Presentation is exploratory • Research is on-going • Focused mostly on methodology, less on findings • Feel free to chat after (since we may run out of time) • Title is because stereotypical Canadians apologize for everything
on BB PlayBook • Discovered AuthZ token disclosure for Bridge/Balance (steal all the corporate data) • RE’d firmware • Mirrored all of AppWorld (steal all the premium apps) • And more...
exec*() / spawn*() and open AF_INET sockets unfettered (no permissions required) • Still true in BB10, but (even detached) child processes are killed when the app/parent ends • “Headless Apps” allow for background services, but special permissions are required • Granting of permissions is contingent upon approval from the RIM/BB signing service
and process manager - procnto • Separation of network, I/O, HMI, etc. into separate components • Messaging layer provides IPC (QNX message passing + POSIX IPC abstraction) • Previous public bugs disclosed by Ilja van Sprundel, Tim Brown, Julio Cesar Fort, cenobite, and others
prompt, deny) • Sets FACLs on filesystem objects based on app permission requested • Also sets process capabilities for certain permission types (e.g. “Headless apps”)
separate GIDs (incl. supplemental GIDs) • Apps have separate data stores/”sandboxes” • With Balance/corporate separation, additional data stores • Production apps are signed by BB/RIM signing server
Consult paper • Works by RPW, Tim Brown, Julio Cesar Fort, etc. • Not a ton of stuff out there https://www.sec-consult.com/fxdata/seccons/prod/downloads/sec_consult_vulnerability_lab_blackberry_z10_initial_analysis_v10.pdf
and running as quickly as possible! Lots of SDK stuff, including a native SDK, giving us: • libc, libcurl, OpenSSL, V8, and tons more • Easy cross-compilation
Gives us something similar to the real thing • We can have root access* • Access to tools relevant to the real thing • MDS Simulator • It’s like the non-official “platform” debug tool • A fully accessible QNX environment * - with a bit of work
caught our eye • Wrote some horrible IPC scanners / fuzzers • Problem: not always sure WTF is on the other end of a channel (or able to attach to channel but unable to send) • Also DoS’d/froze device multiple times during mass channel scans
$ ./scanchan.py 643092
Could not find platform independent libraries <prefix>
Consider setting $PYTHONHOME to <prefix>[:<exec_prefix>]
[+] PID: 643092 - Connected to channel: 2
[-] PID: 643092 - Error for channel 6: [Errno 1] Operation not permitted
$ ./fchan1.py 1019928 16
[+] PID: 1019928 - Connected to channel: 16
(48, b"AAAAAAAAAAAAAAAA(coid, b'Hello!')\n c \x01\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x02\x00\x00\x00O\x00\x00\x00s\x16\x00\x00\x00|\x01\x00| \x00\x00_\x00\x00|\x02\x00|\x00\x00_\x01\x00d \x00\x00S(\x01\x00\x00\x00N(\x02\x00\x00\x00u \x04\x00\x00\x00argsu\x06\x00\x00\x00…
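The channel-scanning approach behind scanchan.py/fchan1.py, written out as an added example (this is not the talk's own tool, and it covers both the QNX message-passing layer described earlier and the scanner output above). It binds ConnectAttach()/ConnectDetach()/MsgSend() from libc via ctypes using the signatures documented in sys/neutrino.h, walks channel IDs for one PID and classifies each as open, EPERM (refused) or ESRCH (no such channel); the ND_LOCAL_NODE and _NTO_SIDE_CHANNEL values are assumed from the QNX headers. Those bindings only load on QNX/BB10, so the scan and probe logic take the attach/send/detach callables as parameters and can be exercised with fakes on any host. Sending a probe is a separate, opt-in step: MsgSend() blocks until the server replies, and a server that never replies is one way a mass scan hangs the device, as noted above, which is also why the scan has a throttle and an early-stop option.

```python
"""QNX channel scanner (added example, not the talk's scanchan.py/fchan1.py).

Walks channel IDs for a target PID with ConnectAttach() and reports which
channels accept a connection (open), refuse it (EPERM) or do not exist
(ESRCH). probe_channel() optionally sends one message with MsgSend().
"""
import ctypes
import errno
import os
import sys
import time
from typing import Callable, Dict, Tuple

# Assumed from sys/neutrino.h (QNX 6.x): the local node id, and the index flag
# ConnectAttach() uses so connection ids do not collide with file descriptors.
ND_LOCAL_NODE = 0
NTO_SIDE_CHANNEL = 0x40000000

AttachFn = Callable[[int, int], int]                # (pid, chid) -> coid, raises OSError
DetachFn = Callable[[int], None]                    # (coid)
SendFn = Callable[[int, bytes], Tuple[int, bytes]]  # (coid, msg) -> (status, reply)


def qnx_bindings() -> Tuple[AttachFn, DetachFn, SendFn]:
    """ctypes wrappers around the real QNX calls; only loads on QNX/BB10."""
    libc = ctypes.CDLL(None, use_errno=True)
    libc.ConnectAttach.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_int,
                                   ctypes.c_uint, ctypes.c_int]
    libc.ConnectAttach.restype = ctypes.c_int
    libc.ConnectDetach.argtypes = [ctypes.c_int]
    libc.ConnectDetach.restype = ctypes.c_int
    libc.MsgSend.argtypes = [ctypes.c_int, ctypes.c_char_p, ctypes.c_size_t,
                             ctypes.c_void_p, ctypes.c_size_t]
    libc.MsgSend.restype = ctypes.c_long

    def _raise_errno() -> None:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))

    def attach(pid: int, chid: int) -> int:
        coid = libc.ConnectAttach(ND_LOCAL_NODE, pid, chid, NTO_SIDE_CHANNEL, 0)
        if coid == -1:
            _raise_errno()
        return coid

    def detach(coid: int) -> None:
        libc.ConnectDetach(coid)

    def send(coid: int, msg: bytes, reply_len: int = 256) -> Tuple[int, bytes]:
        # Blocks until the server calls MsgReply(); a server that never replies
        # leaves this thread REPLY-blocked, so only probe channels deliberately.
        reply = ctypes.create_string_buffer(reply_len)
        status = libc.MsgSend(coid, msg, len(msg), reply, reply_len)
        if status == -1:
            _raise_errno()
        return status, reply.raw

    return attach, detach, send


def scan_channels(pid: int, max_chid: int, attach: AttachFn, detach: DetachFn,
                  delay: float = 0.0, stop_after_missing: int = 0) -> Dict[int, str]:
    """Map chid -> 'open' or the errno name ConnectAttach() failed with.

    delay throttles the scan (mass scans froze the device); stop_after_missing,
    when non-zero, ends the scan after that many consecutive ESRCH results.
    """
    results: Dict[int, str] = {}
    missing_run = 0
    for chid in range(1, max_chid + 1):
        try:
            coid = attach(pid, chid)
        except OSError as exc:
            name = errno.errorcode.get(exc.errno, str(exc.errno))
            results[chid] = name
            missing_run = missing_run + 1 if name == "ESRCH" else 0
            if stop_after_missing and missing_run >= stop_after_missing:
                break
        else:
            results[chid] = "open"
            missing_run = 0
            detach(coid)  # never leave stray connections on the target
        if delay:
            time.sleep(delay)
    return results


def probe_channel(pid: int, chid: int, msg: bytes, attach: AttachFn,
                  detach: DetachFn, send: SendFn) -> Dict[str, object]:
    """Attach and send one message; report whether the send was accepted."""
    coid = attach(pid, chid)
    try:
        status, reply = send(coid, msg)
        return {"sent": True, "status": status, "reply": reply}
    except OSError as exc:
        # Attached but cannot send: the "able to attach but unable to send" case.
        return {"sent": False, "errno": errno.errorcode.get(exc.errno, str(exc.errno))}
    finally:
        detach(coid)


def summarize(results: Dict[int, str]) -> Dict[str, int]:
    """Count channels per outcome, e.g. {'open': 1, 'EPERM': 1, 'ESRCH': 6}."""
    counts: Dict[str, int] = {}
    for outcome in results.values():
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


if __name__ == "__main__":
    # usage: python3 scan_example.py <pid> [max_chid]   (QNX/BB10 only)
    target = int(sys.argv[1])
    limit = int(sys.argv[2]) if len(sys.argv) > 2 else 64
    q_attach, q_detach, _q_send = qnx_bindings()
    for cid, outcome in scan_channels(target, limit, q_attach, q_detach, delay=0.05).items():
        print(f"[{'+' if outcome == 'open' else '-'}] PID: {target} - channel {cid}: {outcome}")
```

EPERM versus ESRCH is the useful distinction when mapping a process: ESRCH means the channel id is simply not in use, while EPERM means a channel exists and the kernel (or the server's channel flags) refused the connection, which is worth a closer look.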
(get it?) • WebDAV • HTTP proxy • Protected by pf (packet filter) • BlackBerry “Bridge” / SapphireProxy • This service has had problems in the past… *
* Barely recognizable BattleStar reference
the separation between personal and enterprise applications, data, and network resources • Enterprise perimeter security is controlled by BES and enforced locally