Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Voight-Kampff'ing The BlackBerry PlayBook (v1)

Zach Lanier
January 12, 2012

Voight-Kampff'ing The BlackBerry PlayBook (v1)

"Voight-Kampff'ing The BlackBerry PlayBook", presented by Zach Lanier and Ben Nell at INFILTRATE 2012 (http://www.infiltratecon.com/speakers.html#lanier)

Zach Lanier

January 12, 2012
Tweet

More Decks by Zach Lanier

Other Decks in Research

Transcript

  1. Voight-Kampff'ing
    The BlackBerry PlayBook
    Zach Lanier and Ben Nell
    1

    View full-size slide

  2. Introduction
    Zach Lanier
    Principal Consultant
    Ben Nell
    Consultant
    2

    View full-size slide

  3. Why this matters
    • New, different platform
    • PlayBook targets enterprises
    • Designed to separate “personal” apps/data
    from “corporate” apps/data
    3
    ...and we can steal that corporate data

    View full-size slide

  4. Agenda
    • Platform Overview
    • Application Overview
    • Methodology
    • Research Findings
    • Additional Considerations
    4

    View full-size slide

  5. “He say you Blade
    Runner...”
    • Deckard hunts Replicants
    (he’s an *android killer*)
    • PlayBook codename =
    “Deckard”
    • Voight-Kampff machine
    for interrogation
    • Hence the theme
    5

    View full-size slide

  6. Platform Overview
    6

    View full-size slide

  7. Platform Overview
    • TI OMAP4430 (dual-core ARM Cortex A9)
    • TabletOS (based on QNX Neutrino RTOS v6.6)
    • Major components:
    • WebKit (534.11 / Safari 7.1.0.7)
    • Adobe Flash (11.1)
    • Adobe AIR (3.1)
    • BlackBerry Bridge (connects to BB handheld for sync’ing
    email, contacts, calendar, etc.)
    • Use case: corporate user with existing BB handset
    7

    View full-size slide

  8. QNX
    • Microkernel, only truly
    trusted component
    • Separation of network, I/O,
    HMI, etc. into separate
    components
    • Trusted boot process
    • ASLR
    8

    View full-size slide

  9. Dingleberry
    • PlayBook jailbreak / root
    privesc released in Dec. 2011
    • Discovered by @xpvqs and
    @neuralic, packaged by
    @cmwdotme
    • Issue (tl;dr): backups aren’t
    signed; jailbreak process
    creates custom backup,
    restores overwriting
    smb.conf; Samba then
    executes scripts as root
    9

    View full-size slide

  10. Security Controls
    • OpenBSD pf
    • POSIX (filesystem) ACLs
    • Compiler & linker protections for native
    apps
    • ProPolice, PIE, full RELRO
    • ASLR
    10

    View full-size slide

  11. PPS
    • “Persistent Publish / Subscribe”
    • Simple interface for sharing data, notifications via filesystem
    objects
    • Example: monitoring network interface state
    11

    View full-size slide

  12. authman & permissions
    • authman service - maps app permissions to
    system resources
    • Filesystem permissions + POSIX ACLs, PF
    rules
    • Shell script and Python glue to bind it all
    together
    12

    View full-size slide

  13. authman & permissions
    • /etc/authman: configs
    • Pair of files (".res" &
    ".acl"), named for profile
    type
    • carrier.acl?
    • /dev/authman: resource
    manager “dispatch” path
    13

    View full-size slide

  14. authman & permissions
    • Controls access to app
    permissions (allow,
    prompt, deny)
    • Sets FACLs on
    filesystem objects based
    on app permission
    requested
    14

    View full-size slide

  15. authman & pf
    • authman handles setting
    up (app) GID:rule
    mapping
    • Ex: limiting access to
    SapphireProxy (for BB
    Bridge) on 127.0.0.2
    15

    View full-size slide

  16. Application Overview
    16

    View full-size slide

  17. PlayBook applications
    • BlackBerry + JAR = ???
    • Normal JAR structures
    • Entry point
    • AIR and ELF / Dalvik and Python
    17

    View full-size slide

  18. PlayBook applications
    • Native applications
    • Entry points interpreted as shell commands
    • ENV variables, shell scripts, etc
    • AIR applications
    • Interface compiled libraries (i.e. UI stuff)
    • Can be packaged with ELF libraries
    18

    View full-size slide

  19. App Permissions
    Documented (8) Observed (48)
    19

    View full-size slide

  20. Side Note: Adobe
    Reader
    • permiter_corp?
    • run_air_native?
    20

    View full-size slide

  21. Methodology
    21

    View full-size slide

  22. Development mode
    • SDK tools / side-load
    applications
    • Unprivileged shell access
    • Automatic session
    expiration
    22

