Picking blackberries

1 | Copyright © 2013, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
Picking Blackberries
GRRCON 2014
THOMAS RICHARDS

About Me
• Thomas Richards
• Security Consultant @ Cigital, Inc
• @g13net - Twitter
• Web App, Mobile, Red Team
assessments
• Organizer for BsidesROC
• Presented previously at DerbyCON,
GrrCON, CarolinaCON, BsidesSF

ToC
• 0x1 Intro + History
• 0x2 BB10 Platform Security
• 0x3 BB10 Simulator
• 0x4 BB10 Apps
• 0x5 Misc

0x1 Intro

Blackberry
• What is Blackberry?
o Formally Research in Motion(RIM)
o Canadian
o Started with Pagers
• Introduced its first smartphone to receive
corporate email in April 2000
• Very popular with governments and
businesses
o Until about 2007

BBOS
• Original proprietary OS used on
Blackberry handsets
• Ran Java Apps
• If you owned a Blackberry before 2013
this is what you used
• Last version released is 7.1

BB10
• In an attempt to stay relevant and
compete against iOS and Android, BB
released BB10
• Radical departure from previous Oses
• Based on QNX
• What happened to BB8 and BB9?

QNX
• Commercial Unix-like real-time operating
system.
• Originally targeted at the embedded
systems market
• First version released in 1982

QNX Cont.
• Micro-kernel Based
• Real-Time Operating System
• POSIX compliant

QNX Architecture

Acquired by BB
• QNX was bought by BB in 2010
• The next day, access to the source code
was restricted
• The Blackberry Playbook was the first
BB device to run a QNX based OS
• Tablet OS

Playbook

Z10
• First BB10 based phone
• Released in 2013
• Did not include a hardware keyboard

Insert picture of Z10

Tablet OS Vs BB10
• Aside from UI changes
• Android Applications
o Wha????

Android on BB10
• Full Android Environment and runtime
• Originally Apps needed to be “wrapped”
• Newer versions support traditional APKs
• App Stores?
o Play Store was not there
o BB announced partnership with Amazon to
include Amazon Store in BB10.3

0x2 BB10 Platform Security

Landscape
• The Playbook was rooted early on, BB
was determined to prevent that on new
BB10 phones
• Introduced a number of hardware and
software security measures to keep the
devices secure and locked

Rooting Playbook
• Took advantage of unsigned backup files
• Modifies the backup and edits
Samba.conf
• Blackberry patched this.
• Dingleberry

System Protection
• To prevent exploits:
o ASLR is enabled
o Stack Canaries
o DEP

Hardware Protection
• Firmware images are signed
• Blackberry controls both the hardware
and software
• Keys to verify the firmware images are
embedded

Secure Boot

Application Sandboxing
• Done by filesystem permissions
• Enforced by authman
• Memory is also contained

Authman
• Authorization Manager
• Resource manager which handles
requests from processes
• Apps send requests through launcher
• Authman verifies the apps have
permission to access the service or
component they are requesting

Dual Persona
• Blackberry Balance
o Work and Personal “spaces”
o Enforced by filesystem permissions and
authman
oWork apps are separate from personal ones

Balance Boundries
• When I had access to BB10 in an
enterprise environment….
• The Workspace was able to access files
and information in the personal space
o Email information, clipboard
o These files were world-readable

0x3 BB10 Simulator

Developing for BB10
• BB offers a simulator to test apps without
needing a BB10 device
• Vmware image
• x86 
o Actual BB10 devices are ARM

No Registration Required!

Simulator

Couple of Caveats
• Applications compiled for the Sim need
to be recompiled for a device
o Symbols get stripped when compiled for a
device
• No root access*
• No Blackberry World access*

Rooting the Simulator
• Wanted to start digging around at the
internals of the system.
• Already had shell access
• How to get root?

Editing the FS
• Needed to mount vmware disk image in
another VM in order to modify the disk
• Linux only has read support for the
QNX6 FS(what is one the BB10)
• Solution?

QNX Neutrino VMWare Image

QNX Neutrino Vmware Image
• No registration needed
• QNX environment which supports QNX6!
• Profit!

