No Apology Required: Deconstructing BB10

Transcript

1. No Apology Required
   Deconstructing BB10
   CanSecWest 2014
   

   View Slide

2. Introduction
   • Body Level One
   • Body Level Two
   • Body Level Three
   • Body Level Four
   • Body Level
   • Presentation is exploratory
   • Research is on-going
   • Focused mostly on
   methodology, less on
   findings
   • Feel free to chat after
   (since we may run out of
   time)
   • Title is because
   stereotypical Canadians
   apologize for everything
   

   View Slide

3. Introduction
   • Body Level One
   • Body Level Two
   • Body Level Three
   • Body Level Four
   • Body Level
   • Presentation is exploratory
   • Research is on-going
   • Focused mostly on
   methodology, less on
   findings
   • Feel free to chat after
   (since we may run out of
   time)
   • Title is because
   stereotypical Canadians
   apologize for everything
   

   View Slide

4. Introduction
   Ben Nell

   bNull

   Sr. Security Consultant

   Accuvant Labs
   Zach Lanier

   quine

   Sr. Security Researcher

   Duo Security
   Presentation foul:

   <--- mixing memes --->
   

   View Slide

5. Why this matters
   

   View Slide

6. Why this matters
   

   View Slide

7. Why this matters
   You’re an appsec consultant and your
   customer asks you if BlackBerry Balance
   solves BYOD
   

   View Slide

8. Agenda
   • Previous Research
   • Platform Overview
   • Methodology
   • Attack Surface
   • Future Work
   

   View Slide

9. Previous Research
   

   View Slide

10. Our PlayBook stuff
    • Targeted predecessor of BB10
    — TabletOS on BB PlayBook
    • Discovered AuthZ token
    disclosure for Bridge/Balance
    (steal all the corporate data)
    • RE’d firmware
    • Mirrored all of AppWorld (steal
    all the premium apps)
    • And more...
    

    View Slide

11. Our PlayBook stuff (cont’d)
    • Discovered that native apps
    can exec*() / spawn*() and
    open AF_INET sockets
    unfettered (no perm’s req’d)
    • Still true in BB10, but (even
    detached) child procs killed
    when app/parent ends
    • “Headless Apps” allow for
    background services, but
    special perms required
    • Granting of perms is
    contingent upon approval
    from RIM/BB signing
    service
    

    View Slide

12. Others
    • Julio Cesar Fort’s QNX
    research
    • SEC Consult BB10 paper
    • RPW’s BB10 preso (BH
    USA ’13)
    • Tim Brown’s various
    QNX/TabletOS/BB10
    works
    

    View Slide

13. Platform Overview
    

    View Slide

14. Overview
    • ARM-based SoCs (Z10, Q10, and Z30
    all Snapdragon S4 SoC)
    • BB10 (based on QNX Neutrino RTOS
    8.0.0)
    • Major components (as of 10.2.1.1925):
    • WebKit (537.10 / 10.2.1.66)
    • Adobe Flash (11.1.121.199)
    • Adobe AIR (3.1.0.230)
    • BlackBerry Balance (isolated,
    corporate PIM)
    

    View Slide

15. QNX
    • Microkernel, only truly trusted
    component
    • Userspace kernel and
    process manager - procnto
    • Separation of network,

    I/O, HMI, etc. into separate
    components
    • Messaging layer provides
    IPC (QNX message passing
    + POSIX IPC abstraction)
    • Prev. public bugs disclosed
    by Ilja van Sprundel, Tim
    Brown, Julio Cesar Fort,
    cenobite, and others
    

    View Slide

16. Security Controls / Mitigations
    • OpenBSD NetBSD pf
    • POSIX (filesystem) ACLs
    • Compiler & linker protections for native
    apps
    • Usual suspects: XN, ASLR, ProPolice,
    PIE + full RELRO
    

    View Slide

17. QDE/Momentics default build options
    

    View Slide

18. Security Features
    • Blackberry Balance
    • Encrypted, FACL’d “container”
    • a.k.a. “perimeter”
    • BES policy enforcements
    • DISA STIGs guide these
    

