perms observed

  27. Application Model
    • App processes run with same UIDs, but separate
    GIDs (incl. supplemental GIDs)
    • Apps have separate data stores/”sandboxes”
    • With Balance/corporate separation, additional data
    stores
    • Production apps are signed by BB/RIM signing server

  28. Our Approach to the Platform
    meth·od·ol·o·gy
    /ˌmeTHəˈdäləjē/

  29. Testing Limitations

  30. Testing Limitations
    • General lack of enthusiasm for BB10 as a
    target
    • General lack of public information about
    the system
    • Effective security controls
    • We’re left looking at a black box

  31. OSINT
    Just ask the internet!

  32. OSINT
    Existing previous work
    • Our PlayBook work
    • SEC Consult paper
    • Works by RPW, Tim Brown,
    Julio Cesar Fort, etc.
    • Not a ton of stuff out there
    https://www.sec-consult.com/fxdata/seccons/prod/downloads/sec_consult_vulnerability_lab_blackberry_z10_initial_analysis_v10.pdf

  33. OSINT
    QNX Foundry
    • Man pages for QNXisms
    • Downloads
    • Forums
    • Wiki
    • Google dorks are
    golden…

  34. OSINT
    Speaking of Google dorks…

  35. OSINT
    Some random RIM employee’s file dump?
    (screenshot callouts: upcoming product feature assessment; hardware code names; upcoming project effort estimations / release dates)

  36. OSINT
    Some random RIM employee’s file dump?
    (screenshot callouts: internal bug tracker; internal URL)

  37. OSINT
    Some random RIM employee’s file dump?
    Pre-release BB10 developer image for
    Winchester/PlayBook

  38. Dynamic Analysis
    Watch it work and try to understand “why”

  39. Dynamic Analysis
    RIM wants to get your hacking^Wdevelopment projects up and running as quickly as possible!
    Lots of SDK stuff, including a native SDK, giving us:
    • libc, libcurl, OpenSSL, V8, and tons more
    • Easy cross-compilation

  40. Dynamic Analysis
    (screenshots: Development Tools; Sample code)

  41. Dynamic Analysis
    Momentics target navigator: proc/thread mem info, FS nav, etc.
    Controller app: controls NFC, Camera, geoloc, etc. for Simulator

  42. Dynamic Analysis
    • Momentics provides QNX-specific versions/
    builds of the typical toolchain
    • gdb
    • also objdump, nm, readelf, gcc, etc.

  43. Dynamic Analysis
    BlackBerry Simulator
    • Gives us something similar to the real thing
    • We can have root access*
    • Access to tools relevant to the real thing
    QNX Software Dev Platform (SDP)
    • MDS Simulator
    • It’s like the non-official “platform” debug tool
    • A fully accessible QNX environment
    * - with a bit of work

  44. Dynamic Analysis
    Just another box on the network
    • Testing harness
    • Wireshark
    • Proxy (Burp and
    friends)
    • nmap
    • Various fuzzers
    • Custom stuff

  45. Dynamic Analysis
    There are lots of network services
    (screenshot: BB10 network services)

  47. Dynamic Analysis
    • Unsurprisingly, logs => info
    • slogger (app event logger) and slogger2 (system event logger)
    • Readable on simulator with sloginfo and slog2info
    • slog* devices not readable on device :(
    Dec 07 16:14:20.041 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 [ServiceManager] refreshing accounts list
    Dec 07 16:14:20.042 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Calling AccountServicePrivate::accounts for service "contacts"
    Dec 07 16:14:20.042 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Calling AccountServicePrivate::accounts
    Dec 07 16:14:20.044 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 MNH(93): handleAccountUpdated accountId 4
    Dec 07 16:14:20.045 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 Calling AccountServicePrivate::account for AccountKey = 4
    Dec 07 16:14:20.052 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 GET 0x13
    Dec 07 16:14:20.052 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 URL Buffer: http://127.0.0.1:8888/accounts/4
    Dec 07 16:14:20.066 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 GET 0x1
    Dec 07 16:14:20.066 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 URL Buffer: http://127.0.0.1:8888/accounts
    Dec 07 16:14:20.072 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 Curl Easy perform
    Dec 07 16:14:20.080 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Curl Easy perform
    Dec 07 16:14:20.081 menu_service.2830447 menu_svc_logs 0 MS PIMCORE: command: GET method: /accounts URL:http://127.0.0.1:8888/accounts
    Dec 07 16:14:20.082 phone.3567743 phone 0 [ I][18][PlatformContact:lookupByPhoneNu| 107] ContactService returns 0

  48. Dynamic Analysis
    Debugging is a breeze

  49. (diagram: Target / Host)

  50. Fuzzing…

  51. Static Analysis
    For the things that can’t be watched

  52. Static Analysis
    Installation bundles
    • BAR format (hurr durr)
    • De-facto standard for any
    non-factory packages
    • META-INF directory
    • Code signatures and app
    info
    • “assets”
    % zipinfo -l1 ./Gooby/arm/o.le-v7/Gooby-1_0_0_1.bar
    META-INF/MANIFEST.MF
    META-INF/AUTHOR.SF
    META-INF/AUTHOR.EC
    META-INF/RDK.SF
    META-INF/RDK.EC
    native/bar-descriptor.xml
    native/icon.png
    native/assets/main.qml
    native/qm/Gooby.qm
    native/Gooby.so
    native/GoobyService
    native/assets/.assets.index

