(PDF) Yury Chemerkin Defcon 2013
/whoami
Alexander Antukh
Security Consultant, Offensive Security Certified Expert
Interests: kittens and stuff

/whoami
Yury Chemerkin
Experienced in: Mobile Security and MDM, Cyber Security & Cloud Security, Compliance & Transparency, and Security Writing
Agenda
  1. Blackberry OS review
  2. Shell Access
  3. The Approaches
  4. Firmware from the inside
  5. Playing with the browser
  6. Security on the application level
  7. Funny with APIs
  8. MDM capabilities
  9. Efficiency of security features
  10. Future research
Blackberry OS review
Built on QNX!
  - Tiny microkernel architecture
  - Virtual memory allocated for each process
  - POSIX-compliant
QNX = MK (microkernel) + PM (process manager) + processes
Dissecting Blackberry Z10
This is what the system looks like: [architecture diagram not recovered from the PDF]
This is what the microkernel looks like: [microkernel diagram not recovered from the PDF]
Shell Access
Extremely easy!
  1. turn development mode on
  2. generate a 4096-bit RSA key (ssh-keygen/putty)
  3. blackberry-connect <t> -password <p> -sshPublicKey <k>
  4. ssh 169.254.0.1 nuts
Even easier:
  Dingleberry nuts /accounts/devuser/
The Approaches
1. General permissions
  - SUID/SGID binaries (example listing: -rwxrwsrwx 1 root root)
  - Writable files and folders
  "find all suid files" => find / -type f -perm -04000 -ls
  "find all sgid files" => find / -type f -perm -02000 -ls
  "find config* files" => find / -type f -name "config*"
  "find all writable folders and files" => find / -perm -2 -ls
  "find all writable folders and files in current dir" => find . -perm -2 -ls
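The find commands above produce a long listing that still has to be read by hand. The following Python script is an added example, not part of the deck or of any BlackBerry tool: it parses ls -l style lines (the format the -ls switch prints, minus the leading inode and block columns) and flags SUID, SGID and world-writable entries, treating a sticky world-writable directory such as /tmp as expected rather than as a finding. The listing embedded in it is constructed for the example; the paths and sizes are invented.

```python
import re
from dataclasses import dataclass

# Constructed sample in ls -l style; every path, owner and size here is made up.
SAMPLE_LISTING = """\
-rwsr-xr-x 1 root root 45012 Jun 10 2013 /usr/sbin/example_suid
-rwxr-sr-x 1 root bin 12288 Jun 10 2013 /usr/bin/example_sgid
-rwxrwsrwx 1 root root 8192 Jun 10 2013 /tmp/example_writable_sgid
-rw-rw-rw- 1 root root 512 Jun 10 2013 /etc/example_world_writable.conf
drwxrwxrwt 2 root root 4096 Jun 10 2013 /tmp
-rwxr-xr-x 1 root root 20480 Jun 10 2013 /usr/bin/example_ok
"""


@dataclass
class Finding:
    path: str
    owner: str
    findings: tuple


# mode, link count, owner, group, size, month, day, year-or-time, path
LINE_RE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>.+)$"
)


def classify_mode(mode: str) -> list:
    """Return the risky attributes encoded in a 10-character ls mode string."""
    flags = []
    user_x, group_x, other_w, other_x = mode[3], mode[6], mode[8], mode[9]
    if user_x in "sS":            # setuid bit (S = set but not executable)
        flags.append("suid")
    if group_x in "sS":           # setgid bit
        flags.append("sgid")
    if other_w == "w":
        # A world-writable directory with the sticky bit (e.g. /tmp) is the
        # normal case; anything else writable by everyone is worth a look.
        if mode[0] == "d" and other_x in "tT":
            flags.append("world-writable-sticky-dir")
        else:
            flags.append("world-writable")
    return flags


def audit_listing(text: str) -> list:
    """Parse a listing and keep only the entries with at least one flag."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                # skip headers, totals, unparsable lines
        flags = classify_mode(m.group("mode"))
        if flags:
            results.append(Finding(m.group("path"), m.group("owner"), tuple(flags)))
    return results


def summarize(findings: list) -> dict:
    """Map path -> tuple of flags, convenient for diffing between firmware builds."""
    return {f.path: f.findings for f in findings}


if __name__ == "__main__":
    for path, flags in summarize(audit_listing(SAMPLE_LISTING)).items():
        print(f"{path}: {', '.join(flags)}")
```

Feeding it the real output of the find commands from a device, and diffing the summary between firmware versions, shows at a glance which privileged or writable entries a release added or removed.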
2. Fuzzers
  - IOCTL fuzzing
  - no params
  - overlong strings
  - pre-determined DWORDs
Process 1924486014 (python3.2) terminated SIGSEGV code=1 fltno=11 ip=011c90c4(/usr/lib/ldqnx.so.2@ioctl+0x113c) mapaddr=000790c4. ref=00000000
3.1. System utilities. BOFs
Many missing: setuidgid, id, dumpifs
Many interesting:
  confstr: current configuration including path, architecture and network info
  dmc: digital media controller
  fsmon: file system monitor
  jsc: JavaScript engine for WebKit used on the device
  ldo-msm: LDO driver
  mkdosfs: format a DOS filesystem (FAT-12/16/32)
  mkqnx6fs: format a QNX6 filesystem (a QNX6 tool, but present in Blackberry OS)
  and also tools such as mount, on, nfcservice, nvs_write_bin and displayctl.
Process 57340127 (displayctl) terminated SIGSEGV code=1 fltno=11 ip=788293d2(/base/usr/lib/graphics/msm8960/displayHALr086.so@dsi_get_pclk_freq+0x121) mapaddr=000093d2. ref=00000008
Process 249935086 (nowplaying) terminated SIGSEGV code=1 fltno=11 ip=78102cce(/usr/sbin/nowplaying@main+0x19d) ref=00000000
Process 1545237780 (charge_monitor) terminated SIGSEGV code=1 fltno=11 ip=010b998c(/usr/lib/ldqnx.so.2@message_detach+0x8) mapaddr=0003998c. ref=00000028
Process 1543295477 (shutdown) terminated SIGSEGV code=1 fltno=11 ip=78117c3e(/proc/boot/shutdown-msm8960.so@pmic_ssbi_read+0x15) mapaddr=00001c3e. ref=ffffffff
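The crash lines from the fuzzer slide and from the system-utilities slide share one format, and during a fuzzing campaign hundreds of them accumulate. The following Python script is an added example, not part of the deck or of any QNX tool: it parses those "Process ... terminated SIGSEGV" lines into structured records, buckets duplicates by faulting module, function and offset, and attaches a heuristic label to the faulting reference. The five lines embedded in it are the ones quoted on the slides; the assumption that "ref" is the referenced (faulting) address and the thresholds used by classify_ref are mine, not stated in the deck.

```python
import os
import re
from collections import Counter

# Sample input: the five crash lines quoted on the slides, joined into one log.
SAMPLE_LOG = """\
Process 1924486014 (python3.2) terminated SIGSEGV code=1 fltno=11 ip=011c90c4(/usr/lib/ldqnx.so.2@ioctl+0x113c) mapaddr=000790c4. ref=00000000
Process 57340127 (displayctl) terminated SIGSEGV code=1 fltno=11 ip=788293d2(/base/usr/lib/graphics/msm8960/displayHALr086.so@dsi_get_pclk_freq+0x121) mapaddr=000093d2. ref=00000008
Process 249935086 (nowplaying) terminated SIGSEGV code=1 fltno=11 ip=78102cce(/usr/sbin/nowplaying@main+0x19d) ref=00000000
Process 1545237780 (charge_monitor) terminated SIGSEGV code=1 fltno=11 ip=010b998c(/usr/lib/ldqnx.so.2@message_detach+0x8) mapaddr=0003998c. ref=00000028
Process 1543295477 (shutdown) terminated SIGSEGV code=1 fltno=11 ip=78117c3e(/proc/boot/shutdown-msm8960.so@pmic_ssbi_read+0x15) mapaddr=00001c3e. ref=ffffffff
"""

# mapaddr is optional: the nowplaying line on the slide does not carry it.
CRASH_RE = re.compile(
    r"Process (?P<pid>\d+) \((?P<name>[^)]+)\) terminated (?P<signal>SIG\w+) "
    r"code=(?P<code>\d+) fltno=(?P<fltno>\d+) "
    r"ip=(?P<ip>[0-9a-f]+)\((?P<module>[^@]+)@(?P<func>[^+]+)\+0x(?P<off>[0-9a-f]+)\)"
    r"(?: mapaddr=(?P<mapaddr>[0-9a-f]+)\.)? ref=(?P<ref>[0-9a-f]+)"
)


def parse_crash(line: str):
    """Turn one termination line into a dict, or None if it does not match."""
    m = CRASH_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "pid": int(d["pid"]), "name": d["name"], "signal": d["signal"],
        "code": int(d["code"]), "fltno": int(d["fltno"]), "ip": int(d["ip"], 16),
        "module": d["module"], "function": d["func"], "offset": int(d["off"], 16),
        "mapaddr": int(d["mapaddr"], 16) if d["mapaddr"] else None,
        "ref": int(d["ref"], 16),
    }


def classify_ref(ref: int, near_null: int = 0x1000) -> str:
    """Heuristic label for the faulting reference address (assumption: 'ref'
    is the address the instruction tried to touch). Thresholds are my choice."""
    if ref == 0:
        return "null-deref"
    if ref < near_null:
        return "near-null (field access through a NULL pointer?)"
    if ref >= 0xFFFFF000:
        return "wrapped/negative address"
    return "other"


def triage(log_text: str):
    """Parse every line and bucket crashes by (module, function, offset)
    so that repeated hits of the same fault are counted once."""
    crashes = [c for c in (parse_crash(l) for l in log_text.splitlines()) if c]
    buckets = {}
    for c in crashes:
        key = (os.path.basename(c["module"]), c["function"], c["offset"])
        buckets.setdefault(key, []).append(c)
    return crashes, buckets


def module_histogram(crashes: list) -> Counter:
    """How many crashes landed in each module; libc hits usually need a backtrace."""
    return Counter(os.path.basename(c["module"]) for c in crashes)


if __name__ == "__main__":
    found, groups = triage(SAMPLE_LOG)
    for (module, func, off), hits in groups.items():
        ref = hits[0]["ref"]
        print(f"{module}@{func}+0x{off:x}: {len(hits)} hit(s), ref={ref:08x} [{classify_ref(ref)}]")
```

A crash whose ip is inside ldqnx.so.2 (the C library) rather than in the fuzzed binary, like the ioctl and message_detach hits above, says little on its own; the bucket key keeps those separate from faults in the program's own code so they can be prioritised after the ones with a backtrace into the target.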
3.2. System utilities. Vulnerable syscalls. displayctl.
3.2. System utilities. Vulnerable syscalls. nvs_write_bin.
Nonvolatile (sometimes written as "non-volatile") storage (NVS), also known as nonvolatile memory or nonvolatile random access memory (NVRAM), is a form of static random access memory whose contents are saved when a computer is turned off or loses its external power source. NVS is implemented by providing static RAM with backup battery power or by saving its contents and restoring them from an electrically erasable programmable ROM (EEPROM).
Firmware from the inside
https://github.com/intrepidusgroup/pbtools
and more:
  // TODO: Once the QML bug about not being to access the page values that are provided as a parameter to this slot is fixed ...
  // The zipfile.ZipFile.write() method has a bug where it raises struct.error: ushort format requires 0 <= number <= USHRT_MAX
  // Too many bytes for PNG signature. Potential overflow in png_zalloc()
Plaintext!
Playing with the browser
Security on the application level
Funny with APIs
MDM capabilities
[Chart: per-platform comparison. Series: Quantity of Groups, Average perm per group, Efficiency, Total permissions. Only two complete rows are recoverable from the PDF; the remaining bars and axis values are lost.]
Platform   Quantity of Groups   Average perm per group   Efficiency   Total permissions
iOS        16                   5                        38,46        80
Android    4                    4                        10,26        16
Efficiency of security features
[Chart: Q. of m.+a. activity vs. Q. of m.+a. permission per category; category labels not recovered from the PDF]
[Chart: Q. of derived activities vs. Q. of derived perm per category; category labels not recovered from the PDF]
[Chart: percentage values on a 0,00 to 250,00 scale; series and category labels not recovered from the PDF]
Future research
  - Image parser fuzzing
  - Jailbreak
  - IOCTL / syscalls further research
  - Play more with SSH
  - Blackberry Balance is not available yet
  - Permission collision
  - Overpermissioning by system applications and services
  - Bypassing MDM features by both of the previous
Full articles are available here (no SMS to send is required! Free for a very limited time!)
http://goo.gl/dP9iR
http://goo.gl/PpXxg