Dissecting Blackberry Z10: 2-in-1 By Alexander Antukh & Yury Chemerkin
Jun 30, 2013 Alexander Antukh
Security Consultant Offensive Security Certified Expert Interests: kittens and stuff
/whoami Yury Chemerkin Experienced in : Mobile Security and MDM Cyber Security & Cloud Security Compliance & Transparency and Security Writing
/whoami Agenda
Blackberry OS review Shell Access The Approaches Firmware from the inside Playing with the browser Security on the application level Funny with APIs MDM capabilities Efficiency of security features Future research
Dissecting Blackberry Z10 4 Blackberry OS review
Built on QNX!
Tiny Micro-kernel architecture Virtual memory alloc for each process POSIX-compilant
QNX = MK + PM + processes
Dissecting Blackberry Z10 5 Blackberry OS review
That’s how the system looks like:
Dissecting Blackberry Z10 6 Blackberry OS review
That’s how the microkernel looks like:
Dissecting Blackberry Z10 7 Agenda
Blackberry OS review Shell Access The Approaches Firmware from the inside Playing with the browser Security on the application level Funny with APIs MDM capabilities Efficiency of security features Future research
Dissecting Blackberry Z10 8 Shell Access
Extremely easy! development mode on generate a 4096-bit RSA key (ssh-keygen/putty) blackberry-connect -sshPublicKey Even easier: Dingleberry nuts /accounts/devuser/ Dissecting Blackberry Z10 9 Agenda Blackberry OS review Shell Access The Approaches Firmware from the inside Playing with the browser Security on the application level Funny with APIs MDM capabilities Efficiency of security features Future research Dissecting Blackberry Z10 10 The Approaches 1. General permissions SUID/SGID -rwxrwsrwx 1 root root Writable files and folders "find all suid files" => "find / -type f -perm -04000 –ls” "find all sgid files" => "find / -type f -perm -02000 –ls” "find config* files" => "find / -type f -name \"config*\”” "find all writable folders and files" => "find / -perm -2 –ls” "find all writable folders and files in current dir" => "find . -perm -2 -ls" Dissecting Blackberry Z10 11 The Approaches 2. Fuzzers IOCTL fuzzing • no params • overlong strings • pre-determined DWORDs Process 1924486014 (python3.2) terminated SIGSEGV code=1 fltno=11 ip=011c90c4(/usr/lib/ldqnx.so.2@ioctl+0x113c) mapaddr=000790c4. ref=00000000 Binary bit-/byteflipping (EDB-ID #7823) Dissecting Blackberry Z10 12 The Approaches 3.1. System utilities. BOFs Many missing: setuidgid, id, dumpifs… Many interesting: • confstr – current configuration including path, architecture and network info • dmc – digital media controller • fsmon – file system monitor • jsc – JavaScript engine for Webkit used on a device • ldo-msm – LDO Driver • mkdosfs – format a DOS filesystem (FAT-12/16/32) • mkqnx6fs – format a filesystem (for QNX6, however, is presented in Blackberry OS) • and also tools such as mount, on, nfcservice, nvs_write_bin and displayctl. Dissecting Blackberry Z10 13 The Approaches 3.1. System utilities. BOFs Process 57340127 (displayctl) terminated SIGSEGV code=1 fltno=11 ip=788293d2(/base/usr/lib/graphics/msm8960/displayHAL- r086.so@dsi_get_pclk_freq+0x121) mapaddr=000093d2. ref=00000008 Process 249935086 (nowplaying) terminated SIGSEGV code=1 fltno=11 ip=78102cce(/usr/sbin/nowplaying@main+0x19d) ref=00000000 Process 1545237780 (charge_monitor) terminated SIGSEGV code=1 fltno=11 ip=010b998c(/usr/lib/ldqnx.so.2@message_detach+0x8) mapaddr=0003998c. ref=00000028 Process 1543295477 (shutdown) terminated SIGSEGV code=1 fltno=11 ip=78117c3e(/proc/boot/shutdown-msm8960.so@pmic_ssbi_read+0x15) mapaddr=00001c3e. ref=ffffffff Dissecting Blackberry Z10 14 The Approaches 3.2. System utilities. Vulnerable syscalls. displayctl. Dissecting Blackberry Z10 15 The Approaches 3.2. System utilities. Vulnerable syscalls. nvs_write_bin. Nonvolatile (sometimes written as "non-volatile") storage (NVS) - also known as nonvolatile memory or nonvolatile random