
Dissecting Blackberry Z10: 2-in-1

By Alexander Antukh & Yury Chemerkin

Jun 30, 2013

Alexander Antukh
Security Consultant
Offensive Security Certified Expert
Interests: kittens and stuff

/whoami

Yury Chemerkin
Experienced in:
- Mobile Security and MDM
- Cyber Security & Cloud Security
- Compliance & Transparency
- Security Writing

/whoami

Agenda
- Blackberry OS review
- Shell Access
- The Approaches
- Firmware from the inside
- Playing with the browser
- Security on the application level
- Funny with APIs
- MDM capabilities
- Efficiency of security features
- Future research

Dissecting Blackberry Z10

Blackberry OS review
Built on QNX!
- Tiny microkernel architecture
- Virtual memory allocation for each process
- POSIX-compliant

QNX = MK + PM + processes

Blackberry OS review
That's what the system looks like:


Blackberry OS review
That's what the microkernel looks like:


Shell Access
Extremely easy!
- Development mode on
- Generate a 4096-bit RSA key (ssh-keygen/putty)
- blackberry-connect <t> -password <p> -sshPublicKey <k>
- ssh 169.254.0.1
- nuts

Even easier:
- Dingleberry
- nuts: /accounts/devuser/


The Approaches
1. General permissions
- SUID/SGID: -rwxrwsrwx 1 root root
- Writable files and folders

"find all suid files" => find / -type f -perm -04000 -ls
"find all sgid files" => find / -type f -perm -02000 -ls
"find config* files" => find / -type f -name "config*"
"find all writable folders and files" => find / -perm -2 -ls
"find all writable folders and files in current dir" => find . -perm -2 -ls
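Added example, not the authors' script: a small Python audit helper that mirrors the four find one-liners above, parses an ls-style mode string such as the -rwxrwsrwx example into an st_mode value, and flags the overlap the slide hints at (a privileged SUID/SGID binary that anyone can overwrite). The HIGH label and the symlink handling are our own choices.

```python
"""Classify file modes the way the slide's find one-liners do (SUID, SGID,
world-writable) and flag the overlap that '-rwxrwsrwx root root' shows.
Added example, not the authors' script; the HIGH label is our own."""
import os
import stat

_TYPES = {"-": stat.S_IFREG, "d": stat.S_IFDIR, "l": stat.S_IFLNK, "c": stat.S_IFCHR,
          "b": stat.S_IFBLK, "p": stat.S_IFIFO, "s": stat.S_IFSOCK}


def parse_symbolic_mode(text):
    """Convert an ls -l mode string such as '-rwxrwsrwx' into an st_mode value."""
    if len(text) != 10 or text[0] not in _TYPES:
        raise ValueError("not an ls mode string: %r" % text)
    mode = _TYPES[text[0]]
    triplets = ((stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID),
                (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID),
                (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX))
    for i, (r, w, x, special) in enumerate(triplets):
        rc, wc, xc = text[1 + 3 * i:4 + 3 * i]
        mode |= r if rc == "r" else 0
        mode |= w if wc == "w" else 0
        mode |= x if xc in "xst" else 0         # lowercase s/t: exec bit set too
        mode |= special if xc in "sStT" else 0  # s/S = setuid/setgid, t/T = sticky
    return mode


def classify(mode):
    """Findings for one st_mode, mirroring the find commands on the slide."""
    findings = []
    if stat.S_ISREG(mode) and mode & stat.S_ISUID:      # find / -type f -perm -04000
        findings.append("suid")
    if stat.S_ISREG(mode) and mode & stat.S_ISGID:      # find / -type f -perm -02000
        findings.append("sgid")
    if mode & stat.S_IWOTH and not stat.S_ISLNK(mode):  # find / -perm -2, symlinks skipped
        findings.append("world-writable")
    if "world-writable" in findings and findings[0] in ("suid", "sgid"):
        findings.append("HIGH: privileged binary anyone can overwrite")
    return findings


def audit_tree(root):
    """Walk root with lstat (no symlink following) and report every hit."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            found = classify(os.lstat(path).st_mode) if os.path.lexists(path) else []
            if found:
                report[path] = found
    return report
```

Run audit_tree("/") on a shell from the previous slide to get the combined report in one pass instead of four find invocations.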


The Approaches
2. Fuzzers
- IOCTL fuzzing
  - no params
  - overlong strings
  - pre-determined DWORDs

Process 1924486014 (python3.2) terminated SIGSEGV code=1 fltno=11 ip=011c90c4(/usr/lib/ldqnx.so.2@ioctl+0x113c) mapaddr=000790c4. ref=00000000

- Binary bit-/byteflipping (EDB-ID #7823)


The Approaches
3.1. System utilities. BOFs
Many missing: setuidgid, id, dumpifs
Many interesting:
- confstr: current configuration including path, architecture and network info
- dmc: digital media controller
- fsmon: file system monitor
- jsc: JavaScript engine for WebKit used on the device
- ldo-msm: LDO driver
- mkdosfs: format a DOS filesystem (FAT-12/16/32)
- mkqnx6fs: format a filesystem (for QNX6, which is, however, present in Blackberry OS)
and also tools such as mount, on, nfcservice, nvs_write_bin and displayctl.


The Approaches
3.1. System utilities. BOFs

Process 57340127 (displayctl) terminated SIGSEGV code=1 fltno=11 ip=788293d2(/base/usr/lib/graphics/msm8960/displayHALr086.so@dsi_get_pclk_freq+0x121) mapaddr=000093d2. ref=00000008
Process 249935086 (nowplaying) terminated SIGSEGV code=1 fltno=11 ip=78102cce(/usr/sbin/nowplaying@main+0x19d) ref=00000000
Process 1545237780 (charge_monitor) terminated SIGSEGV code=1 fltno=11 ip=010b998c(/usr/lib/ldqnx.so.2@message_detach+0x8) mapaddr=0003998c. ref=00000028
Process 1543295477 (shutdown) terminated SIGSEGV code=1 fltno=11 ip=78117c3e(/proc/boot/shutdown-msm8960.so@pmic_ssbi_read+0x15) mapaddr=00001c3e. ref=ffffffff


The Approaches
3.2. System utilities. Vulnerable syscalls. displayctl.


The Approaches
3.2. System utilities. Vulnerable syscalls. nvs_write_bin.
Nonvolatile (sometimes written as "non-volatile") storage (NVS), also known as nonvolatile memory or nonvolatile random access memory (NVRAM), is a form of static random access memory whose contents are saved when a computer is turned off or loses its external power source. NVS is implemented by providing static RAM with backup battery power or by saving its contents to, and restoring them from, an electrically erasable programmable ROM (EEPROM).


Firmware from the inside
Firmware update? Yes, please!
- MFCQ
- QNX image


Firmware from the inside
Tools to deal with:
- qfcm_parser.py: partitions!
- chkqnx6fs: info about the images
- dumpifs: IFS dump

https://github.com/intrepidusgroup/pbtools

Firmware from the inside
Pearls inside:
ALL the scripts and configs can be read now!
- .script (starting up)
- ifs_variables.sh (sysvars)
- os_device_image_check
- Microkernel itself


Firmware from the inside
Pearls inside:
Protected tools can be launched now!
- persist-tool: insecure syscalls can be reproduced (read/dump data)

Bootrom Version: 0x0523001D (5.35.0.29)
DeviceString: RIM BlackBerry Device
BuildUserName: ec_agent
BuildDate: Nov 3 2012
IsInsecureDevice: false
HWVersionOffset: 0x000000D4
NumberHWVEntries: 0x00000014
MemCfgTableOffset: 0x000000FC
MemCfgTableSize: 0x00000100
Drivers: 0x00000010 [ MMC ]
LDRBlockAddr: 0x2E02FE00
BootromSize: 0x00080000
BRPersistAddr: 0x2E0AFC00


Firmware from the inside
Pearls inside:
Funny comments (code reviewers will like it)

function setScreenScaling (width, height) {
    ...
    //ZOOM TO POINT IS FULL OF BUGS - Docs state that coordinates should only ever be in center of screen

and more:

// TODO: Once the QML bug about not being to access the page values that are provided as a parameter to this slot is fixed ...
// The zipfile.ZipFile.write() method has a bug where it raises struct.error: ushort format requires 0 <= number <= USHRT_MAX
// Too many bytes for PNG signature. Potential overflow in png_zalloc()


Firmware from the inside
Pearls inside:
Facebook, too much ;)
- IDs
- Emails
- Mobile phones
- Secrets
- Passwords

Plaintext!


Playing with the browser
- WebKit rendering engine
- Vulnerabilities are just the same (i.e. as for Google Chrome)


Playing with the browser
Local file access from the browser
- HTML page as an email attachment
- file://
- nuts

Currently the vulnerability is removed



Security on the Application Level
BlackBerry Z10: vulnerability in BlackBerry Protect
- Limited by the inability of a potential attacker to force exploitation of the vulnerability without significant customer interaction and physical access to the device
- Affected software: BlackBerry 10 OS version 10.0.10.261 and earlier, except version 10.0.9.2743; BlackBerry Z10 smartphone only

Currently the vulnerability is removed

Security on the Application Level
Special artifacts: .all as a kind of logs
- PATH: /pps/system/<name>/.all
- Browsers: history
- Networking: ID, flags, MACs
- Device IDs: hardware, PIN, name, serials, etc.
- Video chats: params, call details
- BlackBerry Bridge / SapphireProxy: status, name, address, auth token, key; autostart param
- Routes: BB, BIS, BER: 127.0.0.2:188/189/187
- Results: access to internal network, internal storage, media files, the rest (contacts, calendar, etc.) in case of a non-QNX device

Currently there are no details on whether it is solved. Authors' opinion: it can't be solved, or can be cracked in similar ways.

Funny with APIs
Useful ideas that don't make enough sense:
- Merging permissions into one group
- No way to emulate hardware inputs, but the results of pressing are strongly restricted if there are any
- Sandbox: malware is a personal application subtype in terms of BlackBerry's security
- Sandbox protects only app data, while user data is stored in shared folders


Funny with APIs
Non-controlled activity by any permission:
- Access to data passed through the clipboard
- Access to Accounts leads to read access to contacts, messages, notebooks and calendar by default
- MediaPlayer is a great way to access the FS
- Access to the file system in many ways, and in most cases managing device resources:
  - Camera activity, contact photos
  - Calendar event attachments
  - Message attachments (Email, BBM)
  - Saving records (camera photos, video, audio)

BlackBerry MDM

Platform         Quantity of groups   Average perm per group   Efficiency   Total permissions
BlackBerry Old   55                   20                       80,00        1100
iOS              16                   5                        38,46        80
BlackBerry QNX   7                    7                        31,82        49
Android          4                    4                        10,26        16


Efficiency of security features
Activity:
- Common, min/average/max quantity :: 2 / 8 / 34
- Additional, min/average/max quantity :: 0 / 2 / 7
- Derived, min/average/max quantity :: 3 / 31 / 116
Permission:
- Common, min/average/max quantity :: 0 / 1 / 3
- Additional, min/average/max quantity :: 1 / 0 / 1
- Derived, min/average/max quantity :: 4 / 4 / 8
APIs:
- Common / significant quantity :: 100 / 61
The most secure unit is the LED activity

Efficiency of security features

[Chart: Ratio of common activities to permissions; series "Q. of m.+a. activity" and "Q. of m.+a. permission"; y-axis 0 to 35]


Efficiency of security features

[Chart: Ratio of derived activities to permissions; series "Q. of derived activities" and "Q. of derived perm"; y-axis 0 to 120]


Efficiency of security features

[Chart: "% m+a activity vs perm" and "% m+a derived activity vs perm"; y-axis 0,00 to 250,00]


Future research
- Image parser fuzzing
- Jailbreak
- IOCTL / syscalls further research
- Play more with SSH
- Blackberry Balance is not available yet
- Permission collision
- Overpermissioning by system applications and services
- Bypassing MDM features by both of the previous


Full articles
are available here (no SMS to send is required! Free for a very limited time!)
- Blackberry Z10 research
- Blackberry and more

http://goo.gl/dP9iR
http://goo.gl/PpXxg
