Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Voight-Kampff'ing The BlackBerry PlayBook (v2)

Voight-Kampff'ing The BlackBerry PlayBook (v2)

Voight-Kampff'ing The BlackBerry PlayBook (Final) at SOURCE Boston 2012

Zach Lanier

April 18, 2012
Tweet

More Decks by Zach Lanier

Other Decks in Research

Transcript

  1. Why this matters • New, different platform • PlayBook targets

    enterprises • Designed to separate “personal” apps/data from “corporate” apps/data 3 ...and we can steal that corporate data
  2. Agenda • Platform Overview • Application Overview • Methodology •

    Research Findings • Additional Considerations 4
  3. “He say you Blade Runner...” • Deckard hunts Replicants (he’s

    an *android killer*) • PlayBook codename = “Deckard” • Voight-Kampff machine for interrogation • Hence the theme 5
  4. Platform Overview • TI OMAP4430 (dual-core ARM Cortex A9) •

    TabletOS (based on QNX Neutrino RTOS v6.6) • Major components: • WebKit (534.11 / Safari 7.1.0.7) • Adobe Flash (11.1) • Adobe AIR (3.1) • BlackBerry Bridge (connects to BB handheld for sync’ing email, contacts, calendar, etc.) • Use case: corporate user with existing BB handset 7
  5. QNX • Microkernel, only truly trusted component • Separation of

    network, I/O, HMI, etc. into separate components • Trusted boot process • ASLR 8
  6. Dingleberry • PlayBook jailbreak / root privesc released in Dec.

    2011 • Discovered by @xpvqs and @neuralic, packaged by @cmwdotme • Issue (tl;dr): backups aren’t signed; jailbreak process creates custom backup, restores overwriting smb.conf; Samba then executes scripts as root • Now irrelevant 9
  7. Security Controls • OpenBSD pf • POSIX (filesystem) ACLs •

    Compiler & linker protections for native apps • ProPolice, PIE, full RELRO • ASLR 10
  8. PPS • “Persistent Publish / Subscribe” • Simple interface for

    sharing data, notifications via filesystem objects • Example: monitoring network interface state 11
  9. authman & permissions • authman service - maps app permissions

    to system resources • Filesystem permissions + POSIX ACLs, PF rules • Shell script and Python glue to bind it all together 12
  10. authman & permissions • /etc/authman: configs • Pair of files

    (".res" & ".acl"), named for profile type • carrier.acl? • /dev/authman: resource manager “dispatch” path 13
  11. authman & permissions • Controls access to app permissions (allow,

    prompt, deny) • Sets FACLs on filesystem objects based on app permission requested 14
  12. authman & pf • authman handles setting up (app) GID:rule

    mapping • Ex: limiting access to SapphireProxy (for BB Bridge) on 127.0.0.2 15
  13. PlayBook applications • BlackBerry + JAR = ??? • Normal

    JAR structures • Entry point • AIR and ELF / Dalvik and Python 17
  14. PlayBook applications • Native applications • Entry points interpreted as

    shell commands • ENV variables, shell scripts, etc • AIR applications • Interface compiled libraries (i.e. UI stuff) • Can be packaged with ELF libraries 18
  15. Development mode • SDK tools / side-load applications • Unprivileged

    shell access • Automatic session expiration 22
  16. Exploring TabletOS • QNX Software Dev Platform (SDP) • PlayBook

    Simulator • Wealth of QNX documentation • Firmware images • SDK / NDK • Source code? 25
  17. System updates • Signed packages (SHA1, SHA256, SHA512) • Three

    stage process: • Poll available update bundles (HTTPS) • Request download info for a specific bundle (HTTPS) • Download and install individual packages (HTTP) 27
  18. System updates: So what? • Control the version of software

    running on a device • Extract TabletOS file system • Reverse engineer system stuff • Diff changes between versions 29
  19. System updates: MITM • x.509 checks were not originally enforced

    • 1.0.1 • 1.0.3 • Downgrades probably not possible • Control version of out-of-the-box devices • Cannot be fixed in a software update 30
  20. System updates: OOB bundle download • Available bundle versions •

    “X-Encryption-Id” • package_get.py • Brute-forcing unreleased versions? 32
  21. QNX SDP • QNX SDP • Examining known-good QNX6 partitions

    • Magic bytes • “chkqnx6fs” 34
  22. Firmware reversing • Ok, valid partition headers. Carve them? •

    Geometry? • Block size / count? • Examining QNX6 partitions more closely... 35
  23. Simulator Tools • D’oh! Not enough bytes... • Simulator provides:

    • “qcfm” • “qcfp” “qcfp” looks a bit more promising... 37
  24. TL;DR • QCFM “envelope” • Header represents several QCFP “partitions”

    • Block positions and counts • Null padding • “Poor man’s compression” • Signature cookie** 40
  25. Putting it to use • qcfm_parse.py • 0: Dummy partition?

