2. Introduction
• Presentation is exploratory
• Research is on-going
• Focused mostly on methodology, less on findings
• Feel free to chat after (since we may run out of time)
• Title is because stereotypical Canadians apologize for everything
4. Introduction
Ben Nell (bNull), Sr. Security Consultant, Accuvant Labs
Zach Lanier (quine), Sr. Security Researcher, Duo Security
Presentation foul:
<--- mixing memes --->
10. Our PlayBook stuff
• Targeted predecessor of BB10: TabletOS on BB PlayBook
• Discovered AuthZ token disclosure for Bridge/Balance (steal all the corporate data)
• RE’d firmware
• Mirrored all of AppWorld (steal all the premium apps)
• And more...
11. Our PlayBook stuff (cont’d)
• Discovered that native apps can exec*() / spawn*() and open AF_INET sockets unfettered (no perms req’d)
• Still true in BB10, but (even detached) child procs are killed when app/parent ends
• “Headless Apps” allow for background services, but special perms required
• Granting of perms is contingent upon approval from the RIM/BB signing service
12. Others
• Julio Cesar Fort’s QNX research
• SEC Consult BB10 paper
• RPW’s BB10 preso (BH USA ’13)
• Tim Brown’s various QNX/TabletOS/BB10 works
14. Overview
• ARM-based SoCs (Z10, Q10, and Z30 all Snapdragon S4 SoC)
• BB10 (based on QNX Neutrino RTOS 8.0.0)
• Major components (as of 10.2.1.1925):
  • WebKit (537.10 / 10.2.1.66)
  • Adobe Flash (11.1.121.199)
  • Adobe AIR (3.1.0.230)
  • BlackBerry Balance (isolated, corporate PIM)
15. QNX
• Microkernel, only truly trusted component
• Userspace kernel and process manager: procnto
• Separation of network, I/O, HMI, etc. into separate components
• Messaging layer provides IPC (QNX message passing + POSIX IPC abstraction)
• Prev. public bugs disclosed by Ilja van Sprundel, Tim Brown, Julio Cesar Fort, cenobite, and others
18. Security Features
• BlackBerry Balance
  • Encrypted, FACL’d “container”
  • a.k.a. “perimeter”
• BES policy enforcements
  • DISA STIGs guide these
19. authman & permissions
• authman service: maps app permissions to system resources
• Filesystem permissions + POSIX ACLs, pf rules
• Shell script and Python glue to bind it all together
20. authman & permissions
• /dev/authman: resource manager “dispatch” path (QNX IPC endpoint)
• /etc/authman: configs
  • Pair of files (".res" & ".acl"), named for profile type
21. authman & permissions
• Controls access to app permissions (allow, prompt, deny)
• Sets FACLs on filesystem objects based on app permission requested
• Also sets process capabilities for certain permission types (e.g. “Headless apps”)
22. authman & pf
• authman handles setting up (app) GID:rule mapping
• Ex: limiting access to SapphireProxy (for BB Bridge) on 127.0.0.2
23.
Dec 06 01:53:04 5 41 0 authman: RX euid=89/egid=0, 'defapp ext __def personal dual 100001000 100001000 sys.browser.gYABgJYFHAzbeFMPCCpYWBtHAm0 "Browser" "Research In Motion Limited" "gYAAgNpMbwE-hW4khx0h8BidUeI" run_when_backgrounded manage_certificates access_location_services use_camera record_audio access_shared access_internet post_notification gain_oma_fl_group access_oma_fl_write_personal access_oma_fl_write_enterprise access_bbjma_data access_carrier_browser access_cclagent_service use_certmgr_server access_wifi_limited run_native permanent access_perimeter_personal'
Dec 06 01:53:04 5 41 0 authman: Requested caps:
Dec 06 01:53:04 5 41 0 authman: req:Allow execute
Dec 06 01:53:04 5 41 0 authman: Applying execute
Dec 06 01:53:04 5 41 0 authman: pf_remove_gid: scanning anchors for gid=100001000
Dec 06 01:53:04 5 41 0 authman: Requested caps:
Dec 06 01:53:04 5 41 0 authman: req:Allow run_when_backgrounded
Dec 06 01:53:04 5 41 0 authman: req:Allow manage_certificates
Dec 06 01:53:04 5 41 0 authman: req:Allow access_location_services
Dec 06 01:53:04 5 41 0 authman: req:Allow use_camera
Dec 06 01:53:04 5 41 0 authman: req:Allow record_audio
Dec 06 01:53:04 5 41 0 authman: req:Allow access_shared
Dec 06 01:53:04 5 41 0 authman: req:Allow access_internet
Dec 06 01:53:04 5 41 0 authman: req:Allow gain_oma_fl_group
Dec 06 01:53:04 5 41 0 authman: req:Allow access_oma_fl_write_personal
Dec 06 01:53:04 5 41 0 authman: req:Allow access_oma_fl_write_enterprise
Dec 06 01:53:04 5 41 0 authman: req:Allow access_bbjma_data
Dec 06 01:53:04 5 41 0 authman: req:Allow access_carrier_browser
Dec 06 01:53:04 5 41 0 authman: req:Allow access_cclagent_service
Dec 06 01:53:04 5 41 0 authman: req:Allow use_certmgr_server
Dec 06 01:53:04 5 41 0 authman: req:Allow access_wifi_limited
Dec 06 01:53:04 5 41 0 authman: req:Allow run_native
Dec 06 01:53:04 5 41 0 authman: req:Allow permanent
Dec 06 01:53:04 5 41 0 authman: req:Allow access_perimeter_personal
Dec 06 01:53:04 5 41 0 authman: Applying run_when_backgrounded
Dec 06 01:53:04 5 41 0 authman: Applying manage_certificates
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/certmgr/control
Dec 06 01:53:04 5 41 0 authman: Applying access_location_services
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_cell_cdma_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_cell_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/radioctrl/modem0/status_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/geomonitor/control
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=050, /pps/services/geolocation/geomonitor
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/control
Callouts on the log:
• “Capabilities” based on permissions (the “Requested caps” / “req:Allow …” / “Applying …” lines)
• ACLs based on permissions (the set_acl_group_perms lines: gid, perms, path)
• pf rule(s) (the pf_remove_gid line)
Output from sloginfo (tool to print system log).
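As an added illustration (not the presenters’ tooling), a small Python parser for sloginfo authman output in the shape shown above: it recovers which permissions an app requested, which ACL grants (gid, octal mode, PPS path) each applied permission produced, and which PPS objects the app’s GID ended up able to write, which is the review a defender would do for an app’s permission set. The sample log is constructed to match the slide’s line format; the regexes over that format are assumptions about it.

```python
import re
from collections import defaultdict
# Constructed sample in the shape of the sloginfo authman lines on the slide
# (not a device capture): two permissions, the ACLs they produce, and a pf line.
SAMPLE_LOG = """\
Dec 06 01:53:04 5 41 0 authman: req:Allow manage_certificates
Dec 06 01:53:04 5 41 0 authman: req:Allow access_location_services
Dec 06 01:53:04 5 41 0 authman: Applying manage_certificates
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/certmgr/control
Dec 06 01:53:04 5 41 0 authman: Applying access_location_services
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=040, /pps/services/cellular/radioctrl/status_private
Dec 06 01:53:04 5 41 0 authman: set_acl_group_perms: gid=100001000, perms=060, /pps/services/geolocation/control
Dec 06 01:53:04 5 41 0 authman: pf_remove_gid: scanning anchors for gid=100001000
"""

AUTHMAN = re.compile(r"authman: (?P<msg>.*)$")  # log metadata precedes "authman: "
REQ = re.compile(r"^req:(?P<decision>\S+) (?P<perm>\S+)$")
APPLY = re.compile(r"^Applying (?P<perm>\S+)$")
ACL = re.compile(r"^set_acl_group_perms: gid=(?P<gid>\d+), perms=(?P<mode>[0-7]{3}), (?P<path>\S+)$")

def authman_events(log_text):
    """Yield just the authman message text of each matching log line."""
    for line in log_text.splitlines():
        if (m := AUTHMAN.search(line)):
            yield m.group("msg")

def requested_permissions(log_text):
    """(decision, permission) pairs in the order authman evaluated them."""
    return [(r.group("decision"), r.group("perm"))
            for r in map(REQ.match, authman_events(log_text)) if r]

def parse_grants(log_text):
    """Map each applied permission to the (gid, mode, path) ACLs set for it.
    ACL lines are attributed to the preceding "Applying" line, as on the slide."""
    grants, current = defaultdict(list), None
    for msg in authman_events(log_text):
        a = APPLY.match(msg)
        if a:
            current = a.group("perm")
            grants[current]  # register the permission even if no ACL follows
            continue
        e = ACL.match(msg)
        if e and current is not None:
            grants[current].append((int(e.group("gid")), e.group("mode"), e.group("path")))
    return dict(grants)

def writable_objects(grants):
    """PPS objects the app GID may write to (write bit set in the group digit)."""
    return sorted({path for entries in grants.values()
                   for _gid, mode, path in entries if int(mode[1]) & 2})
```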
24. PPS
• “Persistent Publish / Subscribe”
• Implemented by pps manager process
• Simple interface for sharing data, notifications/eventing via filesystem objects
25. IPC
• IPC is key in QNX
• “Message passing” & signals implemented in microkernel
• Other IPC (POSIX-compatible) mechanisms implemented by manager processes
[Diagram: IPC mechanisms and where they are implemented. Kernel: message passing (message copying, simple messages, channels), events (pulses, signals, unblocks), signals. External process/manager: shared memory, pipes, FIFOs, typed memory.]
27. Application Model
• App processes run with same UIDs, but separate GIDs (incl. supplemental GIDs)
• Apps have separate data stores/“sandboxes”
• With Balance/corporate separation, additional data stores
• Production apps are signed by BB/RIM signing server
28. Our Approach to the Platform
meth·od·ol·o·gy /ˌmeTHəˈdäləjē/
30. Testing Limitations
• General lack of enthusiasm for BB10 as a target
• General lack of public information about the system
• Effective security controls
• We’re left looking at a black box
32. OSINT
Existing previous work
• Our PlayBook work
• SEC Consult paper
• Works by RPW, Tim Brown, Julio Cesar Fort, etc.
• Not a ton of stuff out there
https://www.sec-consult.com/fxdata/seccons/prod/downloads/sec_consult_vulnerability_lab_blackberry_z10_initial_analysis_v10.pdf
33. OSINT
QNX Foundry
• Man pages for QNXisms
• Downloads
• Forums
• Wiki
• Google dorks are golden…
35. OSINT
Some random RIM employee’s file dump?
• Upcoming product feature assessment
• Hardware code names
• Upcoming project effort estimations / release dates
36. OSINT
Some random RIM employee’s file dump?
• Internal bug tracker
• Internal URL
37. OSINT
Some random RIM employee’s file dump?
• Pre-release BB10 developer image for Winchester/PlayBook
39. Dynamic Analysis
RIM wants to get your hacking^Wdevelopment projects up and running as quickly as possible!
Lots of SDK stuff, including a native SDK, giving us:
• libc, libcurl, OpenSSL, V8, and tons more
• Easy cross-compilation
41. Dynamic Analysis
• Momentics target navigator: proc/thread mem info, FS nav, etc.
• Controller app: controls NFC, camera, geoloc, etc. for Simulator
42. Dynamic Analysis
• Momentics provides QNX-specific versions/builds of the typical toolchain
• gdb
• also objdump, nm, readelf, gcc, etc.
43. Dynamic Analysis
BlackBerry Simulator
• Gives us something similar to the real thing
• We can have root access*
• Access to tools relevant to the real thing
• MDS Simulator
QNX Software Dev Platform (SDP)
• It’s like the non-official “platform” debug tool
• A fully accessible QNX environment
* with a bit of work
44. Dynamic Analysis
Just another box on the network
• Testing harness
• Wireshark
• Proxy (Burp and friends)
• nmap
• Various fuzzers
• Custom stuff
57. Static Analysis
Getting Firmware
• MITM the CDN downloads
• The “community” has built some good tools
http://forums.crackberry.com/bb10-leaked-beta-os-f395/sachesi-firmware-extractor-searcher-installer-825409/
58. Static Analysis
Getting Into the Firmware
• “pbtools”
• Mount the firmware in Simulator or SDP
• SCP the files back out
https://github.com/intrepidusgroup/pbtools
60. Static Analysis
Python: for everything important on BB10 that isn’t written in bash
• Most of it is compiled Python (bytecode; *.pyc)
• unpyc3.py
https://code.google.com/p/unpyc3/
62. Static Analysis
Compiled binaries
• IDA cleanly disassembles
• ARM / x86
• Without a public root, disassembly might be your best/only bet for dorking with many network services
65. IPC
• Numerous IPC endpoints available
• QNX channels particularly caught our eye
• Wrote some horrible IPC scanners / fuzzers
• Problem: not always sure WTF is on the other end of a channel (or able to attach to channel but unable to send)
• Also DoS’d/froze device multiple times during mass channel scans
$ ./scanchan.py 643092
Could not find platform independent libraries <prefix>
Consider setting $PYTHONHOME to <prefix>[:<exec_prefix>]
[+] PID: 643092 - Connected to channel: 2
[-] PID: 643092 - Error for channel 6: [Errno 1] Operation not permitted
$ ./fchan1.py 1019928 16
[+] PID: 1019928 - Connected to channel: 16
(48, b"AAAAAAAAAAAAAAAA(coid, b'Hello!')\n c\x01\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x02\x00\x00\x00O\x00\x00\x00s\x16\x00\x00\x00|\x01\x00|\x00\x00_\x00\x00|\x02\x00|\x00\x00_\x01\x00d\x00\x00S(\x01\x00\x00\x00N(\x02\x00\x00\x00u\x04\x00\x00\x00argsu\x06\x00\x00\x00…
67. Network Services
Local-hosted CGI scripts are used for device management “stuff”:
• Backup & restore
• Application installation
• Device reset
• Limited logging control
• Limited PIM management
• Enterprise registration
• Etc.
68. WiFi
• Many device management functions happen over HTTP/SMB with the option of operating over WiFi
• Handset acts as a UPnP gateway
• There are some real problematic areas observable over WiFi
69. USB
• Mass storage? Nay, Ethernet!
• Similar to WiFi (WWW/SMB), with additional capabilities
70. Bluetooth
• Tether your handset to your tablet
• SapphireProxy (get it?)
  • WebDAV
  • HTTP proxy
  • Protected by pf
BlackBerry “Bridge” / SapphireProxy: this service has had problems in the past… *
* Barely recognizable BattleStar reference
71. NFC
It works and there are no security problems?
• Haven’t really explored this ourselves.
• Biggest concern likely bad NDEF message parsing by 3rd party native apps
72. Local Application
• Malware / client-side attacks
• Insufficient controls on sensitive local file and network resources
• Privilege escalations are like gold
73. Balance
• An attempt at solving BYOD
• “Perimeters” manage the separation between personal and enterprise applications, data, and network resources
• Enterprise perimeter security is controlled by BES and enforced locally
74. Balance
Concerned Consumer: Sounds great. How does it work? I am familiar with the iOS security model and might expect to see some sort of sandboxing technology to enforce this separation.
75. Balance
RIM: I don’t want to say that it’s all based on file permissions… …but it’s all based on file permissions