No Apology Required: Deconstructing BB10

Zach Lanier
December 04, 2014

Transcript

  1. No Apology Required
    Deconstructing BB10
    CanSecWest 2014

  2. Introduction
    • Presentation is exploratory
    • Research is on-going
    • Focused mostly on
    methodology, less on
    findings
    • Feel free to chat after
    (since we may run out of
    time)
    • Title is because
    stereotypical Canadians
    apologize for everything

  4. Introduction
    Ben Nell (bNull), Sr. Security Consultant, Accuvant Labs
    Zach Lanier (quine), Sr. Security Researcher, Duo Security
    Presentation foul: <--- mixing memes --->

  7. Why this matters
    You’re an appsec consultant and your
    customer asks you if BlackBerry Balance
    solves BYOD

  8. Agenda
    • Previous Research
    • Platform Overview
    • Methodology
    • Attack Surface
    • Future Work

  9. Previous Research

  10. Our PlayBook stuff
    • Targeted predecessor of BB10
    — TabletOS on BB PlayBook
    • Discovered AuthZ token
    disclosure for Bridge/Balance
    (steal all the corporate data)
    • RE’d firmware
    • Mirrored all of AppWorld (steal
    all the premium apps)
    • And more...

  11. Our PlayBook stuff (cont’d)
    • Discovered that native apps
    can exec*() / spawn*() and
    open AF_INET sockets
    unfettered (no permissions required)
    • Still true in BB10, but (even
    detached) child procs are killed
    when the app/parent ends
    • “Headless Apps” allow for
    background services, but
    special perms are required
    • Granting of those perms is
    contingent upon approval
    from the RIM/BB signing
    service

  12. Others
    • Julio Cesar Fort’s QNX
    research
    • SEC Consult BB10 paper
    • RPW’s BB10 preso (BH
    USA ’13)
    • Tim Brown’s various
    QNX/TabletOS/BB10
    works

  13. Platform Overview

  14. Overview
    • ARM-based SoCs (Z10, Q10, and Z30
    all Snapdragon S4 SoC)
    • BB10 (based on QNX Neutrino RTOS
    8.0.0)
    • Major components (as of 10.2.1.1925):
    • WebKit (537.10 / 10.2.1.66)
    • Adobe Flash (11.1.121.199)
    • Adobe AIR (3.1.0.230)
    • BlackBerry Balance (isolated,
    corporate PIM)

  15. QNX
    • Microkernel, only truly trusted
    component
    • Userspace kernel and
    process manager - procnto
    • Separation of network,
    I/O, HMI, etc. into separate
    components
    • Messaging layer provides
    IPC (QNX message passing
    + POSIX IPC abstraction)
    • Prev. public bugs disclosed
    by Ilja van Sprundel, Tim
    Brown, Julio Cesar Fort,
    cenobite, and others

  16. Security Controls / Mitigations
    • pf (OpenBSD’s packet filter, via the NetBSD-derived network stack)
    • POSIX (filesystem) ACLs
    • Compiler & linker protections for native
    apps
    • Usual suspects: XN, ASLR, ProPolice,
    PIE + full RELRO
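To check those compiler and linker protections on a native binary pulled out of a .bar or a firmware image, the script below reads the ELF32 program headers and dynamic section directly and reports NX (PT_GNU_STACK without PF_X), PIE (ET_DYN, which is what makes ASLR effective for the main image), RELRO (PT_GNU_RELRO, "full" only when BIND_NOW is also set) and the ProPolice/SSP canary. It is an added example, not tooling from the talk. The canary check is the same heuristic checksec-style tools use (the binary references __stack_chk_fail), and the test ELF it builds for offline use is a constructed input that carries only the headers the checker reads; it is not loadable.

```python
import struct
import sys

# ELF32 constants (BB10 native binaries are 32-bit ARM, little-endian)
ET_EXEC, ET_DYN, EM_ARM = 2, 3, 40
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIIIIIHHHHHH")  # Elf32_Ehdr, 52 bytes
PHDR = struct.Struct("<8I")                # Elf32_Phdr, 32 bytes
DYN = struct.Struct("<iI")                 # Elf32_Dyn, 8 bytes


def check_mitigations(elf: bytes) -> dict:
    """Report NX, PIE, RELRO and stack-canary status from the ELF headers alone,
    the same facts `readelf -lWd` plus a symbol listing would give you."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        raise ValueError("expected a 32-bit little-endian ELF")
    fields = EHDR.unpack_from(elf, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    # each phdr: p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
    phdrs = [PHDR.unpack_from(elf, e_phoff + i * e_phentsize) for i in range(e_phnum)]
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    nx = bool(stack) and not (stack[0][6] & PF_X)   # no PT_GNU_STACK at all: treated as not NX
    relro_seg = any(p[0] == PT_GNU_RELRO for p in phdrs)
    bind_now = False
    for p in phdrs:
        if p[0] != PT_DYNAMIC:
            continue
        for j in range(p[4] // DYN.size):
            tag, val = DYN.unpack_from(elf, p[1] + j * DYN.size)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True
    return {
        "nx": nx,
        "pie": e_type == ET_DYN,   # shared objects are ET_DYN too; for an executable this means PIE
        "relro": "full" if relro_seg and bind_now else "partial" if relro_seg else "none",
        # heuristic: ProPolice/SSP-instrumented code references __stack_chk_fail
        "canary": b"__stack_chk_fail" in elf,
    }


def build_test_elf(*, pie: bool, nx: bool, relro: bool, bind_now: bool, canary: bool) -> bytes:
    """Constructed input: an ARM ELF32 carrying only the headers the checker reads.
    It is not loadable; it exists so the checker can be exercised offline."""
    dyn_bytes = (DYN.pack(DT_FLAGS, DF_BIND_NOW) if bind_now else b"") + DYN.pack(DT_NULL, 0)
    strtab = b"\0__stack_chk_fail\0" if canary else b"\0"
    phdrs = [(PT_GNU_STACK, 0, 0, 0, 0, 0, PF_R | PF_W | (0 if nx else PF_X), 0x10)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 0, 0, 0, 0, 0, PF_R, 1))
    phnum = len(phdrs) + 1
    dyn_off = EHDR.size + phnum * PHDR.size   # dynamic array follows the program headers
    phdrs.append((PT_DYNAMIC, dyn_off, 0, 0, len(dyn_bytes), len(dyn_bytes), PF_R | PF_W, 4))
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8   # ELFCLASS32, ELFDATA2LSB, EV_CURRENT
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, EM_ARM, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, phnum, 0, 0, 0)
    return ehdr + b"".join(PHDR.pack(*p) for p in phdrs) + dyn_bytes + strtab


if __name__ == "__main__":
    # Usage: python elfcheck.py native/Gooby.so   (any ELF32 from a .bar or a firmware image)
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:
        data = build_test_elf(pie=True, nx=True, relro=True, bind_now=True, canary=True)
    for key, value in check_mitigations(data).items():
        print(f"{key:7} {value}")
```

Run it against every ELF in an unpacked .bar rather than only the entry point: a native app that links its own .so files inherits the weakest link, and a partial-RELRO library still leaves its GOT writable.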

  17. QDE/Momentics default build options

  18. Security Features
    • BlackBerry Balance
    • Encrypted, FACL’d “container”
    • a.k.a. “perimeter”
    • BES policy enforcement
    • DISA STIGs guide these

  19. authman & permissions
    • authman service - maps app permissions
    to system resources
    • Filesystem permissions + POSIX ACLs, PF
    rules
    • Shell script and Python glue to bind it all
    together

  20. authman & permissions
    • /dev/authman: resource manager “dispatch”
    path (QNX IPC endpoint)
    • /etc/authman: configs
    • Pair of files (".res" & ".acl"), named for profile type

  21. authman & permissions
    • Controls access to
    app permissions
    (allow, prompt, deny)
    • Sets FACLs on
    filesystem objects
    based on app
    permission requested
    • Also sets process
    capabilities for certain
    permission types (e.g.
    “Headless apps”)

  22. authman & pf
    • authman handles
    setting up (app)
    GID:rule mapping
    • Ex: limiting access
    to SapphireProxy
    (for BB Bridge) on
    127.0.0.2

  23. Dec 06 01:53:04 5 41 0 authman: RX euid=89/egid=0, 'defapp ext __def personal dual 100001000 100001000 sys.browser.gYABgJYFHAzbeFMPCCpYWBtHAm0 "Browser" "Research In Motion Limited" "gYAAgNpMbwE-hW4khx0h8BidUeI" run_when_backgrounded manage_certificates access_location_services use_camera record_audio access_shared access_internet post_notification gain_oma_fl_group access_oma_fl_write_personal access_oma_fl_write_enterprise access_bbjma_data access_carrier_browser access_cclagent_service use_certmgr_server access_wifi_limited run_native permanent access_perimeter_personal'
    Dec 06 01:53:04 5 41 0 authman: Requested caps:
    Dec 06 01:53:04 5 41 0 authman: req:Allow execute
    Dec 06 01:53:04 5 41 0 authman: Applying execute
    Dec 06 01:53:04 5 41 0 authman: pf_remove_gid: scanning anchors for gid=100001000
    Dec 06 01:53:04 5 41 0 authman: Requested caps:
    Dec 06 01:53:04 5 41 0 authman: req:Allow run_when_backgrounded
    Dec 06 01:53:04 5 41 0 authman: req:Allow manage_certificates
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_location_services
    Dec 06 01:53:04 5 41 0 authman: req:Allow use_camera
    Dec 06 01:53:04 5 41 0 authman: req:Allow record_audio
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_shared
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_internet
    Dec 06 01:53:04 5 41 0 authman: req:Allow gain_oma_fl_group
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_oma_fl_write_personal
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_oma_fl_write_enterprise
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_bbjma_data
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_carrier_browser
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_cclagent_service
    Dec 06 01:53:04 5 41 0 authman: req:Allow use_certmgr_server
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_wifi_limited
    Dec 06 01:53:04 5 41 0 authman: req:Allow run_native
    Dec 06 01:53:04 5 41 0 authman: req:Allow permanent
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_perimeter_personal
    Dec 06 01:53:04 5 41 0 authman: Applying run_when_backgrounded
    Dec 06 01:53:04 5 41 0 authman: Applying manage_certificates
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/certmgr/control
    Dec 06 01:53:04 5 41 0 authman: Applying access_location_services
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_cell_cdma_private
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_cell_private
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_private
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/radioctrl/modem0/status_private
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/geomonitor/control
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=050, /pps/services/geolocation/geomonitor
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/control
    Callouts on the slide: “capabilities” based on permissions (the req:/Applying lines); ACLs based on permissions (the set_acl_group_perms lines); pf rule(s) (the pf_remove_gid line)
    Output from sloginfo (tool to print the system log)
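The log above is authman doing exactly what the earlier slides describe: each requested permission is echoed as a req:/Applying line and then realised as set_acl_group_perms calls on /pps/... objects for the app's GID (or as pf anchor work). The Python below, an added example rather than the authors' tooling, parses sloginfo lines of that shape into one per-app record so the permission-to-ACL mapping can be reviewed offline, and lists the permissions that were applied without touching any filesystem ACL (the ones a file-permission audit alone will never show). The embedded sample is an abridged copy of the slide's output (lines copied, some omitted). The meaning of the positional fields in the RX line (app id just before the quoted display name, permission names after the last quoted field) is inferred from this single sample and is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the sloginfo output on the slide, with the
# RX permission list and the Applying/ACL section shortened.
SAMPLE_LOG = """\
Dec 06 01:53:04 5 41 0 authman: RX euid=89/egid=0, 'defapp ext __def personal dual 100001000 100001000 sys.browser.gYABgJYFHAzbeFMPCCpYWBtHAm0 "Browser" "Research In Motion Limited" "gYAAgNpMbwE-hW4khx0h8BidUeI" run_when_backgrounded manage_certificates access_location_services use_camera access_shared access_internet run_native'
Dec 06 01:53:04 5 41 0 authman: Requested caps:
Dec 06 01:53:04 5 41 0 authman: req:Allow execute
Dec 06 01:53:04 5 41 0 authman: Applying execute
Dec 06 01:53:04 5 41 0 authman: pf_remove_gid: scanning anchors for gid=100001000
Dec 06 01:53:04 5 41 0 authman: Requested caps:
Dec 06 01:53:04 5 41 0 authman: req:Allow run_when_backgrounded
Dec 06 01:53:04 5 41 0 authman: req:Allow manage_certificates
Dec 06 01:53:04 5 41 0 authman: req:Allow access_location_services
Dec 06 01:53:04 5 41 0 authman: req:Allow use_camera
Dec 06 01:53:04 5 41 0 authman: req:Allow access_shared
Dec 06 01:53:04 5 41 0 authman: req:Allow access_internet
Dec 06 01:53:04 5 41 0 authman: req:Allow run_native
Dec 06 01:53:04 5 41 0 authman: Applying run_when_backgrounded
Dec 06 01:53:04 5 41 0 authman: Applying manage_certificates
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/certmgr/control
Dec 06 01:53:04 5 41 0 authman: Applying access_location_services
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_cell_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/geomonitor/control
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=050, /pps/services/geolocation/geomonitor
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/control
"""

LINE = re.compile(r"^\w{3} \d\d \d\d:\d\d:\d\d \d+ \d+ \d+ authman: (.*)$")
RX = re.compile(r"^RX euid=(\d+)/egid=(\d+), '(.*)'$")
REQ = re.compile(r"^req:(\w+) (\S+)$")
APPLY = re.compile(r"^Applying (\S+)$")
ACL = re.compile(r"^set_acl_group_perms: gid=(\d+), perms=(\d+), (\S+)$")
PF = re.compile(r"^pf_remove_gid: scanning anchors for gid=(\d+)$")


def group_rwx(perms: str) -> str:
    """Render the group triplet of an octal mode such as '060' as 'rw-'.
    authman only sets group bits in the slide's output: the app's GID is the subject."""
    bits = (int(perms, 8) >> 3) & 7
    return "".join(c if bits & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))


def parse_authman(log: str) -> dict:
    """Reconstruct one app launch: who asked (euid/egid), which app, which permissions
    were requested and with what decision, and which ACL grants each 'Applying' produced."""
    rec = {"euid": None, "egid": None, "app": None, "name": None, "vendor": None,
           "gid": None, "requested": {}, "applied": [], "acls": defaultdict(list), "pf_gids": []}
    current = None
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1)
        if (rx := RX.match(msg)):
            rec["euid"], rec["egid"] = int(rx.group(1)), int(rx.group(2))
            body = rx.group(3)
            quoted = re.findall(r'"([^"]*)"', body)
            head = body.split('"', 1)[0].split()   # unquoted tokens before the display name
            tail = body.rsplit('"', 1)[1].split()  # permission names after the last quoted field
            # Assumption (inferred from the one sample on the slide): the token right before
            # the quoted name is the app id; the first two quoted strings are name and vendor.
            rec["app"] = head[-1]
            rec["name"], rec["vendor"] = (quoted + [None, None])[:2]
            rec["requested"] = {p: None for p in tail}
        elif (rq := REQ.match(msg)):
            rec["requested"][rq.group(2)] = rq.group(1)   # Allow / Prompt / Deny per slide 21
        elif (ap := APPLY.match(msg)):
            current = ap.group(1)
            rec["applied"].append(current)
        elif (acl := ACL.match(msg)):
            rec["gid"] = int(acl.group(1))
            rec["acls"][current].append((acl.group(3), group_rwx(acl.group(2))))
        elif (pf := PF.match(msg)):
            rec["pf_gids"].append(int(pf.group(1)))
    return rec


def perms_without_acl(rec: dict) -> list:
    """Permissions authman applied without setting any filesystem ACL. These are enforced
    some other way (process capabilities, pf rules), so reviewing /pps ACLs says nothing
    about them."""
    return [p for p in rec["applied"] if not rec["acls"].get(p)]


if __name__ == "__main__":
    r = parse_authman(SAMPLE_LOG)
    print(f"{r['name']} ({r['app']}) gid={r['gid']} launched by euid={r['euid']}")
    for perm, grants in r["acls"].items():
        for path, rwx in grants:
            print(f"  {perm:28} {rwx} {path}")
    print("no ACL:", perms_without_acl(r))
```

The interesting rows are the ones with no ACL at all: execute and run_when_backgrounded above. For those, the control lives in capabilities or pf anchors, which is where a reviewer has to look next.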

  24. PPS
    • “Persistent Publish / Subscribe”
    • Implemented by pps manager process
    • Simple interface for sharing data,
    notifications/eventing via filesystem objects

  25. IPC
    • IPC is key in QNX
    • “Message passing” & signals implemented
    in microkernel
    • Other IPC (POSIX-compatible) mechanisms
    implemented by manager processes
    Diagram on the slide: QNX IPC mechanisms. In the kernel: message passing (message copying, simple messages, channels), events (pulses, signals, unblocks), signals. In an external process/manager: shared memory, pipes, FIFOs, typed memory.

  26. Application Model
    • Native: C/C++
    • WebWorks / Cordova: HTML/JS
    • Adobe AIR: Flash/AS (HTML/JS)
    • Android: Java/DEX
    20 app perms documented; 340 unique app & sys perms observed

  27. Application Model
    • App processes run with same UIDs, but separate
    GIDs (incl. supplemental GIDs)
    • Apps have separate data stores/”sandboxes”
    • With Balance/corporate separation, additional data
    stores
    • Production apps are signed by BB/RIM signing server

  28. Our Approach to the
    Platform
    meth·od·ol·o·gy
    /ˌmeTHəˈdäləjē/

  30. Testing Limitations
    • General lack of enthusiasm for BB10 as a
    target
    • General lack of public information about
    the system
    • Effective security controls
    • We’re left looking at a black box

  31. OSINT
    Just ask the internet!

  32. OSINT
    Previous work
    • Our PlayBook work
    • SEC Consult paper
    • Works by RPW, Tim Brown,
    Julio Cesar Fort, etc.
    • Not a ton of stuff out there
    https://www.sec-consult.com/fxdata/seccons/prod/downloads/sec_consult_vulnerability_lab_blackberry_z10_initial_analysis_v10.pdf

  33. OSINT
    QNX Foundry
    • Man pages for QNXisms
    • Downloads
    • Forums
    • Wiki
    • Google dorks are
    golden…

  34. OSINT
    Speaking of Google dorks…

  35. OSINT
    Some random RIM employee’s file dump?
    Callouts on the screenshot: upcoming product feature assessment; hardware code names; upcoming project effort estimations / release dates

  36. OSINT
    Some random RIM employee’s file dump?
    Callouts on the screenshot: internal bug tracker; internal URL

  37. OSINT
    Some random RIM employee’s file dump?
    Pre-release BB10 developer image for
    Winchester/PlayBook

  38. Dynamic Analysis
    Watch it work and try to understand “why”

  39. Dynamic Analysis
    RIM wants to get your hacking^Wdevelopment
    projects up and running as quickly as possible!
    Lots of SDK stuff, including a native SDK, giving us:
    • libc, libcurl, OpenSSL, V8,
    and tons more
    • Easy cross-compilation

  40. Dynamic Analysis
    Screenshots: development tools; sample code

  41. Dynamic Analysis
    Momentics target navigator: proc/thread mem info, FS nav, etc.
    Controller app: controls NFC, camera, geoloc, etc. for the Simulator

  42. Dynamic Analysis
    • Momentics provides QNX-specific versions/
    builds of the typical toolchain
    • gdb
    • also objdump, nm, readelf, gcc, etc.

  43. Dynamic Analysis
    BlackBerry Simulator
    • Gives us something similar
    to the real thing
    • We can have root access*
    • Access to tools relevant to
    the real thing
    • MDS Simulator
    QNX Software Dev Platform (SDP)
    • It’s like the non-official
    “platform” debug tool
    • A fully accessible QNX
    environment
    * - with a bit of work

  44. Dynamic Analysis
    Just another box on the network
    • Testing harness
    • Wireshark
    • Proxy (Burp and
    friends)
    • nmap
    • Various fuzzers
    • Custom stuff

  45. Dynamic Analysis
    There are lots of network services
    (screenshot: BB10 network services)

  46. Dynamic Analysis
    • Unsurprisingly, logs => info
    • slogger (app event logger) and slogger2 (system event logger)
    • Readable on simulator with sloginfo and slog2info
    • slog* devices not readable on device :(
    Dec 07 16:14:20.041 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 [ServiceManager] refreshing accounts list
    Dec 07 16:14:20.042 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Calling AccountServicePrivate::accounts for service "contacts"
    Dec 07 16:14:20.042 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Calling AccountServicePrivate::accounts
    Dec 07 16:14:20.044 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 MNH(93): handleAccountUpdated accountId 4
    Dec 07 16:14:20.045 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 Calling AccountServicePrivate::account for AccountKey = 4
    Dec 07 16:14:20.052 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 GET 0x13
    Dec 07 16:14:20.052 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 URL Buffer: http://127.0.0.1:8888/accounts/4
    Dec 07 16:14:20.066 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 GET 0x1
    Dec 07 16:14:20.066 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 URL Buffer: http://127.0.0.1:8888/accounts
    Dec 07 16:14:20.072 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 Curl Easy perform
    Dec 07 16:14:20.080 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Curl Easy perform
    Dec 07 16:14:20.081 menu_service.2830447 menu_svc_logs 0 MS PIMCORE: command: GET method: /accounts URL:http://127.0.0.1:8888/accounts
    Dec 07 16:14:20.082 phone.3567743 phone 0 [ I][18][PlatformContact:lookupByPhoneNu| 107] ContactService returns 0
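One concrete thing those slog2info lines give away is the set of loopback HTTP services the PIM stack talks to (the 127.0.0.1:8888 account service above) and which processes call them. The Python below is an added example, not the authors' code: it splits each line into its buffer-set name (process, optional app id, pid), buffer, severity and message, then builds an inventory of local endpoints per calling process. The sample is the slide's output with the wrapped lines re-joined; the rule for spotting an app id (a long base64url-looking segment just before the pid) is inferred from these lines and is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: slog2info lines from the slide, with the wrapped lines re-joined.
SAMPLE_SLOG2 = """\
Dec 07 16:14:20.041 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 [ServiceManager] refreshing accounts list
Dec 07 16:14:20.042 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Calling AccountServicePrivate::accounts for service "contacts"
Dec 07 16:14:20.044 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 MNH(93): handleAccountUpdated accountId 4
Dec 07 16:14:20.052 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 URL Buffer: http://127.0.0.1:8888/accounts/4
Dec 07 16:14:20.066 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 URL Buffer: http://127.0.0.1:8888/accounts
Dec 07 16:14:20.081 menu_service.2830447 menu_svc_logs 0 MS PIMCORE: command: GET method: /accounts URL:http://127.0.0.1:8888/accounts
Dec 07 16:14:20.082 phone.3567743 phone 0 [ I][18][PlatformContact:lookupByPhoneNu| 107] ContactService returns 0
"""

# timestamp, buffer-set name, buffer, severity, message
LINE = re.compile(r"^(\w{3} \d\d \d\d:\d\d:\d\d\.\d+) (\S+) (\S+) (\d+) (.*)$")
URL = re.compile(r"https?://[^\s\"']+")


def split_source(source: str) -> tuple:
    """'sys.pim.contacts.<appid>.28930195' -> ('sys.pim.contacts', '<appid>', 28930195).
    The name ends in the pid; an app id, when present, is the long base64url-looking
    segment before it (assumption inferred from the slide's lines)."""
    name, pid = source.rsplit(".", 1)
    proc, _, maybe_app = name.rpartition(".")
    if proc and len(maybe_app) >= 20:
        return proc, maybe_app, int(pid)
    return name, None, int(pid)


def parse_slog2(text: str) -> list:
    """Turn slog2info output into a list of dicts, one per line that matches the format."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        proc, app, pid = split_source(m.group(2))
        entries.append({"ts": m.group(1), "proc": proc, "app": app, "pid": pid,
                        "buffer": m.group(3), "severity": int(m.group(4)), "msg": m.group(5)})
    return entries


def local_endpoints(entries: list) -> dict:
    """Map every loopback URL mentioned in the log to the processes that mention it:
    a quick inventory of local HTTP services, built from logs alone."""
    seen = defaultdict(set)
    for e in entries:
        for url in URL.findall(e["msg"]):
            if url.startswith(("http://127.", "http://localhost")):
                seen[url].add(e["proc"])
    return {url: sorted(procs) for url, procs in seen.items()}


if __name__ == "__main__":
    for url, procs in local_endpoints(parse_slog2(SAMPLE_SLOG2)).items():
        print(url, "<-", ", ".join(procs))
```

On the simulator, where slog2info is readable, the same pass over a longer capture turns the "lots of network services" slide into a list of local ports worth pointing nmap and a proxy at.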

  47. Dynamic Analysis
    Debugging is a
    breeze

  48. Static Analysis
    For the things that can’t be watched

  49. Static Analysis
    Installation bundles
    • BAR format (hurr durr)
    • De-facto standard for any
    non-factory packages
    • META-INF directory
    • Code signatures and app
    info
    • “assets”
    % zipinfo -l1 ./Gooby/arm/o.le-v7/Gooby-1_0_0_1.bar
    META-INF/MANIFEST.MF
    META-INF/AUTHOR.SF
    META-INF/AUTHOR.EC
    META-INF/RDK.SF
    META-INF/RDK.EC
    native/bar-descriptor.xml
    native/icon.png
    native/assets/main.qml
    native/qm/Gooby.qm
    native/Gooby.so
    native/GoobyService
    native/assets/.assets.index

  50. Static Analysis
    MANIFEST.MF: Package Meta Info

  51. Static Analysis
    MANIFEST.MF: Application Meta Info

  52. Static Analysis
    MANIFEST.MF: Entry Point Info

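An added example (not code from the talk) of pulling the same package, application and entry-point information out of a .bar without the IDE: the archive is a zip, so Python's zipfile opens it, META-INF/MANIFEST.MF is parsed as a JAR-style key: value manifest, the AUTHOR and RDK signature pairs are checked for presence (presence only; verifying the .EC signatures would need BlackBerry's keys and is out of scope here), and every entry point is listed with the actions it requests. The file names follow the zipinfo listing on slide 49; the manifest keys in the constructed sample (Package-*, Application-*, Entry-Point-*) are assumptions for illustration, not text from the slides.

```python
import io
import zipfile

# Constructed manifest. Keys are assumptions for illustration; the entry names in the
# archive below follow the zipinfo listing on the slide.
SAMPLE_MANIFEST = """\
Archive-Manifest-Version: 1.1
Archive-Created-By: constructed example

Package-Name: com.example.Gooby
Package-Version: 1.0.0.1
Package-Type: application

Application-Name: Gooby
Application-Version: 1.0.0.1

Entry-Point-Name: Gooby
Entry-Point-Type: Qnx/Elf
Entry-Point: Gooby
Entry-Point-User-Actions: access_internet,access_shared,use_camera
Entry-Point-System-Actions: run_native

Entry-Point-Name: GoobyService
Entry-Point-Type: Qnx/Elf
Entry-Point: GoobyService
Entry-Point-User-Actions: access_internet
Entry-Point-System-Actions: run_native,run_when_backgrounded
"""

SIGNATURE_PAIRS = {"AUTHOR": ("META-INF/AUTHOR.SF", "META-INF/AUTHOR.EC"),
                   "RDK": ("META-INF/RDK.SF", "META-INF/RDK.EC")}


def parse_manifest(text: str) -> list:
    """Split a JAR-style manifest into blocks (separated by blank lines) of key: value
    pairs; a line starting with a space continues the previous value."""
    blocks, block, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if block:
                blocks.append(block)
            block, last = {}, None
        elif line[0] == " " and last:
            block[last] += line[1:]
        elif ": " in line:
            last, value = line.split(": ", 1)
            block[last] = value
    if block:
        blocks.append(block)
    return blocks


def inspect_bar(data: bytes) -> dict:
    """Summarise a .bar without installing it: signature pairs present (presence only),
    package/application identity, entry points with their requested actions, payload files."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        blocks = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
    merged = {k: v for b in blocks for k, v in b.items() if not k.startswith("Entry-Point")}
    entry_points = [
        {"name": b["Entry-Point-Name"], "type": b.get("Entry-Point-Type"),
         "binary": b.get("Entry-Point"),
         "user_actions": [a for a in b.get("Entry-Point-User-Actions", "").split(",") if a],
         "system_actions": [a for a in b.get("Entry-Point-System-Actions", "").split(",") if a]}
        for b in blocks if "Entry-Point-Name" in b]
    return {
        "package": {k: v for k, v in merged.items() if k.startswith("Package-")},
        "application": {k: v for k, v in merged.items() if k.startswith("Application-")},
        "signatures": [sig for sig, files in SIGNATURE_PAIRS.items() if all(f in names for f in files)],
        "entry_points": entry_points,
        "payload": sorted(n for n in names if not n.startswith("META-INF/")),
    }


def build_sample_bar(signed: bool = True) -> bytes:
    """Constructed .bar with the layout from the zipinfo listing; .SF/.EC bodies are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", SAMPLE_MANIFEST)
        if signed:
            for sf, ec in SIGNATURE_PAIRS.values():
                zf.writestr(sf, "Signature-Version: 1.0\n")
                zf.writestr(ec, b"\x00" * 64)   # stand-in for the signature blob
        for name in ("native/bar-descriptor.xml", "native/Gooby.so", "native/GoobyService"):
            zf.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_bar()
    info = inspect_bar(data)
    print(info["package"].get("Package-Name"), "signed by:", info["signatures"] or "nobody")
    for ep in info["entry_points"]:
        print(f"  {ep['name']} ({ep['type']}) user={ep['user_actions']} system={ep['system_actions']}")
```

The actions a package declares here are the input to the authman log shown earlier; diffing the two (declared versus actually applied) is the quickest way to find permissions that are granted without ever appearing in documentation.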

  54. Static Analysis
    Getting Firmware
    • MITM the CDN downloads
    • The “community” has built
    some good tools
    http://forums.crackberry.com/bb10-leaked-beta-os-f395/sachesi-firmware-extractor-searcher-installer-825409/

  55. Static Analysis
    Getting Into the Firmware
    • “pbtools”
    • Mount the firmware in Simulator or SDP
    • SCP the files back out
    https://github.com/intrepidusgroup/pbtools

  56. Static Analysis
    Shell Scripts
    • /base/scripts/
    • Easy to read
    • grep-fu for great
    success!
    from “startup.sh”

  57. Static Analysis
    Python: For everything
    important on BB10 that isn’t
    written in bash
    • Most of it is compiled
    Python (bytecode;
    *.pyc)
    • unpyc3.py
    https://code.google.com/p/unpyc3/

  58. Static Analysis
    ActionScript
    • Decompile with Sothink / whatever
    • Most ActionScript apps handle front-end stuff
    qnx.AIRServices.ota.OtaUpdate

  59. Static Analysis
    Compiled binaries
    • IDA cleanly disassembles
    • ARM / x86
    • Without a public root,
    disassembly might be your
    best/only bet for dorking
    with many network services

  60. Attack Surface
    http://www.harkavagrant.com/?id=250

  61. Entry Points
    Where the device accepts data

  62. IPC
    • Numerous IPC endpoints available
    • QNX channels particularly
    caught our eye
    • Wrote some horrible IPC
    scanners / fuzzers
    • Problem: not always sure WTF is
    on the other end of a channel
    (or able to attach to channel but
    unable to send)
    • Also DoS’d/froze device multiple
    times during mass channel
    scans
    $ ./scanchan.py 643092
    Could not find platform independent libraries
    Consider setting $PYTHONHOME to [:]
    [+] PID: 643092 - Connected to channel: 2
    [-] PID: 643092 - Error for channel 6: [Errno 1] Operation not permitted
    $ ./fchan1.py 1019928 16
    [+] PID: 1019928 - Connected to channel: 16
    (48, b"AAAAAAAAAAAAAAAA(coid, b'Hello!')\n c\x01\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x02\x00\x00\x00O\x00\x00\x00s\x16\x00\x00\x00|\x01\x00|\x00\x00_\x00\x00|\x02\x00|\x00\x00_\x01\x00d\x00\x00S(\x01\x00\x00\x00N(\x02\x00\x00\x00u\x04\x00\x00\x00argsu\x06\x00\x00\x00…

  63. Network Services
    • Samba!
    • WWW!
    • WebDAV!
    • Proxies!
    • SSH!
    • Other stuff!

  64. Network Services
    Local-hosted CGI
    scripts are used for
    device management
    “stuff”
    • Backup & restore
    • Application installation
    • Device reset
    • Limited logging control
    • Limited PIM management
    • Enterprise registration
    • Etc

  65. WiFi
    • Many device management
    functions happen over HTTP/
    SMB with the option of
    operating over WiFi
    • Handset acts as a UPnP
    gateway
    • There are some real
    problematic areas observable
    over WiFi

  66. USB
    • Mass storage? Nay,
    Ethernet!
    • Similar to WiFi
    (WWW/SMB), with
    additional
    capabilities

  67. Bluetooth
    BlackBerry “Bridge” / SapphireProxy
    • Tether your handset to your
    tablet
    • SapphireProxy (get it?)
    • WebDAV
    • HTTP proxy
    • Protected by pf
    This service has had
    problems in the past… *
    * Barely recognizable BattleStar reference

  68. NFC
    It works and there are no security problems?
    • Haven’t really
    explored this
    ourselves.
    • Biggest concern
    likely bad NDEF
    message parsing by
    3rd party native
    apps

  69. Local Application
    • Malware / Client-
    side attacks
    • Insufficient controls
    on sensitive local
    file and network
    resources
    • Privilege
    escalations are like
    gold

  70. Balance
    • An attempt at solving BYOD
    • “Perimeters” manage the
    separation between personal
    and enterprise applications,
    data, and network resources
    • Enterprise perimeter security is
    controlled by BES and
    enforced locally

  71. Balance
    Concerned Consumer:
    Sounds great. How does it work?
    I am familiar with the iOS security
    model and might expect to see
    some sort of sandboxing
    technology to enforce this
    separation.

  72. Balance
    RIM:
    I don’t want to say that it’s
    all based on file
    permissions…
    …but it’s all based on file
    permissions

  73. TODO
    • Further (re-)exploration of...
    • authman
    • system IPC endpoints
    • Balance
    • Android support
    • Radio (NFC, Cell/BB, BT)
    • HDMI, USB

  74. Questions / Contact
    • https://twitter.com/quine
    • https://twitter.com/bnull