    • 1: Signature cookie • 2: IFS image • 3: System partition • 4: Dummy partition? 41
  26. Getting our files out • System partition • Just mount

    it • IFS image • “dumpifs” • ifs_parse.py 42
  27. “.all” the things • The “.all” file leads to some

    interesting leaks...like nearby BSSIDs (could be used to locate a user) 45
  28. “.all” the things • So far, these may seem like

    silly examples, but are artifacts of a peculiar design decision... 48
  29. Native Code • Native applications request permissions, too • Our

    first PoC native app requested *zero* permissions, read device PIN, sent it to a remote listener • (This should have required "access_internet" and "read_device_identifying _information") 49
  30. Native Code • Currently nothing stops native code from doing

    even nastier things (sans filesystem or device permissions) 50
  31. BlackBerry Bridge • Bridge allows you to “connect your BlackBerry®

    PlayBook™ tablet to your smartphone to access email, calendars... other data directly from your tablet.” • Read: where the Good Stuff’s at. 51
  32. BlackBerry Bridge • Bridge PlayBook apps are special/glorified WebKit views

    • Apps connect to “SapphireProxy” on localhost • SapphireProxy connects to BB handset (via Bluetooth), interfaces with Bridge app on handset 52
  33. BlackBerry Bridge • Bridge apps authenticate to SapphireProxy, receive token

    • If BB handset has password set, user must enter this • Once auth token is set, apps send as both cookie and HTTP header 53
  34. “Bridging” The Gap • Once user has paired and “unlocked”

    Bridge, session token is available to anyone • Malicious app can steal via special PPS file, re-use /pps/system/sapphire/.all 54
  35. “Bridging” The Gap • Sapphire Proxy (on http://127.0.0.1:187) also serves

    as an open HTTP proxy • Proxied traffic goes over Bluetooth link, and out of BlackBerry handset’s interface (WiFi or cell radio) • Possible access to corporate net or BES 57
  36. App World • Purchase / download functionality (duh) • PlayBook

    and BBOS share a common interface • Asynchronous app purchase and download components 58
  37. Oh... • Sequential file names • No session management •

    A local cache of App World can be yours (be sure to bring along external storage)!* * assuming there’s anything that you want 60
  38. App World • Evidently hosts all versions of all BBOS

    and PlayBook applications • Applications can be side-loaded • No centralized license management • Not unique to PlayBook, but significant • RIM response 62
  39. Web services • Legitimate but somewhat impractical • pf restrictions

    • Hurry up and wait Impractical, but not ineffective. 65
  40. Web services • Help from Sapphire! • Snag dtmauth, proxy

    through BlackBerry handset (via Sapphire) 66
  41. Samba • Desktop Manager • General file sharing • WiFi

    vs USB • x.509 certificates • Media PROTIP: leave file sharing disabled 69
  42. Bridge: More to consider • Bridge “Files” accesses BB handset

    storage...via WebDAV • Internal storage, SD card, camera images, etc. • FS perms controlled through group membership (1000_shared, which maps to access_shared app perm) 71
  43. Bridge: More to consider • Permissions and leaks may be

    resolved, but these issues will resurface 72
  44. Things to keep an eye on • System scripts •

    Python / shell • “cleanup” stuff • Android support (a lot of potentially kludgy glue) • File permissions • Logs • Support apps (Desktop Manager, Device Manager) 73
  45. Questions? • [email protected] https://twitter.com/quine • [email protected] https://twitter.com/bnull • http://github.com/intrepidusgroup/pbtools •

    FILL OUT THE SURVEY - http://surveymonkey.com/sourceboston12 Greetz: NickDe, HockeyInJune, jono, bliss, ddz, dguido, cstone #busticati, #painsec 74