
Voight-Kampff'ing The BlackBerry PlayBook (v1)

Zach Lanier
January 12, 2012


"Voight-Kampff'ing The BlackBerry PlayBook", presented by Zach Lanier and Ben Nell at INFILTRATE 2012 (http://www.infiltratecon.com/speakers.html#lanier)


Transcript

1. Why this matters • New, different platform • PlayBook targets enterprises • Designed to separate “personal” apps/data from “corporate” apps/data • ...and we can steal that corporate data
2. Agenda • Platform Overview • Application Overview • Methodology • Research Findings • Additional Considerations
3. “He say you Blade Runner...” • Deckard hunts Replicants (he’s an *android killer*) • PlayBook codename = “Deckard” • Voight-Kampff machine for interrogation • Hence the theme
4. Platform Overview • TI OMAP4430 (dual-core ARM Cortex A9) • TabletOS (based on QNX Neutrino RTOS v6.6) • Major components: WebKit (534.11 / Safari 7.1.0.7), Adobe Flash (11.1), Adobe AIR (3.1), BlackBerry Bridge (connects to BB handheld for sync’ing email, contacts, calendar, etc.) • Use case: corporate user with existing BB handset
5. QNX • Microkernel, only truly trusted component • Separation of network, I/O, HMI, etc. into separate components • Trusted boot process • ASLR
6. Dingleberry • PlayBook jailbreak / root privesc released in Dec. 2011 • Discovered by @xpvqs and @neuralic, packaged by @cmwdotme • Issue (tl;dr): backups aren’t signed; jailbreak process creates custom backup, restores overwriting smb.conf; Samba then executes scripts as root
7. Security Controls • OpenBSD pf • POSIX (filesystem) ACLs • Compiler & linker protections for native apps: ProPolice, PIE, full RELRO • ASLR
8. PPS • “Persistent Publish / Subscribe” • Simple interface for sharing data, notifications via filesystem objects • Example: monitoring network interface state
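The PPS objects the slide describes (and the “.all” file that later slides show leaking nearby BSSIDs) are plain text, so the first thing a reviewer wants is a parser that turns a dump into structured data and lists what a world-readable object actually exposes. The following Python is an added example, not code from the deck or from the authors; it assumes the documented QNX PPS layout of an `@object` line followed by `attribute:encoding:value` lines (empty, `n`, `b` or `json` encodings), and the `.all`-style sample below is constructed, not captured from a device.

```python
"""Parse QNX PPS text objects (the /pps filesystem and its .all files).

Assumed layout, taken from the QNX PPS documentation rather than the deck:
    @object_name
    attribute:encoding:value
Encoding is empty for strings, "n" for numbers, "b" for booleans and
"json" for JSON values.  Delta-mode lines ("+attr", "-attr") are not handled;
this parses the output of a full read.
"""
import json
import re
from typing import Any, Dict, List

ATTR_RE = re.compile(r"^([^:]+):([^:]*):(.*)$")

# Constructed sample resembling a read of a directory's .all file, which
# concatenates every object in the directory into one stream.
SAMPLE_ALL = """\
@ti0
type::wifi
state::up
ip_address::10.1.2.3
link_speed:n:54000
connected:b:true
@scan_results
networks:json:[{"ssid":"corp-wifi","bssid":"00:11:22:33:44:55","rssi":-41},{"ssid":"guest","bssid":"66:77:88:99:aa:bb","rssi":-70}]
@pin
value::ABCDEF01
"""


def decode_value(encoding: str, raw: str) -> Any:
    """Turn the raw value field into a Python value according to its encoding."""
    if encoding == "n":
        return int(raw) if re.fullmatch(r"-?\d+", raw) else float(raw)
    if encoding == "b":
        return raw.strip().lower() == "true"
    if encoding == "json":
        return json.loads(raw)
    return raw  # empty encoding: plain string


def parse_pps(text: str) -> Dict[str, Dict[str, Any]]:
    """Map object name -> {attribute: value} for every object in the text."""
    objects: Dict[str, Dict[str, Any]] = {}
    current = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("@"):
            # "@name?options" may carry PPS options after '?'; keep only the name
            current = line[1:].split("?", 1)[0]
            objects.setdefault(current, {})
            continue
        m = ATTR_RE.match(line)
        if current is None or not m:
            raise ValueError(f"line {lineno}: not a PPS attribute line: {line!r}")
        attr, enc, raw = m.groups()
        objects[current][attr] = decode_value(enc, raw)
    return objects


def _walk(value: Any, path: str, out: List[str], patterns) -> None:
    """Collect dotted paths of keys whose name matches one of the patterns."""
    if isinstance(value, dict):
        for key, sub in value.items():
            sub_path = f"{path}.{key}"
            if any(p in key.lower() for p in patterns):
                out.append(sub_path)
            _walk(sub, sub_path, out, patterns)
    elif isinstance(value, list):
        for i, item in enumerate(value):
            _walk(item, f"{path}[{i}]", out, patterns)


def find_exposed(objects: Dict[str, Dict[str, Any]],
                 patterns=("bssid", "pin")) -> List[str]:
    """List object/attribute paths whose names suggest data a world-readable
    object should not carry; the default patterns cover the two leaks the
    deck names (nearby BSSIDs and the device PIN)."""
    found: List[str] = []
    for name, attrs in objects.items():
        if any(p in name.lower() for p in patterns):
            found.append(name)
        _walk(attrs, name, found, patterns)
    return found


if __name__ == "__main__":
    objs = parse_pps(SAMPLE_ALL)
    for path in find_exposed(objs):
        print("exposed:", path)
```

Running the script against a real `.all` read (redirect it into a file first) gives an inventory of which objects carry location-revealing or identifying attributes, which is the list to check against the ACLs authman applies to each PPS path.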
9. authman & permissions • authman service maps app permissions to system resources • Filesystem permissions + POSIX ACLs, pf rules • Shell script and Python glue to bind it all together
10. authman & permissions • /etc/authman: configs • Pair of files (".res" & ".acl"), named for profile type • carrier.acl? • /dev/authman: resource manager “dispatch” path
11. authman & permissions • Controls access to app permissions (allow, prompt, deny) • Sets FACLs on filesystem objects based on app permission requested
12. authman & pf • authman handles setting up (app) GID:rule mapping • Ex: limiting access to SapphireProxy (for BB Bridge) on 127.0.0.2
13. PlayBook applications • BlackBerry + JAR = ??? • Normal JAR structures • Entry point • AIR and ELF / Dalvik and Python
14. PlayBook applications • Native applications • Entry points interpreted as shell commands • ENV variables, shell scripts, etc. • AIR applications • Interface compiled libraries (i.e. UI stuff) • Can be packaged with ELF libraries
15. Development mode • SDK tools / side-load applications • Unprivileged shell access • Automatic session expiration
16. Exploring TabletOS • QNX Software Dev Platform (SDP) • PlayBook Simulator • Wealth of QNX documentation • Firmware images • SDK / NDK • Source code?
17. System updates • Signed packages (SHA1, SHA256, SHA512) • Three-stage process: poll available update bundles (HTTPS); request download info for a specific bundle (HTTPS); download and install individual packages (HTTP)
18. System updates: So what? • Control the version of software running on a device • Extract TabletOS file system • Reverse engineer system stuff • Diff changes between versions
19. System updates: MITM • x.509 checks were not originally enforced • 1.0.1 • 1.0.3 • Downgrades probably not possible • Control version of out-of-the-box devices • Cannot be fixed in a software update
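The update flow on slides 17 and 19 only holds together if two things are true: the first two stages really verify the server's x.509 chain and hostname, and every package fetched over plain HTTP in stage three is checked against digests that arrived over the authenticated stages before it is installed. The Python below is an added example illustrating that design, not code from the deck or from RIM; the download-info layout, URLs and package bytes are constructed stand-ins (the real TabletOS bundle format is not on the slides), and the rule that a manifest offering only SHA1 is rejected is this example's own caveat, not something the deck states.

```python
"""Stage-three package verification for a signed-bundle update flow.

Added example.  Assumptions (not from the deck): download info is a dict with
a "packages" list whose entries carry a name, a URL and hex digests keyed by
algorithm name; fetch(url) returns the bytes served over plain HTTP.
"""
import hashlib
import hmac
import ssl
from typing import Callable, Dict, List, Tuple

SUPPORTED = ("sha1", "sha256", "sha512")   # digest algorithms the slides list
STRONG = ("sha256", "sha512")              # at least one of these must match


def make_verifying_context() -> ssl.SSLContext:
    """TLS client settings for stages 1-2 (bundle poll, download info).

    ssl.create_default_context() verifies the server chain and hostname;
    the weak form (verify_mode=CERT_NONE, check_hostname=False) is exactly
    the missing x.509 check the MITM slide describes, so refuse to proceed
    if anything has downgraded the context.
    """
    ctx = ssl.create_default_context()
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS context does not verify the server; aborting")
    return ctx


def digests(data: bytes) -> Dict[str, str]:
    """Hex digests of data for every supported algorithm (manifest side)."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in SUPPORTED}


def verify_package(data: bytes, expected: Dict[str, str]) -> bool:
    """True only if every listed supported digest matches and at least one
    strong algorithm was among them.  Comparison is constant-time."""
    strong_ok = False
    for alg, want in expected.items():
        if alg not in SUPPORTED:
            continue
        got = hashlib.new(alg, data).hexdigest()
        if not hmac.compare_digest(got, want.lower()):
            return False
        strong_ok = strong_ok or alg in STRONG
    return strong_ok


def install_bundle(download_info: dict,
                   fetch: Callable[[str], bytes]) -> List[Tuple[str, bytes]]:
    """Fetch each package over the untrusted channel and accept it only if it
    matches the digests delivered over the authenticated channel."""
    verified: List[Tuple[str, bytes]] = []
    for pkg in download_info["packages"]:
        data = fetch(pkg["url"])              # stage 3: plain HTTP bytes
        expected = {k: v for k, v in pkg.items() if k in SUPPORTED}
        if not verify_package(data, expected):
            raise ValueError(f"digest mismatch for {pkg['name']}; refusing to install")
        verified.append((pkg["name"], data))
    return verified


def bundle_is_intact(download_info: dict, fetch: Callable[[str], bytes]) -> bool:
    """Boolean wrapper around install_bundle for callers that just want a verdict."""
    try:
        install_bundle(download_info, fetch)
        return True
    except ValueError:
        return False


# Constructed sample data: two packages and the download info that would have
# been returned over HTTPS in stage two.  The URLs are placeholders.
PKG_A = b"constructed package A contents"
PKG_B = b"constructed package B contents"
SERVED = {"http://updates.example/pkg-a": PKG_A,
          "http://updates.example/pkg-b": PKG_B}
DOWNLOAD_INFO = {
    "bundle": "constructed-bundle-version",
    "packages": [
        {"name": "pkg-a", "url": "http://updates.example/pkg-a", **digests(PKG_A)},
        {"name": "pkg-b", "url": "http://updates.example/pkg-b", **digests(PKG_B)},
    ],
}


def honest_fetch(url: str) -> bytes:
    return SERVED[url]


def tampered_fetch(url: str) -> bytes:
    """Simulates an on-path modification of one package in stage three."""
    data = SERVED[url]
    return data + b"\x00" if url.endswith("pkg-b") else data


if __name__ == "__main__":
    make_verifying_context()
    print("honest:", bundle_is_intact(DOWNLOAD_INFO, honest_fetch))
    print("tampered:", bundle_is_intact(DOWNLOAD_INFO, tampered_fetch))
```

The design point the example makes concrete: the HTTP download in stage three is fine as long as the digests it is checked against came over a verified TLS session, which is why the missing x.509 enforcement in 1.0.1 and 1.0.3 undermines the whole chain rather than just the metadata fetch.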
20. System updates: OOB bundle download • Available bundle versions • “X-Encryption-Id” • package_get.py • Brute-forcing unreleased versions?
21. QNX SDP • Examining known-good QNX6 partitions • Magic bytes • “chkqnx6fs”
22. Firmware reversing • OK, valid partition headers. Carve them? • Geometry? • Block size / count? • Examining QNX6 partitions more closely...
23. Simulator Tools • D’oh! Not enough bytes... • Simulator provides: “qcfm”, “qcfp” • “qcfp” looks a bit more promising...
24. TL;DR • QCFM “envelope” • Header represents several QCFP “partitions” • Block positions and counts • Null padding • “Poor man’s compression” • Signature cookie
25. Putting it to use • qcfm_parse.py • 0: Dummy partition? • 1: Signature cookie • 2: IFS image • 3: System partition • 4: Dummy partition?
26. Getting our files out • System partition: just mount it • IFS image: “dumpifs”, ifs_parse.py
27. “.all” the things • The “.all” file leads to some interesting leaks... like nearby BSSIDs (could be used to locate a user)
28. “.all” the things • So far, these may seem like silly examples, but they are artifacts of a peculiar design decision...
29. Native Code • Native applications request permissions, too • Our first PoC native app requested *zero* permissions, read device PIN, sent it to a remote listener • (This should have required "access_internet" and "read_device_identifying_information")
30. Native Code • Currently nothing stops native code from doing even nastier things (sans permissions) • We promised you a shell, Nico -- hopefully this will do for now :)
31. BlackBerry Bridge • Bridge allows you to “connect your BlackBerry® PlayBook™ tablet to your smartphone to access email, calendars... other data directly from your tablet.” • Read: where the Good Stuff’s at.
32. BlackBerry Bridge • Bridge PlayBook apps are special/glorified WebKit views • Apps connect to “SapphireProxy” on localhost • SapphireProxy connects to BB handset (via Bluetooth), interfaces with Bridge app on handset
33. BlackBerry Bridge • Bridge apps authenticate to SapphireProxy, receive token • If BB handset has password set, user must enter this • Once auth token is set, apps send it as both cookie and HTTP header
34. “Bridging” The Gap • Once user has paired and “unlocked” Bridge, session token is available to anyone • Malicious app can steal it via special PPS file, re-use: /pps/system/sapphire/.all
35. “Bridging” The Gap • Sapphire Proxy (on http://127.0.0.1:187) also serves as an open HTTP proxy • Proxied traffic goes over Bluetooth link and out of BlackBerry handset’s interface (WiFi or cell radio) • Possible access to corporate net or BES
36. App World • Purchase / download functionality (duh) • PlayBook and BBOS share a common interface • Asynchronous app purchase and download components
37. Oh... • Sequential file names • No session management • A local cache of App World can be yours (be sure to bring along external storage)!* • * assuming there’s anything that you want
38. App World • Evidently hosts all versions of all BBOS and PlayBook applications • Applications can be side-loaded • No centralized license management • Not unique to PlayBook, but significant • RIM response
39. Web services • Legitimate but somewhat impractical • pf restrictions • Hurry up and wait • Impractical, but not ineffective.
40. Web services • Help from Sapphire! • Snag dtmauth, proxy through BlackBerry handset (via Sapphire)
41. Samba • Desktop Manager • General file sharing • WiFi vs USB • x.509 certificates • Media • PROTIP: leave file sharing disabled
42. Bridge: More to consider • Bridge “Files” accesses BB handset storage... via WebDAV • Internal storage, SD card, camera images, etc. • Currently world readable/writable
43. Bridge: More to consider • Permissions and leaks may be resolved, but these issues will resurface
44. Things to keep an eye on • System scripts • Python / shell • “cleanup” stuff • File permissions • Logs • Support apps (Desktop Manager, Device Manager)