How to root
• Add BB10 sim disk to QNX SDP VM
• Boot
• Mount the disk
• Edit /etc/shadow to include a root entry
o I copied the devuser entry from the QNX
image so I knew the password
• Woot.

Shadow file

Blackberry World Access
• On Beta releases of the Sim, BBWorld
access was restricted
• Two things were needed:
o Blackberry ID
o Valid Hardware ID
• Found a way to spoof it and gain
BBWorld access

However…
• It appears BB has made my efforts futile
• BBWorld works on version 10.0.09-2372
of the simulator
• Without changes ?

Next Steps
• Explore file system
• See Zach Lanier and Ben Nell’s talk from
CanSecWest

0x4 BB10 Apps

Write apps in…
• Native
o C/C++
• HTML5
• Adobe AIR
• Android!

BB10 App Packaging
• BAR files
• Similar to APKs, basically signed ZIP
archives
• Will contain two directories, META-INF
and native(or android)

Exploded BAR

META-INF
• Contains MANIFEST.MF
• Package Information
• Checksums
• Etc.

Native/
• Bardescriptor.xml
• Application binary and assets

Exploring BBWorld
• With World access on the rooted
simulator
• We can start to explore and pick apart
apps on the market

Casual Observations
• Want to do mobile banking?
• Only two US banks are:
oWells Fargo
o BoA
• Lots of European and Canadian Banks!

Oh and…
• Of course Bitcoin

Details, Details

Reviews

Sachesi
• Open source tool to extract, search,
(un)install BB firmware and applications
• Also can backup, restore, wipe, and
nuke a device
• New version has access to browse BB
World

AppWorld

Firmware

Installing Apps

Repacking Apps
• As stated before, each BAR file will
contain META-INF/ and native/(or
android/) directories.
• When an app is installed on a device, the
BAR file gets removed.
• What is left behind…..

Yay….
• The public/ dir isn’t needed
• With root access to the simulator
• With BB World running on the simulator
• …
• We can extract apps from the simulator
for repacking(malicious or piracy)

Quick Note
• Pretty sure third party BB app stores
aren’t a thing.
• This is purely academic

How to Repack A BB App
• Sign up and get a BB Developer Cert
o Free!
o Incredibly long process…not detailing here
• Download app from World in simulator
• Extract installed directory
• Add META-INF/ and native/ to new .BAR
file(just a ZIP)
• Sign .BAR with your cert
• Profit!

Creating the Bar

Signing the Bar

Sachesi again
• Debug token is not needed to install
BARs onto a BB
• They can be sideloaded with Sachesi

Installed BAR

App on Device

Proxy Settings
• So you want to fiddle with an app that is
running on the device
• BB10 contains settings to enable a proxy
and install root CA certificates(like
Burp’s)

Proxy Settings

How to Import a Cert

Traffic in Burp

0x5 Misc

Device DoS
• There are lots of QNX documents
available online
• Browsing around, /dev/shmem took
interest

/dev/shmem

Exploit
• /dev/shmem is the entire RAM
• Using DD you can just fill the entire RAM
• dd if=/dev/zero of=/dev/shmem/dos
bs=1-24 count=1000000000
• Device will require a reboot

Reporting
• Told BB about it, this was their response:
• While it would be ideal to have the
system be more stable under intentional
resource exhaustion by non-privileged
apps, that's an area for future design
changes and not a vulnerability we would
release a security update for.
• TL;DR – We’ll look into it later

The Clipboard
• World readable and writeable directory
• Apps can write files outside of their
sandbox
• Any app can read the clipboard file
without using APIs(like in Android and
iOS)

Insert Picture of balls created

Code for scraping clipboard
//open file as binary
char content[250];
FILE *fp =
fopen("/accounts/1000/clipboard/text.plain"
, "r");
int rc = fscanf(fp, "%s", &content);

Blackberry-connect
• Shell access to a device is very limited.
• Only SSH
• Must use blackberry-connect to push
public key
• Must auth with private key
• devuser

Interesting bits

Picking blackberries

Recommended

Recommended

More Related Content

Similar to Picking blackberries

Similar to Picking blackberries (20)

Recently uploaded

Recently uploaded (20)

Picking blackberries

Editor's Notes