access memory (NVRAM) - is a form of static random access memory whose contents are saved when a computer is turned off or loses its external power source. NVS is implemented by providing static RAM with backup battery power or by saving its contents and restoring them from an electrically erasable programmable ROM (EPROM) Dissecting Blackberry Z10 16 Agenda Blackberry OS review Shell Access The Approaches Firmware from the inside Playing with the browser Security on the application level Funny with APIs MDM capabilities Efficiency of security features Future research Dissecting Blackberry Z10 17 Firmware from the inside Firmware update? Yes, please! MFCQ QNX image Dissecting Blackberry Z10 18 Firmware from the inside Tools to deal with: qfcm_parser.py partitions! chkqnx6fs info about the images dumpifs IFS dump https://github.com/intrepidusgroup/pbtools Dissecting Blackberry Z10 19 Firmware from the inside Pearls inside: ALL the scripts and configs can be read now! .script (starting up) ifs_variables.sh (sysvars) os_device_image_check Microkernel itself Dissecting Blackberry Z10 20 Firmware from the inside Pearls inside: Protected tools can be launched now! Bootrom Version: 0x0523001D (5.35.0.29) DeviceString: RIM BlackBerry Device BuildUserName: ec_agent persist-tool: BuildDate: Nov 3 2012 … IsInsecureDevice: false insecure syscalls HWVersionOffset: 0x000000D4 NumberHWVEntries: 0x00000014 can be reproduced MemCfgTableOffset: 0x000000FC MemCfgTableSize: 0x00000100 (read/dump data) Drivers: 0x00000010 [ MMC ] LDRBlockAddr: 0x2E02FE00 BootromSize: 0x00080000 BRPersistAddr: 0x2E0AFC00 Dissecting Blackberry Z10 21 Firmware from the inside Pearls inside: Funny comments (code reviewers will like it) function setScreenScaling (width, height) { ... //ZOOM TO POINT IS FULL OF BUGS - Docs state that coordinates should only ever be in center of screen … and more // TODO: Once the QML bug about not being to access the page values that are provided as a parameter to this slot is fixed ... // The zipfile.ZipFile.write() method has a bug where it raises struct.error: ushort format requires 0 <= number <= USHRT_MAX // Too many bytes for PNG signature. Potential overflow in png_zalloc() Dissecting Blackberry Z10 22 Firmware from the inside Pearls inside: Facebook – too much;) IDs Emails Mobile phones Plaintext! Secrets Passwords Dissecting Blackberry Z10 23 Agenda Blackberry OS review Shell Access The Approaches Firmware from the inside Playing with the browser Security on the application level Funny with APIs MDM capabilities Efficiency of security features Future research Dissecting Blackberry Z10 24 Playing with the browser Webkit rendering engine Vulnerabilities are just the same (i.e. as for Google Chrome) Dissecting Blackberry Z10 25 Playing with the browser Local file access from the browser HTML page as an email attachment file:// nuts Currently the vulnerability is removed Dissecting Blackberry Z10 26 Agenda Blackberry OS review Shell Access The Approaches Firmware from the inside Playing with the browser Security on the application level Funny with APIs MDM capabilities Efficiency of security features Future research Dissecting Blackberry Z10 27 Security on the Application Level BlackBerry Z10 – Vulnerability in BlackBerry Protect Limited: by the inability of a potential attacker to force exploitation of the vulnerability without significant customer interaction and physical access to the device Affected Software BlackBerry 10 OS version 10.0.10.261 and earlier, except version 10.0.9.2743 BlackBerry Z10 smartphone only Currently the vulnerability is removed Dissecting Blackberry Z10 28 Security on the Application Level Special artifacts “.all” as a kind of logs PATH : /pps/system/ Dissecting Blackberry Z10 29 Agenda Blackberry OS review Shell Access The Approaches Firmware from the inside Playing with the browser Security on the application level Funny with APIs MDM