
1 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.

GRRCON 2014

Picking Blackberries

THOMAS RICHARDS


About Me

• Thomas Richards

• Security Consultant @ Cigital, Inc

• @g13net - Twitter

• Web App, Mobile, Red Team

assessments

• Organizer for BsidesROC

• Presented previously at DerbyCON,

GrrCON, CarolinaCON, BsidesSF


ToC

• 0x1 Intro + History

• 0x2 BB10 Platform Security

• 0x3 BB10 Simulator

• 0x4 BB10 Apps

• 0x5 Misc


0x1 Intro


Blackberry

• What is Blackberry?

o Formerly Research in Motion (RIM)

o Canadian

o Started with Pagers

• Introduced its first smartphone to receive corporate email in April 2000

• Very popular with governments and businesses

o Until about 2007


BBOS

• Original proprietary OS used on Blackberry handsets

• Ran Java Apps

• If you owned a Blackberry before 2013 this is what you used

• Last version released is 7.1


BB10

• In an attempt to stay relevant and compete against iOS and Android, BB released BB10

• Radical departure from previous OSes

• Based on QNX

• What happened to BB8 and BB9?


QNX

• Commercial Unix-like real-time operating system.

• Originally targeted at the embedded systems market

• First version released in 1982


QNX Cont.

• Micro-kernel Based

• Real-Time Operating System

• POSIX compliant


QNX Architecture


Acquired by BB

• QNX was bought by BB in 2010

• The next day, access to the source code was restricted

• The Blackberry Playbook was the first BB device to run a QNX based OS

• Tablet OS


Playbook


Z10

• First BB10 based phone

• Released in 2013

• Did not include a hardware keyboard


Insert picture of Z10


Tablet OS Vs BB10

• Aside from UI changes

• Android Applications

o Wha????


Android on BB10

• Full Android Environment and runtime

• Originally Apps needed to be “wrapped”

• Newer versions support traditional APKs

• App Stores?

o Play Store was not there

o BB announced partnership with Amazon to include Amazon Store in BB10.3


0x2 BB10 Platform Security


Landscape

• The Playbook was rooted early on, BB was determined to prevent that on new BB10 phones

• Introduced a number of hardware and software security measures to keep the devices secure and locked


Rooting Playbook

• Took advantage of unsigned backup files

• Modifies the backup and edits Samba.conf

• Blackberry patched this.

• Dingleberry


System Protection

• To prevent exploits:

o ASLR is enabled

o Stack Canaries

o DEP


Hardware Protection

• Firmware images are signed

• Blackberry controls both the hardware and software

• Keys to verify the firmware images are embedded


Secure Boot


Application Sandboxing

• Done by filesystem permissions

• Enforced by authman

• Memory is also contained


Authman

• Authorization Manager

• Resource manager which handles requests from processes

• Apps send requests through launcher

• Authman verifies the apps have permission to access the service or component they are requesting


Dual Persona

• Blackberry Balance

o Work and Personal “spaces”

o Enforced by filesystem permissions and authman

o Work apps are separate from personal ones


Balance Boundaries

• When I had access to BB10 in an enterprise environment…

• The Workspace was able to access files and information in the personal space

o Email information, clipboard

o These files were world-readable


0x3 BB10 Simulator


Developing for BB10

• BB offers a simulator to test apps without needing a BB10 device

• Vmware image

• x86

o Actual BB10 devices are ARM


No Registration Required!


Simulator


Couple of Caveats

• Applications compiled for the Sim need to be recompiled for a device

o Symbols get stripped when compiled for a device

• No root access*

• No Blackberry World access*


Rooting the Simulator

• Wanted to start digging around at the internals of the system.

• Already had shell access

• How to get root?


Editing the FS

• Needed to mount the VMware disk image in another VM in order to modify the disk

• Linux only has read support for the QNX6 FS (which is what BB10 uses)

• Solution?


QNX Neutrino VMWare Image


QNX Neutrino Vmware Image

• No registration needed

• QNX environment which supports QNX6!

• Profit!


How to root

• Add BB10 sim disk to QNX SDP VM

• Boot

• Mount the disk

• Edit /etc/shadow to include a root entry

o I copied the devuser entry from the QNX image so I knew the password

• Woot.


Shadow file


Blackberry World Access

• On Beta releases of the Sim, BBWorld access was restricted

• Two things were needed:

o Blackberry ID

o Valid Hardware ID

• Found a way to spoof it and gain BBWorld access


However…

• It appears BB has made my efforts futile

• BBWorld works on version 10.0.09-2372 of the simulator

• Without changes?


Next Steps

• Explore file system

• See Zach Lanier and Ben Nell’s talk from CanSecWest


0x4 BB10 Apps


Write apps in…

• Native

o C/C++

• HTML5

• Adobe AIR

• Android!


BB10 App Packaging

• BAR files

• Similar to APKs, basically signed ZIP archives

• Will contain two directories, META-INF and native (or android)


Exploded BAR


META-INF

• Contains MANIFEST.MF

• Package Information

• Checksums

• Etc.


Native/

• bar-descriptor.xml

• Application binary and assets


Exploring BBWorld

• With World access on the rooted simulator

• We can start to explore and pick apart apps on the market


Casual Observations

• Want to do mobile banking?

• Only two US banks are:

o Wells Fargo

o BoA

• Lots of European and Canadian Banks!


Oh and…

• Of course Bitcoin


Details, Details


Reviews


Sachesi

• Open source tool to extract, search, (un)install BB firmware and applications

• Also can backup, restore, wipe, and nuke a device

• New version has access to browse BB World


AppWorld


Firmware


Installing Apps


Repacking Apps

• As stated before, each BAR file will contain META-INF/ and native/ (or android/) directories.

• When an app is installed on a device, the BAR file gets removed.

• What is left behind…


Yay….

• The public/ dir isn’t needed

• With root access to the simulator

• With BB World running on the simulator

• …

• We can extract apps from the simulator for repacking (malicious or piracy)


Quick Note

• Pretty sure third party BB app stores aren’t a thing.

• This is purely academic


How to Repack A BB App

• Sign up and get a BB Developer Cert

o Free!

o Incredibly long process… not detailing here

• Download app from World in simulator

• Extract installed directory

• Add META-INF/ and native/ to new .BAR file (just a ZIP)

• Sign .BAR with your cert

• Profit!
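The packaging and repacking slides above describe a BAR as a signed ZIP whose META-INF/MANIFEST.MF carries checksums, and show that an extracted app can be re-signed with any developer certificate. The Python below is an added example, not the talk's or BlackBerry's code: it models such a package, verifies every listed asset digest, and shows that a repacked copy passes the digest check and is only caught when the expected signer is pinned. The manifest key names, the HMAC stand-in for the signature, and all keys and assets are constructed assumptions, not BlackBerry's real format.

```python
# Added example, not from the talk: a BAR-style package modelled as a ZIP whose
# META-INF/MANIFEST.MF lists per-asset digests. A repacked, re-signed copy passes the
# digest check and is only caught by pinning the signer. Key names and the HMAC
# "signature" are constructed stand-ins, not BlackBerry's real manifest format.
import base64, hashlib, hmac, io, zipfile

def _digest(data):
    return base64.b64encode(hashlib.sha512(data).digest()).decode()

def build_bar(assets, signer_key, signer_id, listed=None):
    """Pack assets {path: bytes}; manifest digests come from `listed` (default: assets)."""
    lines = ["Archive-Manifest-Version: 1.0"]
    for path, data in sorted((listed or assets).items()):
        lines += [f"Archive-Asset-Name: {path}", f"Archive-Asset-Digest: {_digest(data)}"]
    manifest = "\n".join(lines).encode()
    sig = hmac.new(signer_key, manifest, hashlib.sha256).hexdigest()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, data in assets.items():
            z.writestr(path, data)
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/SIGNER.SF", f"{signer_id}\n{sig}".encode())
    return buf.getvalue()

def parse_manifest(text):
    """Return {asset_path: digest} from consecutive Name/Digest line pairs."""
    digests, name = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(": ")
        if key == "Archive-Asset-Name":
            name = value
        elif key == "Archive-Asset-Digest" and name:
            digests[name], name = value, None
    return digests

def verify_bar(blob, trusted_signers):
    """Check each listed asset against its digest, then the signer against an allow-list."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        manifest = z.read("META-INF/MANIFEST.MF")
        for path, expected in parse_manifest(manifest.decode()).items():
            if not hmac.compare_digest(_digest(z.read(path)), expected):
                return "tampered asset: " + path
        signer_id, sig = z.read("META-INF/SIGNER.SF").decode().split("\n")
    key = trusted_signers.get(signer_id)
    if key is None:
        return "untrusted signer: " + signer_id  # digests all valid, wrong publisher
    good = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    return "ok" if hmac.compare_digest(good, sig) else "bad signature"

# Constructed sample: a vendor-signed BAR, the same native/ tree repacked under a
# different (hypothetical) developer key, and a copy with a patched binary.
VENDOR_KEY, DEV_KEY = b"vendor-key-constructed", b"dev-key-constructed"
TRUSTED = {"vendor": VENDOR_KEY}
ASSETS = {"native/bar-descriptor.xml": b"<qnx><id>com.example</id></qnx>",
          "native/app": b"\x7fELF constructed binary"}
ORIGINAL = build_bar(ASSETS, VENDOR_KEY, "vendor")
REPACKED = build_bar(ASSETS, DEV_KEY, "dev")
TAMPERED = build_bar({**ASSETS, "native/app": b"patched"}, VENDOR_KEY, "vendor", ASSETS)
```

On a device the same lesson applies: an install path that only checks manifest digests, or accepts any developer-signed BAR, cannot tell a repack from the original publisher's build.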


Creating the Bar


Signing the Bar


Sachesi again

• Debug token is not needed to install BARs onto a BB

• They can be sideloaded with Sachesi


Installed BAR


App on Device


Proxy Settings

• So you want to fiddle with an app that is running on the device

• BB10 contains settings to enable a proxy and install root CA certificates (like Burp’s)


Proxy Settings


How to Import a Cert


Traffic in Burp


0x5 Misc


Device DoS

• There are lots of QNX documents available online

• Browsing around, /dev/shmem took interest


/dev/shmem


Exploit

• /dev/shmem is the entire RAM

• Using dd you can just fill the entire RAM

• dd if=/dev/zero of=/dev/shmem/dos bs=1024 count=1000000000

• Device will require a reboot


Reporting

• Told BB about it, this was their response:

• While it would be ideal to have the system be more stable under intentional resource exhaustion by non-privileged apps, that's an area for future design changes and not a vulnerability we would release a security update for.

• TL;DR – We’ll look into it later


The Clipboard

• World readable and writeable directory

• Apps can write files outside of their sandbox

• Any app can read the clipboard file without using APIs (like in Android and iOS)


Insert Picture of balls created


Code for scraping clipboard

// Read the clipboard file; on BB10 it is world-readable, so no API or permission is needed
#include <stdio.h>

int main(void) {
    char content[250];
    FILE *fp = fopen("/accounts/1000/clipboard/text.plain", "r");
    if (fp == NULL)
        return 1;                              // no clipboard file present
    int rc = fscanf(fp, "%249s", content);     // bounded read; %s stops at whitespace
    fclose(fp);
    return rc == 1 ? 0 : 1;
}


Blackberry-connect

• Shell access to a device is very limited.

• Only SSH

• Must use blackberry-connect to push public key

• Must auth with private key

• devuser


Interesting bits
