Show different attack surfaces a phone can have • Commonalities with mobile, Linux, ARM, etc • Good intro to mobile phones / embedded devices / Linux hacking in general
property • Mer == open-source MeeGo fork • Combine open-source: Mer + Wayland + QT5/QML • And proprietary: Silica (complement to QtQuick), Lipstick (shell on top of Wayland) • Change .deb -> openSuSE RPM, apt -> zypper, upstart -> systemd • We get Sailfish OS!
Half • Ambiance / theme based on cover • Keyboard, other peripherals, etc • Uses NFC and I2C to communicate with device • Check out our EkoParty 2014 presentation for research performed by Chris Weedon
N D R O I D ! 0 H ] \0 \0 200 200 0000020 257 022 6 \0 \0 \0 202 \0 \0 \0 \0 \0 \0 020 201 0000040 \0 001 200 \0 \b \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 0000060 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 0000100 i n i t = / s b i n / p r e i n 0000120 i t r o o t = / d e v / m m c 0000140 b l k 0 p 2 8 r o o t f s t y 0000160 p e = b t r f s r o o t f l a 0000200 g s = r e c o v e r y n o i n 0000220 i t r d a n d r o i d b o o t 0000240 . h a r d w a r e = q c o m u 0000260 s e r _ d e b u g = 3 1 e h c 0000300 i - h c d . p a r k = 3 m a x 0000320 c p u s = 2 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 0000340 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0
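The od output above is the Android boot image header that Sailfish inherits from the Qualcomm/Android boot chain (the boot_img_hdr layout written by mkbootimg): the "ANDROID!" magic, kernel/ramdisk sizes and load addresses, the page size, and the kernel command line at byte offset 64 (octal 0000100 in the dump). The Python below is an added example, not code from the presentation: it builds a constructed image carrying the cmdline shown in the dump (the sizes, name and load addresses are made-up sample values, not the Jolla's) and parses it back, so a reviewer can read off the root device, init binary and debug parameters instead of decoding an od dump by hand. Pointed at a raw copy of a boot partition it does the same for real images.

```python
import struct

# boot_img_hdr v0 (the layout mkbootimg writes): magic, 8 u32 fields, 2 unused u32,
# 16-byte name, 512-byte cmdline, 8 u32 of digest, 1024-byte extra cmdline.
BOOT_MAGIC = b"ANDROID!"
HDR_FMT = "<8s8I2I16s512s8I1024s"
HDR_SIZE = struct.calcsize(HDR_FMT)  # 1632 bytes

# Kernel command line taken from the od dump on this page.
SAMPLE_CMDLINE = ("init=/sbin/preinit root=/dev/mmcblk0p28 rootfstype=btrfs "
                  "rootflags=recovery noinitrd androidboot.hardware=qcom "
                  "user_debug=31 ehci-hcd.park=3 maxcpus=2")


def build_boot_image(kernel: bytes, ramdisk: bytes, cmdline: str,
                     page_size: int = 2048) -> bytes:
    """Assemble a constructed boot image: header, kernel and ramdisk, each padded
    to a page boundary. Load addresses are sample values, not the device's."""
    def pad(blob: bytes) -> bytes:
        return blob + b"\0" * (-len(blob) % page_size)

    header = struct.pack(
        HDR_FMT, BOOT_MAGIC,
        len(kernel), 0x80208000,      # kernel_size, kernel_addr (sample)
        len(ramdisk), 0x82000000,     # ramdisk_size, ramdisk_addr (sample)
        0, 0x81100000,                # second_size, second_addr (sample)
        0x00800100, page_size,        # tags_addr (sample), page_size
        0, 0,                         # unused / header_version fields
        b"sample-boot", cmdline.encode(),
        *([0] * 8), b"")              # id[8] digest, extra_cmdline
    return pad(header) + pad(kernel) + pad(ramdisk)


def parse_boot_header(image: bytes) -> dict:
    """Decode the header and compute where the kernel and ramdisk blobs start."""
    if len(image) < HDR_SIZE:
        raise ValueError("image shorter than boot_img_hdr")
    fields = struct.unpack_from(HDR_FMT, image, 0)
    if fields[0] != BOOT_MAGIC:
        raise ValueError("missing ANDROID! magic")
    (kernel_size, kernel_addr, ramdisk_size, ramdisk_addr,
     second_size, second_addr, tags_addr, page_size) = fields[1:9]
    if page_size == 0 or page_size & (page_size - 1):
        raise ValueError("page_size must be a power of two")

    def pages(n: int) -> int:          # round n up to a whole number of pages
        return -(-n // page_size) * page_size

    kernel_offset = page_size          # the header occupies exactly one page
    ramdisk_offset = kernel_offset + pages(kernel_size)
    if ramdisk_offset + ramdisk_size > len(image):
        raise ValueError("ramdisk extends past end of image")
    return {
        "kernel_size": kernel_size, "kernel_addr": kernel_addr,
        "ramdisk_size": ramdisk_size, "ramdisk_addr": ramdisk_addr,
        "second_size": second_size, "second_addr": second_addr,
        "tags_addr": tags_addr, "page_size": page_size,
        "name": fields[11].rstrip(b"\0").decode("ascii", "replace"),
        "cmdline": fields[12].rstrip(b"\0").decode("ascii", "replace"),
        "kernel_offset": kernel_offset, "ramdisk_offset": ramdisk_offset,
    }


def cmdline_params(cmdline: str) -> dict:
    """Split 'key=value' and bare-flag tokens; bare flags (noinitrd) map to None."""
    params = {}
    for token in cmdline.split():
        key, sep, value = token.partition("=")
        params[key] = value if sep else None
    return params


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                         # e.g. a dd copy of the boot partition
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:                                         # fall back to the constructed sample
        data = build_boot_image(b"K" * 100, b"R" * 3000, SAMPLE_CMDLINE)
    hdr = parse_boot_header(data)
    for key, val in hdr.items():
        print(f"{key:15} {val:#x}" if isinstance(val, int) else f"{key:15} {val}")
    for key, val in cmdline_params(hdr["cmdline"]).items():
        print(f"  cmdline {key} = {val}")
```

Run without arguments it parses the constructed sample; with a path it parses that file. The offsets matter for the restore-lock work later in the deck: the ramdisk (where that binary lives) starts at the first page boundary after the kernel, so it can be carved out of a partition dump without guessing.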
+ power at boot (no USB) • telnet-based connection • menu system of shell scripts • Access fastboot with vol down + power at boot (with USB) • needs identifier 0x2931 (fastboot -i 0x2931) • not all args supported, locked by default
set in userland via system settings • Discovered restore-lock binary in recovery ramdisk • mmcblk0p27 (security partition) • header shows lock/unlock status • possible hash? • partition 6 changes based on lock status • partition 2 had interesting string as well
and developer mode! • not an ideal security model • at least some protection • Interesting mix of different software may expose additional issues later on
value earlier. Sounds like SHA-1. • We saw the restore-lock binary which performs the actions we’re interested in. • Why don’t we look at how it checks the PIN code…
Something from mmcblk0p2 • A static string • Another value from mmcblk0p2 • A static string • Calling into OpenSSL for EVP_SHA1 and HMAC functions • The concatenated string is the key for HMAC-SHA1
the function prototype… unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len, const unsigned char *d, int n, unsigned char *md, unsigned int *md_len);
convention, that second argument should be in register R1 • Sure enough… Breakpoint 1, 0x400dec14 in HMAC () from /lib/libcrypto.so.10 (gdb) x/s $r1 0xbefff734: "359745050083150010101011115A05AF0161101101000111"
parts are static, we’ll figure out more in a bit • Having hash and HMAC key, how to recover plaintext pin? • hashcat does a great job at HMAC-SHA1…
systems often have bugs from the 90s • Linux / userland bugs will affect this environment too • Focus: map out Sailfish/Jolla/Meego-specific attack surface
• A lot of test binaries and applications left intact • Not sure if this is a result of enabling developer mode or if this is stock • Ex: qseecomd_security_test, oemwvtest, StoreKeybox • Attack surface is potentially huge, but gets small quickly. • Virtually no listening services other than DHCP, so remote attack surface is small from a network perspective. • Leaves plenty of room for vulnerable applications
RELRO, PIE, NX, etc? • Nope… not here. Well, some of it is (see next page) • As of now, the system relies heavily on *nix USER/FS permissions • Which isn’t bad… it’s just not great • There are plans to implement these things in the future though…
written in C/C++ • Although there are lots of shell scripts on the device • Mix of ELF32 armv7hl binaries and QML “applications”; I’m using “application” here very loosely • Often, the binaries have QT API calls embedded in them that leverage the QML “applications”. • Picture the binary as the service, and the QML as the GUI • What is QML? • QT Meta Language or QT Modeling Language • It’s like Javascript, OpenSCAD, Python, and LaTeX all rolled into one • Used to describe what something will look like, and the action that thing will perform
• And there are some traditional suids/sgids $ find / -type f -perm -u+s 2>/dev/null • Interesting: owned by root or gid == privileged • Not common to other Linux distros (Sailfish/Mer/Maemo binaries?)
Research ongoing ☺ • /usr/bin/csd [suid root/gid disk] – Diagnostic utility (can also be triggered via *#*#310#*#* on dialer). Neat by itself. • /usr/libexec/mapplauncherd/booster-silica-qt5 [suid root] – Used to support Silica extensions, uses mapplauncherd • /usr/bin/devel-su [suid root] – Custom SU. Written in C! No stack canaries or PIE
or install via pkcon • Memory corruption would be nice • Fuzz input • Fuzz environment variables • Get more intelligent ☺ • But it’s also very dangerous for suids to shell out • We should look for system() and popen(), right?
for vulns across mobile platforms • grep’ing /init* for chown and chmod are good starting points • Can we get it to chmod, chown or do something else to a file in a location we can write to? • Can we symlink? Or: hardlink. Sailfish didn’t follow symlinks but does follow hardlinks, not sure why…
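The mitigation checklist above (RELRO, PIE, NX) and the devel-su note (no stack canaries or PIE) are the kind of claims worth checking mechanically across every suid binary the find command turns up. The Python below is an added example, not code from the presentation: it reads PIE, NX and RELRO state straight from ELF32 headers (PIE from e_type, NX from the PT_GNU_STACK flags, RELRO from PT_GNU_RELRO plus DT_FLAGS/DT_FLAGS_1 BIND_NOW in the dynamic table), which is the same information checksec derives via readelf. It builds constructed ELF32 ARM images with chosen flags so it runs offline; the build_elf32 helper and its sample images are assumptions of this example, not real device binaries. Stack canaries need the symbol table and are not covered.

```python
import struct

# Constants from the ELF specification and the GNU extensions (elf.h).
ET_EXEC, ET_DYN = 2, 3
EM_ARM = 40
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR_SIZE, PHDR_SIZE = 52, 32      # ELF32 header and program header sizes


def check_elf32(data: bytes) -> dict:
    """Report PIE / NX / RELRO status of an ELF32 image from its headers alone."""
    if data[:4] != b"\x7fELF" or data[4] != 1:          # EI_CLASS must be ELFCLASS32
        raise ValueError("not an ELF32 image")
    end = "<" if data[5] == 1 else ">"                   # EI_DATA: 1 = little-endian
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    (e_phoff,) = struct.unpack_from(end + "I", data, 28)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)

    nx = False            # no PT_GNU_STACK: the loader assumes an executable stack
    relro_segment = False
    bind_now = False
    for i in range(e_phnum):
        p_type, p_offset, _va, _pa, p_filesz, _memsz, p_flags, _align = \
            struct.unpack_from(end + "8I", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro_segment = True
        elif p_type == PT_DYNAMIC:
            # Walk the dynamic table looking for BIND_NOW, which turns a RELRO
            # segment into "full" RELRO (GOT made read-only after eager binding).
            for off in range(p_offset, p_offset + p_filesz, 8):
                d_tag, d_val = struct.unpack_from(end + "II", data, off)
                if d_tag == DT_NULL:
                    break
                if (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) or \
                   (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                    bind_now = True
    relro = "full" if relro_segment and bind_now else \
            "partial" if relro_segment else "none"
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def build_elf32(pie: bool, nx: bool, relro: str) -> bytes:
    """Construct a minimal, non-loadable ELF32 ARM image with the chosen
    hardening flags, so the checker can be exercised without a device."""
    phdrs, dyn = [], []
    if relro in ("partial", "full"):
        phdrs.append((PT_GNU_RELRO, 0, 0, 0, 0, 0, PF_R, 1))
    if relro == "full":
        dyn.append((DT_FLAGS, DF_BIND_NOW))
    phdrs.append((PT_GNU_STACK, 0, 0, 0, 0, 0,
                  PF_R | PF_W | (0 if nx else PF_X), 0x10))
    dyn.append((DT_NULL, 0))
    dyn_blob = b"".join(struct.pack("<II", t, v) for t, v in dyn)
    phnum = len(phdrs) + 1                                # plus PT_DYNAMIC below
    dyn_off = EHDR_SIZE + phnum * PHDR_SIZE
    phdrs.append((PT_DYNAMIC, dyn_off, 0, 0, len(dyn_blob), len(dyn_blob),
                  PF_R | PF_W, 4))
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8  # ELFCLASS32, LE, v1
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH",
                               ET_DYN if pie else ET_EXEC, EM_ARM, 1, 0,
                               EHDR_SIZE, 0, 0, EHDR_SIZE, PHDR_SIZE, phnum,
                               0, 0, 0)
    return ehdr + b"".join(struct.pack("<8I", *p) for p in phdrs) + dyn_blob


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:]          # e.g. binaries copied off a developer-mode device
    if targets:
        for path in targets:
            with open(path, "rb") as fh:
                print(path, check_elf32(fh.read()))
    else:
        for args in ((True, True, "full"), (False, False, "none")):
            print(args, check_elf32(build_elf32(*args)))
```

Feeding it the output of the find command above (for example via xargs) gives a one-line hardening summary per suid binary; a non-PIE, no-NX result on something like devel-su is exactly the condition the slide describes.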
use it on: nothing suid loaded env vars, dhclient not in use • Maybe missed opportunity with some binaries that run from invoker. Or CSD. • Patched in latest hotfix
i <= 150; i++)); do ./trigger_sock_diag $i; done Sending with family 39 Sending with family 40 Sending with family 41 Sending with family 42 Sending with family 43 Sending with family 44 Sending with family 45 Sending with family 46 …..
always well configured • For example, the "nemo" user is in group "system", which has write access to procfs endpoints you wouldn't expect, e.g. --w--w---- 1 root system 0 2015-06-13 22:24 /proc/sysrq-trigger
OS / mobile attack surface • iOS uses URL handlers, Android uses Intents/Binder/ASHMEM - all have led to vulnerabilities in the past • What does Sailfish OS use?
to other Linux environments • …but everything runs as “nemo” • dbus-monitor provided, acts as sniffer • Regular user discovered Outlook passwords • Interesting area to explore further
“nmap for dbus” - https://github.com/taviso/dbusmap • Enumerates methods and properties exposed by D-Bus services • Amongst standard D-Bus services, several belonged to Jolla / Meego / Nokia
not just suid binaries can execute as root. • All same vulns apply. Look for low-hanging fruit (command execution, etc), memory corruption, etc • Did some manual fuzzing (no results), looking into dbus fuzzers (suggestions?) • Methods / properties can be interacted w/ using dbus-send
attacked? • What binaries / utilities / whatever does the vendor provide that users interact with and you have a chance to affect? • Exposed services, anything that reads files (word processing, etc)
to Jolla to ask them what the lifecycle was like. • They seemed unsure of what we were asking… still waiting for response(update with current info before conf)
on any other Linux system • Set up proxies for HTTP/HTTPS connections (we all know how to do that) • Create your own iptables rules and scripts to forward anything wherever you want • Get dynamic: fashion scripts to load rules when certain applications run
• General traffic: long-hold WiFi SSID, click Edit • Cert pinning (or client-side certs?) - Store, Updates • Weirdness: if you check for updates, the actual updates are NOT cert pinned (snagged the RPMs this way) • As an aside: it sends your Jolla creds with a hashed password • Installing CA cert (like Burp’s) is easy. Look online. • put in /etc/pki/tls/certs/ • run multi_c_rehash
application: • Evaluate file permissions • Use old friends like: • GDB • LDD • strace • strings • Etc… • Then find the location of the application’s QML files and it’s code review time
invoker was primarily designed to boost app startup times and save device memory • Also invoker handles Group and User Privs, such as access to the credentials store or contacts DB • What is Invoker really? • Turns out invoker is basically just a wrapper to ‘mapplauncherd’ • The invoker binary takes the app name and a default set of options in the invoker binary and passes them to mapplauncherd
ports, exposed I2C and SPI, etc • More and more tools (hardware and software) to explore this surface (JTAG tools, logic analyzers with intuitive software, etc) • Can be used to bypass software restrictions
to download • NFC radio only active when switch pressed • Sticker is standard MIFARE Ultralight • Handled by tohd daemon • NFC stack in N9 fuzzed by Charlie Miller, no results. Different in Sailfish?
TOH Developer Kit: • Realize that it is useless for I2C stuff • Develop your own methodology • Where my I2C fuzzers at google? • Seems like no one has ever bothered to fuzz I2C • Start by writing the dumbest I2C fuzzer ever • Materials: • Bus Pirate (Wanted to implement on an FPGA but my VHDL/Verilog is garbage) • Logic analyzer • Jolla in Developer Mode • GDB • Python (pyBusPirate)
Jolla hacker. Read our EkoParty deck for his hardware research! • CircleCityCon crew for having us! • All of you that came to hear about an obscure Finnish phone :)