capabilities Efficiency of security features Future research Dissecting Blackberry Z10 30 Funny with APIs Useful ideas that make no enough sense Merging permissions into one group No way to emulate hardware inputs but results of pressing are strongly restricted if there are Sandbox Malware is a personal application subtype in terms of blackberry’s security Sandbox protects only app data, while user data stored in shared folders Dissecting Blackberry Z10 31 Funny with APIs Non-controlled activity by any permission Accessing to data passed through the clipboard Access to ‘Accounts’ leads to a ‘read’ access to contacts,messages, notebooks, calendar by default MediaPlayer is a great way to access to the FS Access to file system in many ways and most cases managing device’s resources Camera activity, Contact photos Calendar event attachments Message attachments (Email, BBM) Saving records (camera photos, video, audios) Dissecting Blackberry Z10 32 Agenda Blackberry OS review Shell Access The Approaches Firmware from the inside Playing with the browser Security on the application level Funny with APIs MDM capabilities Efficiency of security features Future research Dissecting Blackberry Z10 33 BlackBerry MDM 100 Agenda 1200 90 1100 1000 80 80,00 70 800 60 55 50 600 38,46 31,82 10,26 40 16 400 30 16 49 20 20 5 7 7 4 4 200 10 80 0 0 BlackBerry Old iOS BlackBerry QNX Android Quantity of Groups 55 16 7 4 Average perm per group 20 5 7 4 Efficiency 80,00 38,46 31,82 10,26 Totall permissions 1100 80 49 16 Dissecting Blackberry Z10 34 Quantity of Groups Average perm per group Efficiency Totall permissions Agenda Blackberry OS review Shell Access The Approaches Firmware from the inside Playing with the browser Security on the application level Funny with APIs MDM capabilities Efficiency of security features Future research Dissecting Blackberry Z10 35 Efficiency of security features Activity Common Min/Average/Max quantity :: 2 / 8 / 34 Additional Min/Average/Max quantity :: 0 / 2 / 7 Derived Min/Average/Max quantity :: 3 / 31 / 116 Permission Common Min/Average/Max quantity :: 0 – 1 – 3 Additional Min/Average/Max quantity :: 1 – 0 – 1 Derived Min/Average/Max quantity :: 4 – 4 – 8 APIs Common / Significant quantity :: 100 – 61 The most security unit is LED activity Dissecting Blackberry Z10 36 Efficiency of security features Ratio of common activities to permissions 35 34 30 25 21 20 18 17 15 14 10 8 7 6 6 5 5 4 4 4 4 5 4 3 3 4 3 3 2 2 2 2 2 2 2 0 1 1 1 1 1 1 1 1 1 1 Q. of m.+a. activity Q. of m.+a. permission Dissecting Blackberry Z10 37 Efficiency of security features Ratio of derived activities to permissions 120 116 100 89 80 59 60 47 46 40 27 24 23 24 25 19 20 16 11 6 7 9 3 3 8 2 4 5 0 1 3 3 1 3 1 2 2 2 1 2 1 1 1 2 1 Q. of derived activities Q. of derived perm Dissecting Blackberry Z10 38 Efficiency of security features 250,00 250,00 250,00 200,00 150,00 12,50 3,37 66,67 3,45 9,09 100,00 14,29 8,70 88,89 16,67 66,67 5,08 66,67 66,67 60,00 5,26 16,67 50,00 50,00 50,00 50,00 5,56 33,33 6,25 4,26 25,00 25,00 25,00 3,70 19,05 14,29 16,67 11,76 5,88 2,17 4,17 8,00 7,14 0,00 % m+a activity vs perm % m+a derived activity vs perm Dissecting Blackberry Z10 39 Agenda Blackberry OS review Shell Access The Approaches Firmware from the inside Playing with the browser Security on the application level Funny with APIs MDM capabilities Efficiency of security features Future research Dissecting Blackberry Z10 40 Future research Image parser fuzzing Jailbreak IOCTL / syscalls further research Play more with SSH Blackberry Balance is not available yet Permission collision Overpemissioning by system applications and services Bypassing MDM features by both of previous Dissecting Blackberry Z10 41 Full articles … are available here (no SMS to send is required! Free for a very limited time!) Blackberry Z10 research http://goo.gl/dP9iR Blackberry and more http://goo.gl/PpXxg Dissecting Blackberry Z10 42