    View full-size slide

  23. Development mode
    • “appInstaller.cgi”
    • Install / launch apps
    • Enumerate apps
    • Terminate apps
    23

    View full-size slide

  24. Development mode
    • “qconnDoor”
    • Limited SSH
    access
    • Private key
    authentication
    24

    View full-size slide

  25. Exploring TabletOS
    • QNX Software Dev
    Platform (SDP)
    • PlayBook Simulator
    • Wealth of QNX
    documentation
    • Firmware images
    • SDK / NDK
    • Source code?
    25

    View full-size slide

  26. Research Findings
    26

    View full-size slide

  27. System updates
    • Signed packages (SHA1, SHA256, SHA512)
    • Three stage process:
    • Poll available update bundles (HTTPS)
    • Request download info for a specific
    bundle (HTTPS)
    • Download and install individual packages
    (HTTP)
    27

    View full-size slide

  28. Poll available bundles
    Bundle request
    28

    View full-size slide

  29. System updates:
    So what?
    • Control the version of software running on
    a device
    • Extract TabletOS file system
    • Reverse engineer system stuff
    • Diff changes between versions
    29

    View full-size slide

  30. System updates:
    MITM
    • x.509 checks were not originally enforced
    • 1.0.1
    • 1.0.3
    • Downgrades probably not possible
    • Control version of out-of-the-box devices
    • Cannot be fixed in a software update
    30

    View full-size slide

  31. System updates:
    MITM
    31
    (obviously)

    View full-size slide

  32. System updates:
    OOB bundle download
    • Available bundle versions
    • “X-Encryption-Id”
    • package_get.py
    • Brute-forcing unreleased versions?
    32

    View full-size slide

  33. Firmware reversing
    • BAR package
    qcfm-os-factory-.bwrap.signed
    • Interesting-looking binary glob
    • Raw partitions?
    • File carving?
    • MFCQ/QCFP headers?
    33

    View full-size slide

  34. QNX SDP
    • QNX SDP
    • Examining known-good QNX6 partitions
    • Magic bytes
    • “chkqnx6fs”
    34

    View full-size slide

  35. Firmware reversing
    • Ok, valid partition headers. Carve them?
    • Geometry?
    • Block size / count?
    • Examining QNX6 partitions more closely...
    35

    View full-size slide

  36. QNX6 partition superblock
    “chkqnx6fs” output
    36

    View full-size slide

  37. Simulator Tools
    • D’oh! Not enough bytes...
    • Simulator provides:
    • “qcfm”
    • “qcfp”
    “qcfp” looks a bit more promising...
    37

    View full-size slide

  38. Ah!
    “pb179.img-ctrl.q6fs”
    38
    Our firmware
    block layout
    Representation
    of the original
    layout

    View full-size slide

  39. Ok, five
    partitions
    Meanwhile, back in our firmware header...
    ... we’ve got this.
    39

    View full-size slide

  40. TL;DR
    • QCFM “envelope”
    • Header represents several QCFP
    “partitions”
    • Block positions and counts
    • Null padding
    • “Poor man’s compression”
    • Signature cookie**
    40

    View full-size slide

  41. Putting it to use
    • qcfm_parse.py
    • 0: Dummy
    partition?
    • 1: Signature cookie
    • 2: IFS image
    • 3: System partition
    • 4: Dummy
    partition?
    41

    View full-size slide

  42. Getting our files out
    • System partition
    • Just mount it
    • IFS image
    • “dumpifs”
    • ifs_parse.py
    42

    View full-size slide

  43. PPS: “.all” the things
    • File permissions and POSIX ACLs lock
    down PPS
    43

    View full-size slide

  44. “.all” the things
    • Special “.all” PPS file aggregates contents of
    otherwise inaccessible sibling files
    44

    View full-size slide

  45. “.all” the things
    • The “.all” file leads to some interesting leaks...like
    nearby BSSIDs (could be used to locate a user)
    45

    View full-size slide

  46. “.all” the things
    • Or device identifying information, including
    device PIN
    46

    View full-size slide

  47. “.all” the things
    • Or the most recent Video Chat call
    47

    View full-size slide

  48. “.all” the things
    • So far, these may seem like silly examples,
    but are artifacts of a peculiar design
    decision...
    48

    View full-size slide

  49. Native Code
    • Native applications
    request permissions, too
    • Our first PoC native app
    requested *zero*
    permissions, read device
    PIN, sent it to a remote
    listener
    • (This should have
    required
    "access_internet" and
    "read_device_identifying
    _information")
    49