  53. Static Analysis
    MANIFEST.MF: Package Meta Info

  54. Static Analysis
    MANIFEST.MF: Application Meta Info

  55. Static Analysis
    MANIFEST.MF: Entry Point Info

  56. Static Analysis
    MANIFEST.MF: Entry Point Info

  57. Static Analysis
    Getting Firmware
    • MITM the CDN downloads
    • The “community” has built
    some good tools
    http://forums.crackberry.com/bb10-leaked-beta-os-f395/sachesi-firmware-extractor-searcher-installer-825409/

  58. Static Analysis
    Getting Into the Firmware
    • “pbtools”
    • Mount the firmware in Simulator or SDP
    • SCP the files back out
    https://github.com/intrepidusgroup/pbtools

  59. Static Analysis
    Shell Scripts
    • /base/scripts/
    • Easy to read
    • grep-fu for great
    success!
    (screenshot: excerpt from “startup.sh”)

  60. Static Analysis
    Python: For everything
    important on BB10 that isn’t
    written in bash
    • Most of it is compiled
    Python (bytecode;
    *.pyc)
    • unpyc3.py
    https://code.google.com/p/unpyc3/

  61. Static Analysis
    ActionScript
    • Decompile with Sothink / whatever
    • Most ActionScript apps handle front-end stuff
    (screenshot: decompiled qnx.AIRServices.ota.OtaUpdate)

  62. Static Analysis
    Compiled binaries
    • IDA cleanly disassembles
    • ARM / x86
    • Without a public root,
    disassembly might be your
    best/only bet for dorking
    with many network services

  63. Attack Surface
    http://www.harkavagrant.com/?id=250

  64. Entry Points
    Where the device accepts data

  65. IPC
    • Numerous IPC endpoints available
    • QNX channels particularly
    caught our eye
    • Wrote some horrible IPC
    scanners / fuzzers
    • Problem: not always sure WTF is
    on the other end of a channel
    (or able to attach to channel but
    unable to send)
    • Also DoS’d/froze device multiple
    times during mass channel
    scans
    $ ./scanchan.py 643092
    Could not find platform independent libraries
    Consider setting $PYTHONHOME to [:]
    [+] PID: 643092 - Connected to channel: 2
    [-] PID: 643092 - Error for channel 6: [Errno 1] Operation not permitted
    $ ./fchan1.py 1019928 16
    [+] PID: 1019928 - Connected to channel: 16
    (48, b"AAAAAAAAAAAAAAAA(coid, b'Hello!')\n c
    \x01\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x02\x0
    0\x00\x00O\x00\x00\x00s\x16\x00\x00\x00|\x01\x00|
    \x00\x00_\x00\x00|\x02\x00|\x00\x00_\x01\x00d
    \x00\x00S(\x01\x00\x00\x00N(\x02\x00\x00\x00u
    \x04\x00\x00\x00argsu\x06\x00\x00\x00…

  66. Network Services
    • Samba!
    • WWW!
    • WebDAV!
    • Proxies!
    • SSH!
    • Other stuff!

  67. Network Services
    Local-hosted CGI scripts are used for device management “stuff”
    • Backup & restore
    • Application installation
    • Device reset
    • Limited logging control
    • Limited PIM management
    • Enterprise registration
    • Etc

  68. WiFi
    • Many device management
    functions happen over HTTP/
    SMB with the option of
    operating over WiFi
    • Handset acts as an UPnP
    gateway
    • There are some real
    problematic areas observable
    over WiFi

  69. USB
    • Mass storage? Nay,
    Ethernet!
    • Similar to WiFi
    (WWW/SMB), with
    additional
    capabilities

  70. Bluetooth
    • Tether your handset to your
    tablet
    • SapphireProxy (get it?)
    • WebDAV
    • HTTP proxy
    • Protected by pf
    (screenshot: BlackBerry “Bridge” / SapphireProxy)
    This service has had problems in the past… *
    * Barely recognizable BattleStar reference

  71. NFC
    It works and there are no security problems?
    • Haven’t really
    explored this
    ourselves.
    • Biggest concern
    likely bad NDEF
    message parsing by
    3rd party native
    apps

  72. Local Application
    • Malware / Client-
    side attacks
    • Insufficient controls
    on sensitive local
    file and network
    resources
    • Privilege
    escalations are like
    gold

  73. Balance
    • An attempt at solving BYOD
    • “Perimeters” manage the
    separation between personal
    and enterprise applications,
    data, and network resources
    • Enterprise perimeter security is
    controlled by BES and
    enforced locally

  74. Balance
    Concerned Consumer:
    Sounds great. How does it work?
    I am familiar with the iOS security
    model and might expect to see
    some sort of sandboxing
    technology to enforce this
    separation.

  75. Balance
    RIM:
    I don’t want to say that it’s
    all based on file
    permissions…
    …but it’s all based on file
    permissions

  76. Future Work

  77. TODO
    • Further (re-)exploration of...
    • authman
    • system IPC endpoints
    • Balance
    • Android support
    • Radio (NFC, Cell/BB, BT)
    • HDMI, USB

  78. Conclusion

  79. Questions / Contact
    • https://twitter.com/quine
    • https://twitter.com/bnull
    <--shameless plug