    View Slide

19. authman & permissions
    • authman service - maps app permissions
    to system resources
    • Filesystem permissions + POSIX ACLs, PF
    rules
    • Shell script and Python glue to bind it all
    together
    

    View Slide

20. authman & permissions
    • /dev/authman: resource manager “dispatch”
    path (QNX IPC endpoint)
    • /etc/authman: configs
    • Pair of files (".res" & ".acl"), named for profile type
    

    View Slide

21. authman & permissions
    • Controls access to
    app permissions
    (allow, prompt, deny)
    • Sets FACLs on
    filesystem objects
    based on app
    permission requested
    • Also sets process
    capabilities for certain
    permission types (e.g.
    “Headless apps”)
    

    View Slide

22. authman & pf
    • authman handles
    setting up (app)
    GID:rule mapping
    • Ex: limiting access
    to SapphireProxy
    (for BB Bridge) on
    127.0.0.2
    

    View Slide

23. Dec 06 01:53:04 5 41 0 authman: RX euid=89/egid=0, 'defapp ext __def personal dual 100001000 100001000
    sys.browser.gYABgJYFHAzbeFMPCCpYWBtHAm0 "Browser" "Research In Motion Limited" "gYAAgNpMbwE-h
    W4khx0h8BidUeI" run_when_backgrounded manage_certificates access_location_services use_camera record_audio access_shared access_internet
    post_notification gain_oma_fl_group access_oma_fl_write_personal acce
    ss_oma_fl_write_enterprise access_bbjma_data access_carrier_browser access_cclagent_service use_certmgr_server access_wifi_limited run_native
    permanent access_perimeter_personal'
    Dec 06 01:53:04 5 41 0 authman: Requested caps:
    Dec 06 01:53:04 5 41 0 authman: req:Allow execute
    Dec 06 01:53:04 5 41 0 authman: Applying execute
    Dec 06 01:53:04 5 41 0 authman: pf_remove_gid: scanning anchors for gid=100001000
    Dec 06 01:53:04 5 41 0 authman: Requested caps:
    Dec 06 01:53:04 5 41 0 authman: req:Allow run_when_backgrounded
    Dec 06 01:53:04 5 41 0 authman: req:Allow manage_certificates
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_location_services
    Dec 06 01:53:04 5 41 0 authman: req:Allow use_camera
    Dec 06 01:53:04 5 41 0 authman: req:Allow record_audio
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_shared
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_internet
    Dec 06 01:53:04 5 41 0 authman: req:Allow gain_oma_fl_group
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_oma_fl_write_personal
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_oma_fl_write_enterprise
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_bbjma_data
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_carrier_browser
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_cclagent_service
    Dec 06 01:53:04 5 41 0 authman: req:Allow use_certmgr_server
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_wifi_limited
    Dec 06 01:53:04 5 41 0 authman: req:Allow run_native
    Dec 06 01:53:04 5 41 0 authman: req:Allow permanent
    Dec 06 01:53:04 5 41 0 authman: req:Allow access_perimeter_personal
    Dec 06 01:53:04 5 41 0 authman: Applying run_when_backgrounded
    Dec 06 01:53:04 5 41 0 authman: Applying manage_certificates
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/certmgr/control
    Dec 06 01:53:04 5 41 0 authman: Applying access_location_services
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_cell_cdma_private
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_cell_private
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_private
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/radioctrl/modem0/status_private
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/geomonitor/control
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=050, /pps/services/geolocation/geomonitor
    Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/control
    “Capabilities” based
    on permissions
    ACLs based on
    permissions
    pf rule(s)
    output from sloginfo (tool to print system log)
    

    View Slide

24. PPS
    • “Persistent Publish / Subscribe”
    • Implemented by pps manager process
    • Simple interface for sharing data,
    notifications/eventing via filesystem objects
    

    View Slide

25. IPC
    • IPC is key in QNX
    • “Message passing” & signals implemented
    in microkernel
    • Other IPC (POSIX-compatible) mechanisms
    implemented by manager processes
    Message passing
    Shared memory Pipes FIFOs
    Message copying Simple messages Channels
    Events
    (pulses, signals,
    unblocks)
    Typed memory
    Signals
    Kernel
    Kernel
    External
    process/manager
    

