Voight-Kampff'ing The BlackBerry PlayBook (v1)

Zach Lanier
January 12, 2012

"Voight-Kampff'ing The BlackBerry PlayBook", presented by Zach Lanier and Ben Nell at INFILTRATE 2012 (http://www.infiltratecon.com/speakers.html#lanier)

Transcript

  1. Voight-Kampff'ing The BlackBerry PlayBook
     Zach Lanier and Ben Nell

  2. Introduction
     • Zach Lanier, Principal Consultant
     • Ben Nell, Consultant

  3. Why this matters
     • New, different platform
     • PlayBook targets enterprises
     • Designed to separate “personal” apps/data from “corporate” apps/data
     ...and we can steal that corporate data

  4. Agenda
     • Platform Overview
     • Application Overview
     • Methodology
     • Research Findings
     • Additional Considerations

  5. “He say you Blade Runner...”
     • Deckard hunts Replicants (he’s an *android killer*)
     • PlayBook codename = “Deckard”
     • Voight-Kampff machine for interrogation
     • Hence the theme

  6. Platform Overview

  7. Platform Overview
     • TI OMAP4430 (dual-core ARM Cortex A9)
     • TabletOS (based on QNX Neutrino RTOS v6.6)
     • Major components:
       • WebKit (534.11 / Safari 7.1.0.7)
       • Adobe Flash (11.1)
       • Adobe AIR (3.1)
     • BlackBerry Bridge (connects to BB handheld for sync’ing email, contacts, calendar, etc.)
     • Use case: corporate user with existing BB handset

  8. QNX
     • Microkernel, only truly trusted component
     • Separation of network, I/O, HMI, etc. into separate components
     • Trusted boot process
     • ASLR

  9. Dingleberry
     • PlayBook jailbreak / root privesc released in Dec. 2011
     • Discovered by @xpvqs and @neuralic, packaged by @cmwdotme
     • Issue (tl;dr): backups aren’t signed; jailbreak process creates custom backup, restores overwriting smb.conf; Samba then executes scripts as root

  10. Security Controls
     • OpenBSD pf
     • POSIX (filesystem) ACLs
     • Compiler & linker protections for native apps
     • ProPolice, PIE, full RELRO
     • ASLR

  11. PPS
     • “Persistent Publish / Subscribe”
     • Simple interface for sharing data, notifications via filesystem objects
     • Example: monitoring network interface state

  12. authman & permissions
     • authman service - maps app permissions to system resources
     • Filesystem permissions + POSIX ACLs, PF rules
     • Shell script and Python glue to bind it all together

  13. authman & permissions
     • /etc/authman: configs
     • Pair of files (".res" & ".acl"), named for profile type
     • carrier.acl?
     • /dev/authman: resource manager “dispatch” path

  14. authman & permissions
     • Controls access to app permissions (allow, prompt, deny)
     • Sets FACLs on filesystem objects based on app permission requested

  15. authman & pf
     • authman handles setting up (app) GID:rule mapping
     • Ex: limiting access to SapphireProxy (for BB Bridge) on 127.0.0.2

  16. Application Overview

  17. PlayBook applications
     • BlackBerry + JAR = ???
     • Normal JAR structures
     • Entry point
     • AIR and ELF / Dalvik and Python

  18. PlayBook applications
     • Native applications
       • Entry points interpreted as shell commands
       • ENV variables, shell scripts, etc
     • AIR applications
       • Interface compiled libraries (i.e. UI stuff)
       • Can be packaged with ELF libraries

  19. App Permissions
     Documented (8) vs. Observed (48)

  20. Side Note: Adobe Reader
     • permiter_corp?
     • run_air_native?

  21. Methodology

  22. Development mode
     • SDK tools / side-load applications
     • Unprivileged shell access
     • Automatic session expiration

  23. Development mode
     • “appInstaller.cgi”
       • Install / launch apps
       • Enumerate apps
       • Terminate apps

  24. Development mode
     • “qconnDoor”
       • Limited SSH access
       • Private key authentication

  25. Exploring TabletOS
     • QNX Software Dev Platform (SDP)
     • PlayBook Simulator
     • Wealth of QNX documentation
     • Firmware images
     • SDK / NDK
     • Source code?

  26. Research Findings

  27. System updates
     • Signed packages (SHA1, SHA256, SHA512)
     • Three stage process:
       • Poll available update bundles (HTTPS)
       • Request download info for a specific bundle (HTTPS)
       • Download and install individual packages (HTTP)

  28. Poll available bundles
     Bundle request

  29. System updates: So what?
     • Control the version of software running on a device
     • Extract TabletOS file system
     • Reverse engineer system stuff
     • Diff changes between versions

  30. System updates: MITM
     • x.509 checks were not originally enforced
     • 1.0.1
     • 1.0.3
     • Downgrades probably not possible
     • Control version of out-of-the-box devices
     • Cannot be fixed in a software update

  31. System updates: MITM (obviously)

  32. System updates: OOB bundle download
     • Available bundle versions
     • “X-Encryption-Id”
     • package_get.py
     • Brute-forcing unreleased versions?

  33. Firmware reversing
     • BAR package qcfm-os-factory-<VER>.bwrap.signed
     • Interesting-looking binary glob
     • Raw partitions?
     • File carving?
     • MFCQ/QCFP headers?

  34. QNX SDP
     • Examining known-good QNX6 partitions
     • Magic bytes
     • “chkqnx6fs”

  35. Firmware reversing
     • Ok, valid partition headers. Carve them?
     • Geometry?
     • Block size / count?
     • Examining QNX6 partitions more closely...

  36. QNX6 partition superblock
     “chkqnx6fs” output

  37. Simulator Tools
     • D’oh! Not enough bytes...
     • Simulator provides:
       • “qcfm”
       • “qcfp”
     “qcfp” looks a bit more promising...

  38. Ah! “pb179.img-ctrl.q6fs”
     Our firmware block layout
     Representation of the original layout

  39. Ok, five partitions
     Meanwhile, back in our firmware header...
     ...we’ve got this.

  40. TL;DR
     • QCFM “envelope”
     • Header represents several QCFP “partitions”
     • Block positions and counts
     • Null padding
     • “Poor man’s compression”
     • Signature cookie**

  41. Putting it to use
     • qcfm_parse.py
       • 0: Dummy partition?
       • 1: Signature cookie
       • 2: IFS image
       • 3: System partition
       • 4: Dummy partition?

  42. Getting our files out
     • System partition
       • Just mount it
     • IFS image
       • “dumpifs”
       • ifs_parse.py
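The "magic bytes" and "block size / count" questions on slides 34-35 are what a superblock scanner answers. The script below is an added example, not code from the talk or the pbtools repo: it walks a carved blob for QNX6 superblocks and reports each partition's geometry. The field layout and the 0x2000 boot-block offset are taken from struct qnx6_super_block in the Linux kernel's fs/qnx6 driver (an assumption to verify against your own image), and the blob it scans is constructed, not a real PlayBook partition.

```python
"""Added example, not code from the talk or pbtools: find QNX6 superblocks in a
carved firmware blob and report the geometry (block size / count) slides 34-35
ask about. Layout and 0x2000 boot-block offset follow struct qnx6_super_block in
the Linux fs/qnx6 driver (an assumption to verify); the blob is constructed."""
import struct

QNX6_MAGIC = 0x68191122
QNX6_BOOTBLOCK = 0x2000        # the superblock sits right after the boot block
SB_FMT = "IIQIIIHH16sIIIIII"   # fields through sb_allocgroup, 72 bytes
VALID_BLOCKSIZES = {512, 1024, 2048, 4096}


def parse_superblock(data: bytes, off: int):
    """Decode the candidate at off in either byte order; None if magic or
    geometry fails the sanity checks chkqnx6fs would also apply."""
    for endian in ("<", ">"):
        f = struct.unpack_from(endian + SB_FMT, data, off)
        if f[0] != QNX6_MAGIC:
            continue
        blocksize, num_blocks, free_blocks = f[9], f[12], f[13]
        if blocksize not in VALID_BLOCKSIZES or num_blocks == 0 or free_blocks > num_blocks:
            return None
        return {"offset": off, "partition_start": max(0, off - QNX6_BOOTBLOCK),
                "endian": "little" if endian == "<" else "big",
                "blocksize": blocksize, "num_blocks": num_blocks,
                "data_bytes": blocksize * num_blocks}
    return None


def find_qnx6_superblocks(data: bytes, step: int = 512) -> list:
    """Scan sector-aligned offsets for the magic in either byte order and
    keep every candidate that parses; null padding is skipped cheaply."""
    hits = []
    for off in range(0, len(data) - struct.calcsize("<" + SB_FMT) + 1, step):
        word = data[off:off + 4]
        if QNX6_MAGIC in (int.from_bytes(word, "little"), int.from_bytes(word, "big")):
            sb = parse_superblock(data, off)
            if sb:
                hits.append(sb)
    return hits


def build_sample_image() -> bytes:
    """Constructed blob: 64 KiB of null padding, then one little-endian QNX6
    partition advertising 1024-byte blocks, 4096 blocks, 100 free."""
    sb = struct.pack("<" + SB_FMT, QNX6_MAGIC, 0, 1, 0, 0, 0, 1, 0,
                     b"\x00" * 16, 1024, 64, 10, 4096, 100, 1)
    start = 0x10000 + QNX6_BOOTBLOCK
    img = bytearray(0x10000 + QNX6_BOOTBLOCK + 0x1000)
    img[start:start + len(sb)] = sb
    return bytes(img)
```

Point `find_qnx6_superblocks` at the bytes of a QCFP partition the qcfp tool has expanded; on the raw QCFM envelope the "not enough bytes" problem from slide 37 means the geometry it reports will not line up with the data.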
  43. PPS: “.all” the things
     • File permissions and POSIX ACLs lock down PPS

  44. “.all” the things
     • Special “.all” PPS file aggregates contents of otherwise inaccessible sibling files

  45. “.all” the things
     • The “.all” file leads to some interesting leaks...like nearby BSSIDs (could be used to locate a user)

  46. “.all” the things
     • Or device identifying information, including device PIN

  47. “.all” the things
     • Or the most recent Video Chat call

  48. “.all” the things
     • So far, these may seem like silly examples, but are artifacts of a peculiar design decision...

  49. Native Code
     • Native applications request permissions, too
     • Our first PoC native app requested *zero* permissions, read device PIN, sent it to a remote listener
     • (This should have required "access_internet" and "read_device_identifying_information")

  50. Native Code
     • Currently nothing stops native code from doing even nastier things (sans permissions)
     • We promised you a shell, Nico -- hopefully this will do for now :)

  51. BlackBerry Bridge
     • Bridge allows you to “connect your BlackBerry® PlayBook™ tablet to your smartphone to access email, calendars... other data directly from your tablet.”
     • Read: where the Good Stuff’s at.

  52. BlackBerry Bridge
     • Bridge PlayBook apps are special/glorified WebKit views
     • Apps connect to “SapphireProxy” on localhost
     • SapphireProxy connects to BB handset (via Bluetooth), interfaces with Bridge app on handset

  53. BlackBerry Bridge
     • Bridge apps authenticate to SapphireProxy, receive token
     • If BB handset has password set, user must enter this
     • Once auth token is set, apps send as both cookie and HTTP header

  54. “Bridging” The Gap
     • Once user has paired and “unlocked” Bridge, session token is available to anyone
     • Malicious app can steal via special PPS file, re-use
     /pps/system/sapphire/.all
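The “.all” design issue on slides 43-48, and its Bridge-token instance on slide 54, comes down to a readable aggregate object sitting next to siblings that are individually locked down. The audit below is an added example, not code from the talk or pbtools: it walks a PPS-style tree and flags every directory where “.all” is group/world readable while a sibling is owner-only. It compares mode bits only (the POSIX ACLs authman applies are not read, so a clean result is necessary, not sufficient), and the tree and object names it builds are constructed for the example.

```python
"""Added example, not from the talk or pbtools: audit a PPS tree for the
".all" issue above (slides 43-48 and 54), where a readable ".all" object
aggregates siblings whose own permissions deny access. Only mode bits are
compared; the POSIX ACLs authman applies are not read, so a clean result is
necessary, not sufficient. The sample tree and object names are constructed."""
import os
import stat
import tempfile

NON_OWNER_READ = stat.S_IRGRP | stat.S_IROTH   # any read bit beyond the owner's


def readable_by_non_owner(path: str) -> bool:
    return bool(os.stat(path).st_mode & NON_OWNER_READ)


def audit_pps_tree(root: str) -> list:
    """Return (relative dir, [locked siblings]) for every directory whose
    '.all' is group/world readable while a sibling object is owner-only."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".all" not in files:
            continue
        if not readable_by_non_owner(os.path.join(dirpath, ".all")):
            continue          # '.all' is at least as locked as its siblings
        locked = sorted(f for f in files if f != ".all"
                        and not readable_by_non_owner(os.path.join(dirpath, f)))
        if locked:
            findings.append((os.path.relpath(dirpath, root), locked))
    return findings


def build_sample_pps() -> str:
    """Constructed stand-in for /pps: 'system/sapphire' holds an owner-only
    session-token object beside a world-readable '.all'; 'services/wifi' is clean."""
    root = tempfile.mkdtemp(prefix="pps-")
    layout = {
        "system/sapphire": {"session": 0o600, "status": 0o644, ".all": 0o644},
        "services/wifi": {"status": 0o644, ".all": 0o644},
    }
    for rel, objects in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d)
        for name, mode in objects.items():
            p = os.path.join(d, name)
            with open(p, "w") as fh:
                fh.write("constructed\n")
            os.chmod(p, mode)
    return root
```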
  55. “Bridging” The Gap
     CVSS: 3.6 (per RIM)

  56. “Bridging” The Gap
     • Sapphire Proxy (on http://127.0.0.1:187) also serves as an open HTTP proxy
     • Proxied traffic goes over Bluetooth link, and out of BlackBerry handset’s interface (WiFi or cell radio)
     • Possible access to corporate net or BES

  57. App World
     • Purchase / download functionality (duh)
     • PlayBook and BBOS share a common interface
     • Asynchronous app purchase and download components

  58. Hrmm...
     Consider the following requests:

  59. Oh...
     • Sequential file names
     • No session management
     • A local cache of App World can be yours (be sure to bring along external storage)!*
     * assuming there’s anything that you want

  60. Save yourself $2 -- #6294155

  61. App World
     • Evidently hosts all versions of all BBOS and PlayBook applications
     • Applications can be side-loaded
     • No centralized license management
     • Not unique to PlayBook, but significant
     • RIM response

  62. Web services
     • bozohttpd
     • “certmgr”
     • inetd
     • dtm-up.sh
     • WiFi vs USB

  63. Web services
     • login.cgi
     • “dtmauth”
     • Token stored in a PPS object...

  64. Web services
     • Legitimate but somewhat impractical
     • pf restrictions
     • Hurry up and wait
     Impractical, but not ineffective.

  65. Web services
     • Help from Sapphire!
     • Snag dtmauth, proxy through BlackBerry handset (via Sapphire)

  66. Web services

  67. Additional Considerations

  68. Samba
     • Desktop Manager
     • General file sharing
     • WiFi vs USB
     • x.509 certificates
     • Media
     PROTIP: leave file sharing disabled

  69. Bridge: More to consider
     SapphireProxy startup arguments
     privesc will give you corporate intranet access

  70. Bridge: More to consider
     • Bridge “Files” accesses BB handset storage...via WebDAV
     • Internal storage, SD card, camera images, etc.
     • Currently world readable/writable

  71. Bridge: More to consider
     • Permissions and leaks may be resolved, but these issues will resurface

  72. Things to keep an eye on
     • System scripts
     • Python / shell
     • “cleanup” stuff
     • File permissions
     • Logs
     • Support apps (Desktop Manager, Device Manager)

  73. Questions?
     • zach.lanier@intrepidusgroup.com / https://twitter.com/quine
     • ben.nell@intrepidusgroup.com / https://twitter.com/bnull
     • http://github.com/intrepidusgroup/pbtools
     Greetz: NickDe, HockeyInJune #busticati, #painsec