Dissecting Blackberry Z10: 2-in-1
By Alexander Antukh & Yury Chemerkin
Jun 30, 2013

/whoami
Alexander Antukh
• Security Consultant
• Offensive Security Certified Expert
• Interests: kittens and stuff
(Pdf) yury chemerkin def_con_2013

/whoami
Yury Chemerkin
Experienced in:
• Mobile Security and MDM
• Cyber Security & Cloud Security
• Compliance & Transparency and Security Writing

Agenda
• Blackberry OS review
• Shell Access
• The Approaches
• Firmware from the inside
• Playing with the browser
• Security on the application level
• Funny with APIs
• MDM capabilities
• Efficiency of security features
• Future research
Blackberry OS review
Built on QNX!
• Tiny
• Micro-kernel architecture
• Virtual memory allocation for each process
• POSIX-compliant
QNX = MK (microkernel) + PM (process manager) + processes

Blackberry OS review
That's what the system looks like: (architecture diagram on the slide)

Blackberry OS review
That's what the microkernel looks like: (microkernel diagram on the slide)
Shell Access
Extremely easy!
• development mode → on
• generate a 4096-bit RSA key (ssh-keygen/putty)
• blackberry-connect <t> -password <p> -sshPublicKey <k>
• ssh 169.254.0.1 → nuts
Even easier:
• Dingleberry → nuts
• /accounts/devuser/
The Approaches
1. General permissions
• SUID/SGID, e.g. -rwxrwsrwx 1 root root
• Writable files and folders
"find all suid files"                                 => find / -type f -perm -04000 -ls
"find all sgid files"                                 => find / -type f -perm -02000 -ls
"find config* files"                                  => find / -type f -name "config*"
"find all writable folders and files"                 => find / -perm -2 -ls
"find all writable folders and files in current dir"  => find . -perm -2 -ls
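An audit script in the spirit of the find commands above, added here as an example (it is not code from the slides or their authors): it walks a tree, flags setuid, setgid and world-writable entries, tags root-owned hits for priority, and skips symlinks and unreadable entries instead of aborting; the sample tree it builds is constructed, not a device image.

```python
import os
import stat
import tempfile

# Bits the slide's find commands test for: -perm -04000, -perm -02000, -perm -2.
CHECKS = {
    "suid": stat.S_ISUID,
    "sgid": stat.S_ISGID,
    "world-writable": stat.S_IWOTH,
}


def audit_tree(root):
    """Walk root and return {relative path: [flags]} for every file or
    directory that is setuid, setgid or world-writable. Root-owned hits get
    an extra "root-owned" flag, since that is the case to report first."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue          # unreadable entry: skip, do not abort the audit
            if stat.S_ISLNK(st.st_mode):
                continue          # the mode bits of a symlink itself mean nothing
            flags = [label for label, bit in CHECKS.items() if st.st_mode & bit]
            if flags:
                if st.st_uid == 0:
                    flags.append("root-owned")
                findings[os.path.relpath(path, root)] = flags
    return findings


def build_sample_tree():
    """Constructed sample tree (hypothetical, not from a device) with one hit
    of each kind plus a clean binary that must not be reported."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr/bin"), mode=0o755)
    os.makedirs(os.path.join(root, "tmp"), mode=0o755)

    def touch(rel, mode):
        path = os.path.join(root, rel)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)

    touch("usr/bin/helper", 0o4755)       # rwsr-xr-x: setuid
    touch("usr/bin/grouptool", 0o2755)    # rwxr-sr-x: setgid
    touch("usr/bin/clean", 0o755)         # ordinary binary, no finding
    touch("tmp/config_shared", 0o666)     # rw-rw-rw-: world-writable file
    os.chmod(os.path.join(root, "tmp"), 0o1777)  # world-writable directory
    return root


if __name__ == "__main__":
    for path, flags in sorted(audit_tree(build_sample_tree()).items()):
        print(path, ", ".join(flags))
```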
The Approaches
2. Fuzzers
• IOCTL fuzzing
  • no params
  • overlong strings
  • pre-determined DWORDs
Process 1924486014 (python3.2) terminated SIGSEGV code=1 fltno=11 ip=011c90c4(/usr/lib/ldqnx.so.2@ioctl+0x113c) mapaddr=000790c4. ref=00000000
• Binary bit-/byteflipping (EDB-ID #7823)
The Approaches
3.1. System utilities. BOFs
Many missing: setuidgid, id, dumpifs…
Many interesting:
• confstr – current configuration including path, architecture and network info
• dmc – digital media controller
• fsmon – file system monitor
• jsc – JavaScript engine for the Webkit used on the device
• ldo-msm – LDO driver
• mkdosfs – format a DOS filesystem (FAT-12/16/32)
• mkqnx6fs – format a QNX6 filesystem (the filesystem present in Blackberry OS)
• and also tools such as mount, on, nfcservice, nvs_write_bin and displayctl.

The Approaches
3.1. System utilities. BOFs
Process 57340127 (displayctl) terminated SIGSEGV code=1 fltno=11 ip=788293d2(/base/usr/lib/graphics/msm8960/displayHALr086.so@dsi_get_pclk_freq+0x121) mapaddr=000093d2. ref=00000008
Process 249935086 (nowplaying) terminated SIGSEGV code=1 fltno=11 ip=78102cce(/usr/sbin/nowplaying@main+0x19d) ref=00000000
Process 1545237780 (charge_monitor) terminated SIGSEGV code=1 fltno=11 ip=010b998c(/usr/lib/ldqnx.so.2@message_detach+0x8) mapaddr=0003998c. ref=00000028
Process 1543295477 (shutdown) terminated SIGSEGV code=1 fltno=11 ip=78117c3e(/proc/boot/shutdown-msm8960.so@pmic_ssbi_read+0x15) mapaddr=00001c3e. ref=ffffffff
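The crash notices on this slide and on the fuzzing slide before it share one format, so a triage parser is the natural defender-side tool for sorting them; this is an added example, not code from the authors, and its bucketing of the faulting address (`ref`) is a heuristic assumption for a 32-bit target, not a QNX-documented rule.

```python
import re
from collections import Counter

# Shape of the QNX crash notices quoted on the slides:
# Process <pid> (<name>) terminated SIGSEGV code=<n> fltno=<n>
#   ip=<addr>(<module>@<symbol>+<offset>) [mapaddr=<addr>.] ref=<addr>
CRASH_RE = re.compile(
    r"Process (?P<pid>\d+) \((?P<proc>[^)]+)\) terminated (?P<sig>SIG[A-Z]+) "
    r"code=(?P<code>\d+) fltno=(?P<fltno>\d+) "
    r"ip=(?P<ip>[0-9a-f]+)\((?P<module>[^@)]+)@(?P<sym>[^+)]+)\+(?P<off>0x[0-9a-f]+)\)"
    r"(?: mapaddr=(?P<mapaddr>[0-9a-f]+)\.)? ref=(?P<ref>[0-9a-f]+)"
)


def classify_ref(ref):
    """Heuristic bucket for the faulting data address (ref), assuming the
    32-bit address space of the Z10. Low values mean NULL or a field read
    through NULL; top-of-range values usually mean a negative or wrapped
    offset. Both point at missing input validation worth a bug report."""
    if ref < 0x1000:
        return "null-page"
    if ref >= 0xF0000000:
        return "high-address"
    return "wild-pointer"     # anything else needs a debugger session


def parse_crash(line):
    """Parse one notice into a dict; None if the line is not a crash notice."""
    m = CRASH_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()          # mapaddr is None when the notice lacks it
    d["ref_class"] = classify_ref(int(d["ref"], 16))
    d["in_shared_lib"] = ".so" in d["module"].rsplit("/", 1)[-1]
    return d


def triage(lines):
    """Parse every line, drop the rest, and count faults per module so the
    component crashing most often is reported first."""
    parsed = [p for p in map(parse_crash, lines) if p]
    return parsed, Counter(p["module"] for p in parsed)


# Constructed input: the five notices quoted on the slides, one per line.
SAMPLE = """\
Process 1924486014 (python3.2) terminated SIGSEGV code=1 fltno=11 ip=011c90c4(/usr/lib/ldqnx.so.2@ioctl+0x113c) mapaddr=000790c4. ref=00000000
Process 57340127 (displayctl) terminated SIGSEGV code=1 fltno=11 ip=788293d2(/base/usr/lib/graphics/msm8960/displayHALr086.so@dsi_get_pclk_freq+0x121) mapaddr=000093d2. ref=00000008
Process 249935086 (nowplaying) terminated SIGSEGV code=1 fltno=11 ip=78102cce(/usr/sbin/nowplaying@main+0x19d) ref=00000000
Process 1545237780 (charge_monitor) terminated SIGSEGV code=1 fltno=11 ip=010b998c(/usr/lib/ldqnx.so.2@message_detach+0x8) mapaddr=0003998c. ref=00000028
Process 1543295477 (shutdown) terminated SIGSEGV code=1 fltno=11 ip=78117c3e(/proc/boot/shutdown-msm8960.so@pmic_ssbi_read+0x15) mapaddr=00001c3e. ref=ffffffff
""".splitlines()

if __name__ == "__main__":
    print(triage(SAMPLE)[1].most_common(1))
```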
The Approaches
3.2. System utilities. Vulnerable syscalls. displayctl.
(screenshot only; no text in the transcript)

The Approaches
3.2. System utilities. Vulnerable syscalls. nvs_write_bin.
Nonvolatile (sometimes written as "non-volatile") storage (NVS), also known as nonvolatile memory or nonvolatile random access memory (NVRAM), is a form of static random access memory whose contents are saved when a computer is turned off or loses its external power source. NVS is implemented by providing static RAM with backup battery power, or by saving its contents to, and restoring them from, an electrically erasable programmable ROM (EEPROM).
Firmware from the inside
Firmware update? Yes, please!
MFCQ → QNX image
(image layout shown on the slide)

Firmware from the inside
Tools to deal with:
• qfcm_parser.py → partitions!
• chkqnx6fs → info about the images
• dumpifs → IFS dump
• https://github.com/intrepidusgroup/pbtools

Firmware from the inside
Pearls inside:
ALL the scripts and configs can be read now!
• .script (start-up)
• ifs_variables.sh (sysvars)
• os_device_image_check
• the microkernel itself

Firmware from the inside
Pearls inside:
Protected tools can be launched now!
persist-tool: insecure syscalls can be reproduced (read/dump data)
Dumped data shown on the slide:
Bootrom Version: 0x0523001D (5.35.0.29)
DeviceString: RIM BlackBerry Device
BuildUserName: ec_agent
BuildDate: Nov 3 2012
…
IsInsecureDevice: false
HWVersionOffset: 0x000000D4
NumberHWVEntries: 0x00000014
MemCfgTableOffset: 0x000000FC
MemCfgTableSize: 0x00000100
Drivers: 0x00000010 [ MMC ]
LDRBlockAddr: 0x2E02FE00
BootromSize: 0x00080000
BRPersistAddr: 0x2E0AFC00

Firmware from the inside
Pearls inside:
Funny comments (code reviewers will like it)
function setScreenScaling (width, height) {
  ...
  //ZOOM TO POINT IS FULL OF BUGS - Docs state that coordinates should only ever be in center of screen
… and more:
// TODO: Once the QML bug about not being to access the page values that are provided as a parameter to this slot is fixed ...
// The zipfile.ZipFile.write() method has a bug where it raises struct.error: ushort format requires 0 <= number <= USHRT_MAX
// Too many bytes for PNG signature. Potential overflow in png_zalloc()

Firmware from the inside
Pearls inside:
Facebook – too much ;)
• IDs
• Emails
• Mobile phones
• Secrets
• Passwords
Plaintext!
Playing with the browser
• Webkit rendering engine
• Vulnerabilities are just the same (i.e. as for Google Chrome)

Playing with the browser
Local file access from the browser
• HTML page as an email attachment
• file:// → nuts
The vulnerability has since been fixed.
Security on the Application Level
BlackBerry Z10 – Vulnerability in BlackBerry Protect
Limited: by the inability of a potential attacker to force exploitation of the vulnerability without significant customer interaction and physical access to the device
Affected software:
• BlackBerry 10 OS version 10.0.10.261 and earlier, except version 10.0.9.2743
• BlackBerry Z10 smartphone only
The vulnerability has since been fixed.

Security on the Application Level
Special artifacts ".all" as a kind of logs
• PATH: /pps/system/<name>/.all
• Browsers: history
• Networking: ID, flags, MACs
• Device IDs: hardware, PIN, name, serials, etc.
• Video Chats: params, call details
• BlackBerry Bridge
  • SapphireProxy
  • Status, name, address, auth token, key
  • Autostart param
  • Routes: BB, BIS, BER: 127.0.0.2:188/189/187
• Results: access to the internal network, internal storage, media files, and the rest (contacts, calendar, etc.) in the case of a non-QNX device
Currently there are no details on whether it is solved.
Author's opinion: can't be solved or cracked in similar ways
Funny with APIs
• Useful ideas that don't make enough sense
• Merging permissions into one group
• No way to emulate hardware inputs, but the results of pressing are strongly restricted if there are any
• Sandbox
  • Malware is a personal application subtype in terms of Blackberry's security
  • The sandbox protects only app data, while user data is stored in shared folders

Funny with APIs
• Non-controlled activity by any permission
• Accessing data passed through the clipboard
• Access to 'Accounts' leads to 'read' access to contacts, messages, notebooks and calendar by default
• MediaPlayer is a great way to access the FS
• Access to the file system in many ways, and in most cases managing the device's resources:
  • Camera activity
  • Contact photos
  • Calendar event attachments
  • Message attachments (Email, BBM)
  • Saving records (camera photos, video, audio)
BlackBerry MDM
Permission groups per platform (data of the chart on the slide):

Platform         Quantity of groups   Average perm per group   Efficiency   Total permissions
BlackBerry Old   55                   20                       80.00        1100
iOS              16                   5                        38.46        80
BlackBerry QNX   7                    7                        31.82        49
Android          4                    4                        10.26        16
Efficiency of security features
• Activity
  • Common Min/Average/Max quantity :: 2 / 8 / 34
  • Additional Min/Average/Max quantity :: 0 / 2 / 7
  • Derived Min/Average/Max quantity :: 3 / 31 / 116
• Permission
  • Common Min/Average/Max quantity :: 0 / 1 / 3
  • Additional Min/Average/Max quantity :: 1 / 0 / 1
  • Derived Min/Average/Max quantity :: 4 / 4 / 8
• APIs
  • Common / Significant quantity :: 100 / 61
• The most secure unit is LED activity
Efficiency of security features
Ratio of common activities to permissions
(bar chart: "Q. of m.+a. activity" vs "Q. of m.+a. permission" per application; values not recoverable from the transcript)

Efficiency of security features
Ratio of derived activities to permissions
(bar chart: "Q. of derived activities" vs "Q. of derived perm" per application; values not recoverable from the transcript)

Efficiency of security features
(bar chart: "% m+a activity vs perm" and "% m+a derived activity vs perm" per application; values not recoverable from the transcript)
Future research
• Image parser fuzzing
• Jailbreak
• IOCTL / syscalls further research
• Play more with SSH
• Blackberry Balance is not available yet
• Permission collision
• Overpermissioning by system applications and services
• Bypassing MDM features by both of the previous

Full articles
… are available here (no SMS to send is required! Free for a very limited time!)
• Blackberry Z10 research
• Blackberry and more
http://goo.gl/dP9iR
http://goo.gl/PpXxg