    View Slide

26. Application Model
    • Native
    • WebWorks / Cordova
    • Adobe AIR
    • Android
    C/C++
    Flash/AS/
    HTML/JS
    HTML/JS
    Java/DEX
    20 app perms documented 340 unique app & sys perms observed
    

    View Slide

27. Application Model
    • App processes run with same UIDs, but separate
    GIDs (incl. supplemental GIDs)
    • Apps have separate data stores/”sandboxes”
    • With Balance/corporate separation, additional data
    stores
    • Production apps are signed by BB/RIM signing server
    

    View Slide

28. Our Approach to the
    Platform
    meth·od·ol·o·gy
    / ˌmeTHəәˈdäləәjē/
    ( )
    

    View Slide

29. Testing Limitations
    

    View Slide

30. Testing Limitations
    • General lack of enthusiasm for BB10 as a
    target
    • General lack of public information about
    the system
    • Effective security controls
    • We’re left looking at a black box
    

    View Slide

31. OSINT
    Just ask the internet!
    

    View Slide

32. OSINT
    Existing previous work
    • Our PlayBook work
    • SEC Consult paper
    • Works by RPW, Tim Brown,
    Julio Cesar Fort, etc.
    • Not a ton of stuff out there
    https://www.sec-consult.com/fxdata/seccons/prod/downloads/sec_consult_vulnerability_lab_blackberry_z10_initial_analysis_v10.pdf
    

    View Slide

33. OSINT
    QNX Foundry
    • Man pages for QNXisms
    • Downloads
    • Forums
    • Wiki
    • Google dorks are
    golden…
    

    View Slide

34. OSINT
    Speaking of Google dorks…
    

    View Slide

35. OSINT
    Some random RIM employee’s file dump?
    Upcoming product feature assessment
    hardware
    code names
    Upcoming project effort estimations/ release dates
    

    View Slide

36. OSINT
    • Body Level One
    • Body Level Two
    • Body Level Three
    • Body Level Four
    • Body Level Five
    Some random RIM employee’s file dump?
    Internal bug tracker
    internal URL
    

    View Slide

37. OSINT
    Some random RIM employee’s file dump?
    Pre-release BB10 developer image for
    Winchester/PlayBook
    

    View Slide

38. Dynamic Analysis
    Watch it work and try to understand “why”
    

    View Slide

39. Dynamic Analysis
    RIM wants to get your hacking^Wdevelopment

    projects up and running as quickly as possible!
    Lots of SDK stuff, including a native SDK, giving us:
    • libc, libcurl, OpenSSL, V8,
    and tons more
    • Easy cross-compilation
    

    View Slide

40. Dynamic Analysis
    Development Tools Sample code
    

    View Slide

41. Dynamic Analysis
    Momentics target navigator
    Proc/thread mem info
    FS nav, etc.
    Controller app
    Controls NFC, Camera,
    geoloc, etc. for Simulator
    

    View Slide

42. Dynamic Analysis
    • Momentics provides QNX-specific versions/
    builds of the typical toolchain
    • gdb
    • also objdump, nm, readelf, gcc, etc.
    

    View Slide

43. Dynamic Analysis
    Blackberry Simulator QNX Software Dev Platform (SDP)
    • Gives us something similar
    to the real thing
    • We can have root access*
    • Access to tools relevant to
    the real thing
    • MDS Simulator
    • It’s like the non-official
    “platform” debug tool
    • A fully accessible QNX
    environment
    * - with a bit of work
    

    View Slide

44. Dynamic Analysis
    Just another box on the network
    • Testing harness
    • Wireshark
    • Proxy (Burp and
    friends)
    • nmap
    • Various fizzers
    • Custom stuff
    

