Voight-Kampff'ing The BlackBerry PlayBook (v1)

Zach Lanier
January 12, 2012

"Voight-Kampff'ing The BlackBerry PlayBook", presented by Zach Lanier and Ben Nell at INFILTRATE 2012 (http://www.infiltratecon.com/speakers.html#lanier)

Transcript

Slide 3: Why this matters
  • New, different platform
  • PlayBook targets enterprises
  • Designed to separate “personal” apps/data from “corporate” apps/data
  • ...and we can steal that corporate data

Slide 4: Agenda
  • Platform Overview
  • Application Overview
  • Methodology
  • Research Findings
  • Additional Considerations

Slide 5: “He say you Blade Runner...”
  • Deckard hunts Replicants (he’s an *android killer*)
  • PlayBook codename = “Deckard”
  • Voight-Kampff machine for interrogation
  • Hence the theme

Slide 7: Platform Overview
  • TI OMAP4430 (dual-core ARM Cortex A9)
  • TabletOS (based on QNX Neutrino RTOS v6.6)
  • Major components:
      • WebKit (534.11 / Safari 7.1.0.7)
      • Adobe Flash (11.1)
      • Adobe AIR (3.1)
      • BlackBerry Bridge (connects to BB handheld for sync’ing email, contacts, calendar, etc.)
  • Use case: corporate user with existing BB handset

Slide 8: QNX
  • Microkernel, only truly trusted component
  • Separation of network, I/O, HMI, etc. into separate components
  • Trusted boot process
  • ASLR

Slide 9: Dingleberry
  • PlayBook jailbreak / root privesc released in Dec. 2011
  • Discovered by @xpvqs and @neuralic, packaged by @cmwdotme
  • Issue (tl;dr): backups aren’t signed; jailbreak process creates custom backup, restores overwriting smb.conf; Samba then executes scripts as root
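The Dingleberry chain on slide 9 works because a restored smb.conf can name scripts that smbd runs as root. As an added example (not code from the talk or from the jailbreak), the Python audit below parses an smb.conf and flags every parameter smbd hands to a shell, grouped by the identity that runs it according to the smb.conf(5) descriptions, plus `include`/`config file` lines that pull in configuration from elsewhere. The sample configuration, its share name and the script paths are constructed for the demo and are not taken from the PlayBook.

```python
"""Audit an smb.conf for parameters that make smbd execute external commands."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Parameters smbd passes to a shell. Classification follows smb.conf(5): the
# "root ..." hooks and the account/share management scripts run as root, the
# per-share hooks run as the connected user.
ROOT_CONTEXT = {
    "rootpreexec", "rootpostexec",
    "adduserscript", "deleteuserscript", "addgroupscript", "deletegroupscript",
    "addusertogroupscript", "deleteuserfromgroupscript", "addmachinescript",
    "renameuserscript", "setprimarygroupscript", "passwdprogram",
    "panicaction", "shutdownscript", "abortshutdownscript",
    "addsharecommand", "changesharecommand", "deletesharecommand",
    "checkpasswordscript", "usernamemapscript",
}
USER_CONTEXT = {
    "preexec", "exec", "postexec", "magicscript",
    "printcommand", "lpqcommand", "lprmcommand", "dfreecommand",
}
# Not commands themselves, but they splice in further configuration.
INDIRECT = {"include", "configfile"}


@dataclass(frozen=True)
class Finding:
    section: str
    param: str      # canonical (lower-case, whitespace-free) parameter name
    value: str
    context: str    # "root", "user" or "include"


def _canon(name: str) -> str:
    # smbd treats parameter names as case- and whitespace-insensitive,
    # so "Root PreExec" and "rootpreexec" are the same key.
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text: str) -> dict[str, dict[str, str]]:
    """Minimal smb.conf reader: [section] headers, key = value lines,
    '#'/';' comments and trailing-backslash continuations."""
    sections: dict[str, dict[str, str]] = {"global": {}}
    current = "global"
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.rstrip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][_canon(key)] = value.strip()
    return sections


def audit_smb_conf(text: str) -> list[Finding]:
    """Every parameter that causes command execution or config inclusion."""
    findings: list[Finding] = []
    for section, params in parse_smb_conf(text).items():
        for param, value in params.items():
            if param in ROOT_CONTEXT:
                findings.append(Finding(section, param, value, "root"))
            elif param in USER_CONTEXT:
                findings.append(Finding(section, param, value, "user"))
            elif param in INDIRECT:
                findings.append(Finding(section, param, value, "include"))
    return findings


# Constructed sample: the kind of share a tampered backup could drop in.
# Share name, paths and script names are illustrative only.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   security = user
   include = /tmp/extra.conf

[media]
   path = /tmp/shared
   read only = no
   root preexec = /tmp/payload.sh %U
   pre exec = /bin/echo "connected %U"
"""

if __name__ == "__main__":
    for f in audit_smb_conf(SAMPLE_SMB_CONF):
        print(f"[{f.section}] {f.param} = {f.value!r}  (runs as {f.context})")
```

Run it against the device's live smb.conf after any restore: a `root preexec` (or any other root-context parameter) that was not in the shipped configuration is exactly the change the jailbreak relies on.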
Slide 10: Security Controls
  • OpenBSD pf
  • POSIX (filesystem) ACLs
  • Compiler & linker protections for native apps
      • ProPolice, PIE, full RELRO
  • ASLR

Slide 11: PPS
  • “Persistent Publish / Subscribe”
  • Simple interface for sharing data, notifications via filesystem objects
  • Example: monitoring network interface state

Slide 12: authman & permissions
  • authman service - maps app permissions to system resources
  • Filesystem permissions + POSIX ACLs, PF rules
  • Shell script and Python glue to bind it all together

Slide 13: authman & permissions
  • /etc/authman: configs
      • Pair of files (".res" & ".acl"), named for profile type
      • carrier.acl?
  • /dev/authman: resource manager “dispatch” path

Slide 14: authman & permissions
  • Controls access to app permissions (allow, prompt, deny)
  • Sets FACLs on filesystem objects based on app permission requested

Slide 15: authman & pf
  • authman handles setting up (app) GID:rule mapping
  • Ex: limiting access to SapphireProxy (for BB Bridge) on 127.0.0.2

Slide 17: PlayBook applications
  • BlackBerry + JAR = ???
  • Normal JAR structures
  • Entry point
  • AIR and ELF / Dalvik and Python

Slide 18: PlayBook applications
  • Native applications
      • Entry points interpreted as shell commands
      • ENV variables, shell scripts, etc
  • AIR applications
      • Interface compiled libraries (i.e. UI stuff)
      • Can be packaged with ELF libraries

Slide 22: Development mode
  • SDK tools / side-load applications
  • Unprivileged shell access
  • Automatic session expiration

Slide 25: Exploring TabletOS
  • QNX Software Dev Platform (SDP)
  • PlayBook Simulator
  • Wealth of QNX documentation
  • Firmware images
  • SDK / NDK
  • Source code?

Slide 27: System updates
  • Signed packages (SHA1, SHA256, SHA512)
  • Three stage process:
      • Poll available update bundles (HTTPS)
      • Request download info for a specific bundle (HTTPS)
      • Download and install individual packages (HTTP)

Slide 29: System updates: So what?
  • Control the version of software running on a device
  • Extract TabletOS file system
  • Reverse engineer system stuff
  • Diff changes between versions

Slide 30: System updates: MITM
  • x.509 checks were not originally enforced
  • 1.0.1
  • 1.0.3
  • Downgrades probably not possible
  • Control version of out-of-the-box devices
  • Cannot be fixed in a software update

Slide 32: System updates: OOB bundle download
  • Available bundle versions
  • “X-Encryption-Id”
  • package_get.py
  • Brute-forcing unreleased versions?

Slide 34: QNX SDP
  • Examining known-good QNX6 partitions
      • Magic bytes
      • “chkqnx6fs”

Slide 35: Firmware reversing
  • Ok, valid partition headers. Carve them?
  • Geometry?
  • Block size / count?
  • Examining QNX6 partitions more closely...
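Slides 34 and 35 describe the two checks that precede carving: find candidate QNX6 partitions by their magic bytes (compared against known-good images from the SDP), then ask what geometry, block size and block count, each one claims. The script below is an added Python example, not code from the talk: it scans a raw dump on sector boundaries for QNX6 superblocks in either byte order, decodes the geometry fields, and reports whether the dump actually holds as many bytes as the superblock promises. The magic value and field offsets are taken from the superblock layout used by the Linux qnx6 driver and are assumed to match the PlayBook images; the sample dumps are synthesised inline, and the "needed" figure is a lower bound because the trailing second superblock copy is not counted.

```python
"""Find QNX6 superblocks in a raw firmware dump and report their geometry."""
from __future__ import annotations
import struct
from dataclasses import dataclass

# Layout per the Linux qnx6 driver's superblock definition (fs/qnx6/qnx6.h);
# assumed here to match the PlayBook's QNX6 partitions.
QNX6_SUPER_MAGIC = 0x68191122
QNX6_BOOTBLOCK_SIZE = 0x2000      # boot block precedes the first superblock
QNX6_SUPERBLOCK_AREA = 0x1000     # space reserved for each superblock copy
VALID_BLOCKSIZES = (512, 1024, 2048, 4096)


@dataclass
class Qnx6Superblock:
    offset: int        # byte offset of this superblock in the dump
    endian: str        # "<" little-endian, ">" big-endian
    serial: int
    blocksize: int
    num_blocks: int

    @property
    def data_bytes(self) -> int:
        """Size of the block area the superblock claims."""
        return self.blocksize * self.num_blocks


def parse_superblock(buf: bytes, off: int) -> Qnx6Superblock | None:
    """Decode a superblock at `off`, trying both byte orders; None if no match."""
    for endian in ("<", ">"):
        (magic,) = struct.unpack_from(endian + "I", buf, off)
        if magic != QNX6_SUPER_MAGIC:
            continue
        (serial,) = struct.unpack_from(endian + "Q", buf, off + 8)
        # blocksize, num_inodes, free_inodes, num_blocks start at offset 48
        blocksize, _num_inodes, _free_inodes, num_blocks = struct.unpack_from(
            endian + "4I", buf, off + 48)
        if blocksize not in VALID_BLOCKSIZES or num_blocks == 0:
            continue   # magic collided with data; geometry is implausible
        return Qnx6Superblock(off, endian, serial, blocksize, num_blocks)
    return None


def scan_qnx6(buf: bytes, step: int = 512) -> list[Qnx6Superblock]:
    """Walk the dump on sector boundaries looking for plausible superblocks."""
    hits: list[Qnx6Superblock] = []
    for off in range(0, len(buf) - QNX6_SUPERBLOCK_AREA + 1, step):
        sb = parse_superblock(buf, off)
        if sb is not None:
            hits.append(sb)
    return hits


def carve_plan(buf: bytes, sb: Qnx6Superblock) -> dict[str, int | bool]:
    """Where a partition around `sb` would start and whether the dump is long
    enough to hold it. `needed` counts boot block, one superblock area and the
    data area; the trailing second superblock copy is not included."""
    start = max(sb.offset - QNX6_BOOTBLOCK_SIZE, 0)
    needed = QNX6_BOOTBLOCK_SIZE + QNX6_SUPERBLOCK_AREA + sb.data_bytes
    available = len(buf) - start
    return {"start": start, "needed": needed, "available": available,
            "complete": available >= needed}


def make_sample_dump(blocksize: int, num_blocks: int, endian: str = "<",
                     truncate: int = 0) -> bytes:
    """Constructed test image: boot block, one superblock, zeroed data area."""
    sb = bytearray(QNX6_SUPERBLOCK_AREA)
    struct.pack_into(endian + "I", sb, 0, QNX6_SUPER_MAGIC)
    struct.pack_into(endian + "Q", sb, 8, 0x1234)          # serial
    struct.pack_into(endian + "4I", sb, 48, blocksize, 1, 1, num_blocks)
    img = bytes(QNX6_BOOTBLOCK_SIZE) + bytes(sb) + bytes(blocksize * num_blocks)
    return img[:len(img) - truncate] if truncate else img


if __name__ == "__main__":
    for name, dump in (("complete", make_sample_dump(1024, 16)),
                       ("truncated", make_sample_dump(1024, 16, truncate=4096))):
        for sb in scan_qnx6(dump):
            plan = carve_plan(dump, sb)
            print(f"{name}: superblock @0x{sb.offset:x} ({sb.endian}) "
                  f"bs={sb.blocksize} blocks={sb.num_blocks} -> {plan}")
```

A candidate whose `available` is smaller than `needed` is the "not enough bytes" case: the superblock is real but the bytes behind it are not a contiguous partition in this file, which is the cue to look at the enclosing container format rather than carve by offset.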
Slide 37: Simulator Tools
  • D’oh! Not enough bytes...
  • Simulator provides:
      • “qcfm”
      • “qcfp”
  “qcfp” looks a bit more promising...

Slide 40: TL;DR
  • QCFM “envelope”
  • Header represents several QCFP “partitions”
      • Block positions and counts
  • Null padding
      • “Poor man’s compression”
  • Signature cookie**

Slide 41: Putting it to use
  • qcfm_parse.py
      • 0: Dummy partition?
      • 1: Signature cookie
      • 2: IFS image
      • 3: System partition
      • 4: Dummy partition?

Slide 42: Getting our files out
  • System partition
      • Just mount it
  • IFS image
      • “dumpifs”
      • ifs_parse.py

Slide 45: “.all” the things
  • The “.all” file leads to some interesting leaks...like nearby BSSIDs (could be used to locate a user)

Slide 48: “.all” the things
  • So far, these may seem like silly examples, but are artifacts of a peculiar design decision...

Slide 49: Native Code
  • Native applications request permissions, too
  • Our first PoC native app requested *zero* permissions, read device PIN, sent it to a remote listener
  • (This should have required "access_internet" and "read_device_identifying_information")

Slide 50: Native Code
  • Currently nothing stops native code from doing even nastier things (sans permissions)
  • We promised you a shell, Nico -- hopefully this will do for now :)

Slide 51: BlackBerry Bridge
  • Bridge allows you to “connect your BlackBerry® PlayBook™ tablet to your smartphone to access email, calendars... other data directly from your tablet.”
  • Read: where the Good Stuff’s at.

Slide 52: BlackBerry Bridge
  • Bridge PlayBook apps are special/glorified WebKit views
  • Apps connect to “SapphireProxy” on localhost
  • SapphireProxy connects to BB handset (via Bluetooth), interfaces with Bridge app on handset

Slide 53: BlackBerry Bridge
  • Bridge apps authenticate to SapphireProxy, receive token
  • If BB handset has password set, user must enter this
  • Once auth token is set, apps send as both cookie and HTTP header

Slide 54: “Bridging” The Gap
  • Once user has paired and “unlocked” Bridge, session token is available to anyone
  • Malicious app can steal via special PPS file, re-use /pps/system/sapphire/.all
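PPS (slide 11) publishes system state as small text objects under /pps, and a directory's ".all" file concatenates every object in that directory; slides 45 and 54 show that reading such a file can hand an unprivileged app nearby BSSIDs or the Bridge session token. The parser below is an added Python example, not code from the talk: it reads a PPS dump in the documented `name:encoding:value` line format and then lists attributes whose names suggest a secret or a location-revealing value. The sample ".all" content, its object and attribute names, and the token value are constructed for the demo and are not the real wifi or Sapphire PPS objects.

```python
"""Parse a QNX PPS object dump (e.g. a directory's ".all" file) into Python values."""
from __future__ import annotations
import json

PpsObjects = dict[str, dict[str, object]]


def decode_pps_value(encoding: str, value: str) -> object:
    """PPS attribute lines are "name:encoding:value". An empty encoding is a
    plain string; "n", "b" and "json" are the documented typed encodings."""
    if encoding == "":
        return value
    if encoding == "n":
        return float(value) if any(c in value for c in ".eE") else int(value)
    if encoding == "b":
        return value.strip().lower() == "true"
    if encoding == "json":
        return json.loads(value)
    return value   # unknown encoding: keep the raw text


def parse_pps(text: str) -> PpsObjects:
    """Return {object_name: {attribute: value}}.
    '@name' starts (or continues) an object, '-attr' deletes an attribute,
    '#' lines are comments; attributes before any '@' line are ignored."""
    objects: PpsObjects = {}
    current: dict[str, object] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            # "@obj" or "@obj:options"; the options are open flags, not data
            name = line[1:].split(":", 1)[0]
            current = objects.setdefault(name, {})
            continue
        if current is None:
            continue
        if line.startswith("-"):
            current.pop(line[1:].split(":", 1)[0], None)
            continue
        name, _, rest = line.partition(":")
        encoding, _, value = rest.partition(":")
        current[name] = decode_pps_value(encoding, value)
    return objects


def find_sensitive(objects: PpsObjects,
                   keywords: tuple[str, ...] = ("token", "auth", "passw", "bssid", "ssid")
                   ) -> list[tuple[str, str]]:
    """(object, attribute) pairs whose attribute name suggests a secret or a
    location-revealing value; the keyword list is a heuristic, not a spec."""
    hits: list[tuple[str, str]] = []
    for obj, attrs in objects.items():
        for attr in attrs:
            if any(k in attr.lower() for k in keywords):
                hits.append((obj, attr))
    return hits


# Constructed sample in PPS syntax. Object and attribute names are illustrative
# and do not reproduce the real wifi or Sapphire PPS objects.
SAMPLE_ALL = """\
# one object per '@' line, attributes as name:encoding:value
@status
state::connected
ssid::CorpWiFi
bssid::00:11:22:33:44:55
rssi:n:-61
@session
authenticated:b:true
sessionToken::8f3a1c2e7b9d4f6a
services:json:["mail","calendar"]
-stale
"""

if __name__ == "__main__":
    objs = parse_pps(SAMPLE_ALL)
    for obj, attr in find_sensitive(objs):
        print(f"{obj}: {attr} = {objs[obj][attr]!r}")
```

Pointed at a real ".all" file, the same loop is the whole "special PPS file" read of slide 54: no parsing of a bespoke format, just reading a world-readable text object and picking out the attribute that authenticates to SapphireProxy.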
Slide 56: “Bridging” The Gap
  • Sapphire Proxy (on http://127.0.0.1:187) also serves as an open HTTP proxy
  • Proxied traffic goes over Bluetooth link, and out of BlackBerry handset’s interface (WiFi or cell radio)
  • Possible access to corporate net or BES

Slide 57: App World
  • Purchase / download functionality (duh)
  • PlayBook and BBOS share a common interface
  • Asynchronous app purchase and download components

Slide 59: Oh...
  • Sequential file names
  • No session management
  • A local cache of App World can be yours (be sure to bring along external storage)!*
  * assuming there’s anything that you want

Slide 61: App World
  • Evidently hosts all versions of all BBOS and PlayBook applications
  • Applications can be side-loaded
  • No centralized license management
  • Not unique to PlayBook, but significant
  • RIM response

Slide 64: Web services
  • Legitimate but somewhat impractical
  • pf restrictions
  • Hurry up and wait
  Impractical, but not ineffective.

Slide 65: Web services
  • Help from Sapphire!
  • Snag dtmauth, proxy through BlackBerry handset (via Sapphire)

Slide 68: Samba
  • Desktop Manager
  • General file sharing
  • WiFi vs USB
  • x.509 certificates
  • Media
  PROTIP: leave file sharing disabled

Slide 70: Bridge: More to consider
  • Bridge “Files” accesses BB handset storage...via WebDAV
  • Internal storage, SD card, camera images, etc.
  • Currently world readable/writable

Slide 71: Bridge: More to consider
  • Permissions and leaks may be resolved, but these issues will resurface

Slide 72: Things to keep an eye on
  • System scripts
      • Python / shell
      • “cleanup” stuff
  • File permissions
  • Logs
  • Support apps (Desktop Manager, Device Manager)