no apology required: deconstructing bb10
No Apology Required: Deconstructing BB10
CanSecWest 2014
Introduction
• Presentation is exploratory
• Research is on-going
• Focused mostly on methodology, less on findings
• Feel free to chat after (since we may run out of time)
• Title is because stereotypical Canadians apologize for everything
Introduction
• Ben Nell (bNull), Sr. Security Consultant, Accuvant Labs
• Zach Lanier (quine), Sr. Security Researcher, Duo Security
Presentation foul: <--- mixing memes --->
Why this matters
You’re an appsec consultant and your customer asks you if BlackBerry Balance solves BYOD
Agenda
• Previous Research
• Platform Overview
• Methodology
• Attack Surface
• Future Work
Previous Research
Our PlayBook stuff
• Targeted predecessor of BB10 (TabletOS on BB PlayBook)
• Discovered AuthZ token disclosure for Bridge/Balance (steal all the corporate data)
• RE’d firmware
• Mirrored all of AppWorld (steal all the premium apps)
• And more...
Our PlayBook stuff (cont’d)
• Discovered that native apps can exec*() / spawn*() and open AF_INET sockets unfettered (no permissions required)
• Still true in BB10, but (even detached) child procs killed when app/parent ends
• “Headless Apps” allow for background services, but special perms required
• Granting of perms is contingent upon approval from RIM/BB signing service
Others
• Julio Cesar Fort’s QNX research
• SEC Consult BB10 paper
• RPW’s BB10 preso (BH USA ’13)
• Tim Brown’s various QNX/TabletOS/BB10 works
Platform Overview
Overview
• ARM-based SoCs (Z10, Q10, and Z30 all Snapdragon S4 SoC)
• BB10 (based on QNX Neutrino RTOS 8.0.0)
• Major components (as of 10.2.1.1925):
  • WebKit (537.10 / 10.2.1.66)
  • Adobe Flash (11.1.121.199)
  • Adobe AIR (3.1.0.230)
  • BlackBerry Balance (isolated, corporate PIM)
QNX
• Microkernel, only truly trusted component
• Userspace kernel and process manager - procnto
• Separation of network, I/O, HMI, etc. into separate components
• Messaging layer provides IPC (QNX message passing + POSIX IPC abstraction)
• Prev. public bugs disclosed by Ilja van Sprundel, Tim Brown, Julio Cesar Fort, cenobite, and others
Security Controls / Mitigations
• OpenBSD NetBSD pf
• POSIX (filesystem) ACLs
• Compiler & linker protections for native apps
• Usual suspects: XN, ASLR, ProPolice, PIE + full RELRO
QDE/Momentics default build options
Security Features
• Blackberry Balance
• Encrypted, FACL’d “container”
• a.k.a. “perimeter”
• BES policy enforcements
• DISA STIGs guide these
authman & permissions
• authman service - maps app permissions to system resources
• Filesystem permissions + POSIX ACLs, PF rules
• Shell script and Python glue to bind it all together
authman & permissions
• /dev/authman: resource manager “dispatch” path (QNX IPC endpoint)
• /etc/authman: configs
• Pair of files (".res" & ".acl"), named for profile type
authman & permissions
• Controls access to app permissions (allow, prompt, deny)
• Sets FACLs on filesystem objects based on app permission requested
• Also sets process capabilities for certain permission types (e.g. “Headless apps”)
authman & pf
• authman handles setting up (app) GID:rule mapping
• Ex: limiting access to SapphireProxy (for BB Bridge) on 127.0.0.2
Output from sloginfo (tool to print the system log); the slide callouts mark “capabilities” based on permissions, ACLs based on permissions, and the pf rule(s):
Dec 06 01:53:04 5 41 0 authman: RX euid=89/egid=0, 'defapp ext __def personal dual 100001000 100001000 sys.browser.gYABgJYFHAzbeFMPCCpYWBtHAm0 "Browser" "Research In Motion Limited" "gYAAgNpMbwE-hW4khx0h8BidUeI" run_when_backgrounded manage_certificates access_location_services use_camera record_audio access_shared access_internet post_notification gain_oma_fl_group access_oma_fl_write_personal access_oma_fl_write_enterprise access_bbjma_data access_carrier_browser access_cclagent_service use_certmgr_server access_wifi_limited run_native permanent access_perimeter_personal'
Dec 06 01:53:04 5 41 0 authman: Requested caps:
Dec 06 01:53:04 5 41 0 authman: req:Allow execute
Dec 06 01:53:04 5 41 0 authman: Applying execute
Dec 06 01:53:04 5 41 0 authman: pf_remove_gid: scanning anchors for gid=100001000
Dec 06 01:53:04 5 41 0 authman: Requested caps:
Dec 06 01:53:04 5 41 0 authman: req:Allow run_when_backgrounded
Dec 06 01:53:04 5 41 0 authman: req:Allow manage_certificates
Dec 06 01:53:04 5 41 0 authman: req:Allow access_location_services
Dec 06 01:53:04 5 41 0 authman: req:Allow use_camera
Dec 06 01:53:04 5 41 0 authman: req:Allow record_audio
Dec 06 01:53:04 5 41 0 authman: req:Allow access_shared
Dec 06 01:53:04 5 41 0 authman: req:Allow access_internet
Dec 06 01:53:04 5 41 0 authman: req:Allow gain_oma_fl_group
Dec 06 01:53:04 5 41 0 authman: req:Allow access_oma_fl_write_personal
Dec 06 01:53:04 5 41 0 authman: req:Allow access_oma_fl_write_enterprise
Dec 06 01:53:04 5 41 0 authman: req:Allow access_bbjma_data
Dec 06 01:53:04 5 41 0 authman: req:Allow access_carrier_browser
Dec 06 01:53:04 5 41 0 authman: req:Allow access_cclagent_service
Dec 06 01:53:04 5 41 0 authman: req:Allow use_certmgr_server
Dec 06 01:53:04 5 41 0 authman: req:Allow access_wifi_limited
Dec 06 01:53:04 5 41 0 authman: req:Allow run_native
Dec 06 01:53:04 5 41 0 authman: req:Allow permanent
Dec 06 01:53:04 5 41 0 authman: req:Allow access_perimeter_personal
Dec 06 01:53:04 5 41 0 authman: Applying run_when_backgrounded
Dec 06 01:53:04 5 41 0 authman: Applying manage_certificates
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/certmgr/control
Dec 06 01:53:04 5 41 0 authman: Applying access_location_services
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_cell_cdma_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_cell_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/radioctrl/modem0/status_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/geomonitor/control
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=050, /pps/services/geolocation/geomonitor
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/control
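The sloginfo output above is the raw record of what authman does when an app's permissions are applied; reducing it to a per-permission list of PPS objects and group rights is the quickest way to audit what a given permission actually grants. This is an added example (our own Python, not code from the talk) run over a constructed, abridged excerpt of that log; applied permissions that touch no ACL (the capability side of the slide's callouts) and the pf_remove_gid line are reported separately.

```python
import re

# Constructed excerpt in the shape of the sloginfo/authman output on the slide (abridged).
SAMPLE_LOG = """\
Dec 06 01:53:04 5 41 0 authman: RX euid=89/egid=0, 'defapp ext __def personal dual 100001000 100001000 sys.browser.gYABgJYFHAzbeFMPCCpYWBtHAm0 "Browser" "Research In Motion Limited" run_when_backgrounded manage_certificates access_location_services'
Dec 06 01:53:04 5 41 0 authman: req:Allow execute
Dec 06 01:53:04 5 41 0 authman: Applying execute
Dec 06 01:53:04 5 41 0 authman: pf_remove_gid: scanning anchors for gid=100001000
Dec 06 01:53:04 5 41 0 authman: req:Allow manage_certificates
Dec 06 01:53:04 5 41 0 authman: Applying run_when_backgrounded
Dec 06 01:53:04 5 41 0 authman: Applying manage_certificates
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/certmgr/control
Dec 06 01:53:04 5 41 0 authman: Applying access_location_services
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=050, /pps/services/geolocation/geomonitor
"""

LINE_RE = re.compile(r"^\w{3} \d\d \d\d:\d\d:\d\d \S+ \S+ \S+ authman: (?P<msg>.*)$")
RX_RE = re.compile(r"RX euid=\d+/egid=\d+, '(?:\S+ ){5}\d+ (?P<gid>\d+) (?P<app>\S+)")
REQ_RE = re.compile(r"req:Allow (?P<perm>\S+)")
APPLY_RE = re.compile(r"Applying (?P<perm>\S+)")
ACL_RE = re.compile(r"set_acl_group_perms: gid=\d+, perms=(?P<mode>[0-7]{3}), (?P<path>\S+)")
PF_RE = re.compile(r"pf_remove_gid: scanning anchors for gid=(?P<gid>\d+)")

def group_rights(mode):
    # authman gives the app's GID *group* rights on the PPS object: the middle octal digit.
    g = int(mode[1])
    return "".join(flag for bit, flag in ((4, "r"), (2, "w"), (1, "x")) if g & bit)

def parse_authman_log(text):
    """Return (app info, {applied permission: [(pps path, group rights), ...]})."""
    info = {"app": None, "gid": None, "requested": [], "pf_gids": []}
    grants, current = {}, None   # current = permission whose ACL lines follow
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if (rx := RX_RE.match(msg)):
            info["app"], info["gid"] = rx.group("app"), rx.group("gid")
        elif (rq := REQ_RE.match(msg)):
            info["requested"].append(rq.group("perm"))
        elif (ap := APPLY_RE.match(msg)):
            current = ap.group("perm")
            grants.setdefault(current, [])
        elif (acl := ACL_RE.match(msg)):   # orphan ACL lines collect under key None
            grants.setdefault(current, []).append((acl.group("path"), group_rights(acl.group("mode"))))
        elif (pf := PF_RE.match(msg)):
            info["pf_gids"].append(pf.group("gid"))
    return info, grants
```

Permissions that appear in `grants` with an empty list were applied without any ACL change, so their enforcement (if any) lives in process capabilities or pf rather than the filesystem.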
PPS
• “Persistent Publish / Subscribe”
• Implemented by pps manager process
• Simple interface for sharing data, notifications/eventing via filesystem objects
IPC
• IPC is key in QNX
• “Message passing” & signals implemented in microkernel
• Other IPC (POSIX-compatible) mechanisms implemented by manager processes
Diagram: QNX IPC mechanisms. Implemented in the kernel: message passing (message copying, simple messages, channels), events (pulses, signals, unblocks), and signals. Implemented by an external process/manager: shared memory, pipes, FIFOs, and typed memory.
Application Model
• Native (C/C++)
• WebWorks / Cordova (HTML/JS)
• Adobe AIR (Flash/AS, HTML/JS)
• Android (Java/DEX)
20 app perms documented
340 unique app & sys perms observed
Application Model
• App processes run with same UIDs, but separate GIDs (incl. supplemental GIDs)
• Apps have separate data stores/”sandboxes”
• With Balance/corporate separation, additional data stores
• Production apps are signed by BB/RIM signing server
Our Approach to the Platform
meth·od·ol·o·gy /ˌmeTHəˈdäləjē/
Testing Limitations
Testing Limitations
• General lack of enthusiasm for BB10 as a target
• General lack of public information about the system
• Effective security controls
• We’re left looking at a black box
OSINT
Just ask the internet!
OSINT
Existing previous work
• Our PlayBook work
• SEC Consult paper
• Works by RPW, Tim Brown, Julio Cesar Fort, etc.
• Not a ton of stuff out there
https://www.sec-consult.com/fxdata/seccons/prod/downloads/sec_consult_vulnerability_lab_blackberry_z10_initial_analysis_v10.pdf
OSINT: QNX Foundry
• Man pages for QNXisms
• Downloads
• Forums
• Wiki
• Google dorks are golden…
OSINT
Speaking of Google dorks…
OSINT: Some random RIM employee’s file dump? (screenshot callouts)
• Upcoming product feature assessment
• Hardware code names
• Upcoming project effort estimations / release dates
OSINT
Some random RIM employee’s file dump? (screenshot callouts)
• Internal bug tracker, internal URL
OSINT: Some random RIM employee’s file dump?
• Pre-release BB10 developer image for Winchester/PlayBook
Dynamic Analysis
Watch it work and try to understand “why”
Dynamic Analysis
RIM wants to get your hacking^Wdevelopment projects up and running as quickly as possible!
Lots of SDK stuff, including a native SDK, giving us:
• libc, libcurl, OpenSSL, V8, and tons more
• Easy cross-compilation
Dynamic Analysis: Development Tools (screenshots)
• Sample code
• Momentics target navigator: proc/thread mem info, FS nav, etc.
• Controller app: controls NFC, camera, geoloc, etc. for Simulator
Dynamic Analysis
• Momentics provides QNX-specific versions/builds of the typical toolchain
• gdb
• also objdump, nm, readelf, gcc, etc.
Dynamic Analysis: BlackBerry Simulator / QNX Software Dev Platform (SDP)
• Gives us something similar to the real thing
• We can have root access*
• Access to tools relevant to the real thing
• MDS Simulator
• It’s like the non-official “platform” debug tool
• A fully accessible QNX environment
* - with a bit of work
Dynamic Analysis: Just another box on the network
• Testing harness
• Wireshark
• Proxy (Burp and friends)
• nmap
• Various fuzzers
• Custom stuff
Dynamic Analysis (screenshots)
• There are lots of network services
• Twist: BB10 network services
Dynamic Analysis
• Unsurprisingly, logs => info
• slogger (app event logger) and slogger2 (system event logger)
• Readable on simulator with sloginfo and slog2info
• slog* devices not readable on device :(
Dec 07 16:14:20.041 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 [ServiceManager] refreshing accounts list
Dec 07 16:14:20.042 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Calling AccountServicePrivate::accounts for service "contacts"
Dec 07 16:14:20.042 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Calling AccountServicePrivate::accounts
Dec 07 16:14:20.044 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 MNH(93): handleAccountUpdated accountId 4
Dec 07 16:14:20.045 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 Calling AccountServicePrivate::account for AccountKey = 4
Dec 07 16:14:20.052 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 GET 0x13
Dec 07 16:14:20.052 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 URL Buffer: http://127.0.0.1:8888/accounts/4
Dec 07 16:14:20.066 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 GET 0x1
Dec 07 16:14:20.066 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 URL Buffer: http://127.0.0.1:8888/accounts
Dec 07 16:14:20.072 sys.pim.messages.gYABgJ8jn83Ok_NEWYplPYozt5w.3567740 default 9000 Curl Easy perform
Dec 07 16:14:20.080 sys.pim.contacts.gYABgGsAOuzqCT1fu5Zx4sqrJdY.28930195 default 9000 Curl Easy perform
Dec 07 16:14:20.081 menu_service.2830447 menu_svc_logs 0 MS PIMCORE: command: GET method: /accounts URL:http://127.0.0.1:8888/accounts
Dec 07 16:14:20.082 phone.3567743 phone 0 [ I][18][PlatformContact:lookupByPhoneNu| 107] ContactService returns 0 contacts for number '1212xxxxx40'.
Dynamic Analysis: Debugging is a breeze (screenshots: target, host, fuzzing…)
Static Analysis
For the things that can’t be watched
Static Analysis: Installation bundles
• BAR format (hurr durr)
• De-facto standard for any non-factory packages
• META-INF directory
  • Code signatures and app info
• “assets”
% zipinfo -l1 ./Gooby/arm/o.le-v7/Gooby-1_0_0_1.bar
META-INF/MANIFEST.MF
META-INF/AUTHOR.SF
META-INF/AUTHOR.EC
META-INF/RDK.SF
META-INF/RDK.EC
native/bar-descriptor.xml
native/icon.png
native/assets/main.qml
native/qm/Gooby.qm
native/Gooby.so
native/GoobyService
native/assets/.assets.index
Static Analysis: MANIFEST.MF (screenshots)
• Package Meta Info
• Application Meta Info
• Entry Point Info
Static Analysis: Getting Firmware
• MITM the CDN downloads
• The “community” has built some good tools
http://forums.crackberry.com/bb10-leaked-beta-os-f395/sachesi-firmware-extractor-searcher-installer-825409/
Static Analysis: Getting Into the Firmware
• “pbtools”
• Mount the firmware in Simulator or SDP
• SCP the files back out
https://github.com/intrepidusgroup/pbtools
Static Analysis: Shell Scripts
• /base/scripts/
• Easy to read
• grep-fu for great success!
(screenshot) from “startup.sh”
Static Analysis: Python, for everything important on BB10 that isn’t written in bash
• Most of it is compiled Python (bytecode; *.pyc)
• unpyc3.py
https://code.google.com/p/unpyc3/
Static Analysis: ActionScript
• Decompile with Sothink / whatever
• Most ActionScript apps handle front-end stuff
(screenshot) qnx.AIRServices.ota.OtaUpdate
Static Analysis: Compiled binaries
• IDA cleanly disassembles
• ARM / x86
• Without a public root, disassembly might be your best/only bet for dorking with many network services
Entry Points
Where the device accepts data
IPC
• Numerous IPC endpoints available
• QNX channels particularly caught our eye
• Wrote some horrible IPC scanners / fuzzers
• Problem: not always sure WTF is on the other end of a channel (or able to attach to channel but unable to send)
• Also DoS’d/froze device multiple times during mass channel scans
$ ./scanchan.py 643092
Could not find platform independent libraries <prefix>
Consider setting $PYTHONHOME to <prefix>[:<exec_prefix>]
[+] PID: 643092 - Connected to channel: 2
[-] PID: 643092 - Error for channel 6: [Errno 1] Operation not permitted

$ ./fchan1.py 1019928 16
[+] PID: 1019928 - Connected to channel: 16
(48, b"AAAAAAAAAAAAAAAA(coid, b'Hello!')\n c\x01\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x02\x00\x00\x00O\x00\x00\x00s\x16\x00\x00\x00|\x01\x00|\x00\x00_\x00\x00|\x02\x00|\x00\x00_\x01\x00d\x00\x00S(\x01\x00\x00\x00N(\x02\x00\x00\x00u\x04\x00\x00\x00argsu\x06\x00\x00\x00…
Network Services
• Samba!
• WWW!
• WebDAV!
• Proxies!
• SSH!
• Other stuff!
Network Services: Local-hosted CGI scripts are used for device management “stuff”
• Backup & restore
• Application installation
• Device reset
• Limited logging control
• Limited PIM management
• Enterprise registration
• Etc
WiFi
• Many device management functions happen over HTTP/SMB with the option of operating over WiFi
• Handset acts as a UPnP gateway
• There are some real problematic areas observable over WiFi
USB
• Mass storage? Nay, Ethernet!
• Similar to WiFi (WWW/SMB), with additional capabilities
Bluetooth
• Tether your handset to your tablet
• SapphireProxy (get it?)
• WebDAV
• HTTP proxy
• Protected by pf
BlackBerry “Bridge” / SapphireProxy
This service has had problems in the past… *
* Barely recognizable BattleStar reference
NFC
It works and there are no security problems?
• Haven’t really explored this ourselves.
• Biggest concern likely bad NDEF message parsing by 3rd party native apps
Local Application
• Malware / Client-side attacks
• Insufficient controls on sensitive local file and network resources
• Privilege escalations are like gold
Balance
• An attempt at solving BYOD
• “Perimeters” manage the separation between personal and enterprise applications, data, and network resources
• Enterprise perimeter security is controlled by BES and enforced locally
Balance
Concerned Consumer:
Sounds great. How does it work? I am familiar with the iOS security model and might expect to see some sort of sandboxing technology to enforce this separation.
Balance
RIM:
I don’t want to say that it’s all based on file permissions…
…but it’s all based on file permissions
Future Work
TODO
• Further (re-)exploration of...
• authman
• system IPC endpoints
• Balance
• Android support
• Radio (NFC, Cell/BB, BT)
• HDMI, USB
Conclusion
Questions / Contact
• https://twitter.com/quine
  [email protected]@duosecurity.com
• https://twitter.com/bnull
<--shameless plug