    View Slide

45. Dynamic Analysis
    There are lots of network services
    BB10 network
    services
    

    View Slide

46. View Slide

47. Dynamic Analysis
    • Unsurprisingly, logs => info
    • slogger (app event logger) and slogger2 (system event logger)
    • Readable on simulator with sloginfo and slog2info
    • slog* devices not readable on device :(
    Dec 07 16:14:20.041 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 [ServiceManager] refreshing accounts list
    Dec 07 16:14:20.042 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Calling AccountServicePrivate::accounts
    for service "contacts"
    Dec 07 16:14:20.042 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Calling AccountServicePrivate::accounts
    Dec 07 16:14:20.044 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 MNH(93): handleAccountUpdated
    accountId 4
    Dec 07 16:14:20.045 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 Calling AccountServicePrivate::account
    for AccountKey = 4
    Dec 07 16:14:20.052 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 GET 0x13
    Dec 07 16:14:20.052 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 URL Buffer: http://127.0.0.1:8888/
    accounts/4
    Dec 07 16:14:20.066 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 GET 0x1
    Dec 07 16:14:20.066 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 URL Buffer: http://127.0.0.1:8888/
    accounts
    Dec 07 16:14:20.072 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 Curl Easy perform
    Dec 07 16:14:20.080 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Curl Easy perform
    Dec 07 16:14:20.081 menu_service.2830447 menu_svc_logs 0 MS PIMCORE: command: GET method: /accounts URL:http://
    127.0.0.1:8888/accounts
    Dec 07 16:14:20.082 phone.3567743 phone 0 [ I][18][PlatformContact:lookupByPhoneNu| 107] ContactService returns 0
    

    View Slide

48. Dynamic Analysis
    Debugging is a
    breeze
    

    View Slide

49. Target
    Host
    

    View Slide

50. Fuzzing…
    

    View Slide

51. Static Analysis
    For the things that can’t be watched
    

    View Slide

52. Static Analysis
    Installation bundles
    • BAR format (hurr durr)
    • De-facto standard for any
    non-factory packages
    • META-INF directory
    • Code signatures and app
    info
    • “assets”
    % zipinfo -l1 ./Gooby/arm/o.le-v7/Gooby-1_0_0_1.bar
    META-INF/MANIFEST.MF
    META-INF/AUTHOR.SF
    META-INF/AUTHOR.EC
    META-INF/RDK.SF
    META-INF/RDK.EC
    native/bar-descriptor.xml
    native/icon.png
    native/assets/main.qml
    native/qm/Gooby.qm
    native/Gooby.so
    native/GoobyService
    native/assets/.assets.index
    

    View Slide

53. Static Analysis
    MANIFEST.MF: Package Meta Info
    

    View Slide

54. Static Analysis
    MANIFEST.MF: Application Meta Info
    

    View Slide

55. Static Analysis
    MANIFEST.MF: Entry Point Info
    

    View Slide

56. Static Analysis
    MANIFEST.MF: Entry Point Info
    

    View Slide

57. Static Analysis
    Getting Firmware
    • MITM the CDN downloads
    • The “community” has built
    some good tools
    http://forums.crackberry.com/bb10-leaked-beta-os-f395/sachesi-firmware-extractor-searcher-installer-825409/
    

    View Slide

58. Static Analysis
    Getting Into the Firmware
    • “pbtools”
    • Mount the firmware in Simulator or SDP
    • SCP the files back out
    https://github.com/intrepidusgroup/pbtools
    

    View Slide

59. Static Analysis
    Shell Scripts
    • /base/scripts/
    • Easy to read
    • grep-fu for great
    success!
    from “startup.sh”
    

    View Slide

60. Static Analysis
    Python: For everything
    important on BB10 that isn’t
    written in bash
    • Most of it is compiled
    Python (bytecode;
    *.pyc)
    • unpyc3.py
    https://code.google.com/p/unpyc3/
    

    View Slide

61. Static Analysis
    ActionScript
    • Decompile with Sothink / whatever
    • Most ActionScript apps handle front-end stuff
    qnx.AIRServices.ota.OtaUpdate
    

    View Slide

62. Static Analysis
    Compiled binaries
    • IDA cleanly disassembles
    • ARM / x86
    • Without a public root,
    disassembly might be your
    best/only bet for dorking
    with many network services
    