    View full-size slide

  50. Native Code
    • Currently nothing stops
    native code from doing
    even nastier things (sans
    permissions)
    • We promised you a
    shell, Nico -- hopefully
    this will do for now :)
    50

    View full-size slide

  51. BlackBerry Bridge
    • Bridge allows you to
    “connect your
    BlackBerry® PlayBook™
    tablet to your
    smartphone to access
    email, calendars... other
    data directly from your
    tablet.”
    • Read: where the Good
    Stuff’s at.
    51

    View full-size slide

  52. BlackBerry Bridge
    • Bridge PlayBook apps
    are special/glorified
    WebKit views
    • Apps connect to
    “SapphireProxy” on
    localhost
    • SapphireProxy connects
    to BB handset (via
    Bluetooth), interfaces
    with Bridge app on
    handset
    52

    View full-size slide

  53. BlackBerry Bridge
    • Bridge apps authenticate
    to SapphireProxy,
    receive token
    • If BB handset has
    password set, user
    must enter this
    • Once auth token is set,
    apps send as both
    cookie and HTTP
    header
    53

    View full-size slide

  54. “Bridging” The Gap
    • Once user has paired
    and “unlocked”
    Bridge, session token
    is available to anyone
    • Malicious app can
    steal via special PPS
    file, re-use
    /pps/system/sapphire/.all
    54

    View full-size slide

  55. “Bridging” The Gap
    55
    CVSS: 3.6 (per RIM)

    View full-size slide

  56. “Bridging” The Gap
    • Sapphire Proxy (on http://127.0.0.1:187)
    also serves as an open HTTP proxy
    • Proxied traffic goes over Bluetooth link,
    and out of BlackBerry handset’s interface
    (WiFi or cell radio)
    • Possible access to corporate net or BES
    56

    View full-size slide

  57. App World
    • Purchase / download
    functionality (duh)
    • PlayBook and BBOS
    share a common
    interface
    • Asynchronous app
    purchase and
    download
    components
    57

    View full-size slide

  58. Hrmm...
    Consider the following requests:
    58

    View full-size slide

  59. Oh...
    • Sequential file names
    • No session management
    • A local cache of App World can be yours
    (be sure to bring along external storage)!*
    * assuming there’s anything that you want
    59

    View full-size slide

  60. Save yourself $2 -- #6294155
    60

    View full-size slide

  61. App World
    • Evidently hosts all versions of all BBOS and
    PlayBook applications
    • Applications can be side-loaded
    • No centralized license management
    • Not unique to PlayBook, but significant
    • RIM response
    61

    View full-size slide

  62. Web services
    • bozohttpd
    • “certmgr”
    • inetd
    • dtm-up.sh
    • WiFi vs USB
    62

    View full-size slide

  63. Web services
    • login.cgi
    • “dtmauth”
    • Token stored in a PPS object...
    63

    View full-size slide

  64. Web services
    • Legitimate but
    somewhat impractical
    • pf restrictions
    • Hurry up and wait
    Impractical, but not ineffective.
    64

    View full-size slide

  65. Web services
    • Help from Sapphire!
    • Snag dtmauth, proxy through BlackBerry
    handset (via Sapphire)
    65

    View full-size slide

  66. Web services
    66

    View full-size slide

  67. Additional Considerations
    67

    View full-size slide

  68. Samba
    • Desktop Manager
    • General file
    sharing
    • WiFi vs USB
    • x.509 certificates
    • Media
    PROTIP: leave file sharing disabled
    68

    View full-size slide

  69. Bridge: More to consider
    SapphireProxy startup arguments
    privesc will give you corporate intranet access
    69

    View full-size slide

  70. Bridge: More to consider
    • Bridge “Files” accesses
    BB handset storage...via
    WebDAV
    • Internal storage, SD
    card, camera images, etc.
    • Currently world
    readable/writable
    70

    View full-size slide

  71. Bridge: More to consider
    • Permissions and leaks may be resolved, but
    these issues will resurface
    71

    View full-size slide

  72. Things to keep an eye on
    • System scripts
    • Python / shell
    • “cleanup” stuff
    • File permissions
    • Logs
    • Support apps (Desktop Manager, Device
    Manager)
    72

    View full-size slide

  73. Questions?
    [email protected]
    https://twitter.com/quine
    [email protected]
    https://twitter.com/bnull
    • http://github.com/intrepidusgroup/pbtools
    Greetz:
    NickDe, HockeyInJune
    #busticati, #painsec
    73

    View full-size slide