    View Slide

63. Attack Surface
    http://www.harkavagrant.com/?id=250
    

    View Slide

64. Entry Points
    Where the device accepts data
    

    View Slide

65. IPC
    • Numerous IPC endpoints available
    • QNX channels particularly
    caught our eye
    • Wrote some horrible IPC
    scanners / fuzzers
    • Problem: not always sure WTF is
    on the other end of a channel
    (or able to attach to channel but
    unable to send)
    • Also DoS’d/froze device multiple
    times during mass channel
    scans
    $ ./scanchan.py 643092
    Could not find platform independent libraries
    Consider setting $PYTHONHOME to [:]
    [+] PID: 643092 - Connected to channel: 2
    [-] PID: 643092 - Error for channel 6: [Errno 1] Operation not permitted
    $ ./fchan1.py 1019928 16
    [+] PID: 1019928 - Connected to channel: 16
    (48, b"AAAAAAAAAAAAAAAA(coid, b'Hello!')\n c
    \x01\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x02\x0
    0\x00\x00O\x00\x00\x00s\x16\x00\x00\x00|\x01\x00|
    \x00\x00_\x00\x00|\x02\x00|\x00\x00_\x01\x00d
    \x00\x00S(\x01\x00\x00\x00N(\x02\x00\x00\x00u
    \x04\x00\x00\x00argsu\x06\x00\x00\x00…
    

    View Slide

66. Network Services
    • Samba!
    • WWW!
    • WebDAV!
    • Proxies!
    • SSH!
    • Other stuff!
    

    View Slide

67. Network Services
    Local-hosted CGI
    scripts are used for
    device management
    “stuff”
    • Backup & restore
    • Application installation
    • Device reset
    • Limited logging control
    • Limited PIM management
    • Enterprise registration
    • Etc
    

    View Slide

68. WiFi
    • Many device management
    functions happen over HTTP/
    SMB with the option of
    operating over WiFi
    • Handset acts as an UPnP
    gateway
    • There are some real
    problematic areas observable
    over WiFi
    

    View Slide

69. USB
    • Mass storage? Nay,
    Ethernet!
    • Similar to WiFi
    (WWW/SMB), with
    additional
    capabilities
    

    View Slide

70. Bluetooth
    • Tether your handset to your
    tablet
    • SapphireProxy (get it?)
    • WebDAV
    • HTTP proxy
    • Protected by pf
    BlackBerry “Bridge” /
    SapphireProxy
    This service has had
    problems in the past… *
    * Barely recognizable BattleStar reference
    

    View Slide

71. NFC
    It works and there are no security problems?
    • Haven’t really
    explored this
    ourselves.
    • Biggest concern
    likely bad NDEF
    message parsing by
    3rd party native
    apps
    

    View Slide

72. Local Application
    • Malware / Client-
    side attacks
    • Insufficient controls
    on sensitive local
    file and network
    resources
    • Privilege
    escalations are like
    gold
    

    View Slide

73. Balance
    • An attempt at solving BYOD
    • “Perimeters” manage the
    separation between personal
    and enterprise applications,
    data, and network resources
    • Enterprise perimeter security is
    controlled by BES and
    enforced locally
    

    View Slide

74. Balance
    Concerned Consumer:
    Sounds great. How does it work?
    I am familiar with the iOS security
    model and might expect to see
    some sort of sandboxing
    technology to enforce this
    separation.
    

    View Slide

75. Balance
    RIM:
    I don’t want to say that it’s
    all based on file
    permissions…
    …but it’s all based on file
    permissions
    

    View Slide

76. Future Work
    

    View Slide

77. TODO
    • Further (re-)exploration of...
    • authman
    • system IPC endpoints
    • Balance
    • Android support
    • Radio (NFC, Cell/BB, BT)
    • HDMI, USB
    

    View Slide

78. Conclusion
    

    View Slide

79. Questions / Contact
    • https://twitter.com/quine

    [email protected]

    [email protected]

    • https://twitter.com/bnull

    [NO_EMAIL_PROVIDED]
    <--shameless plug
    

    View Slide