DEEPSEC: Windows Pwn 7 OEM – Owned Every Mobile?
November 17, 2011
Posted by on
Windows Pwn 7 OEM – Owned Every Mobile?
Windows Phone 7 is new to the market and has thus not been as widely tested as Android and iOS alternatives. This talk seeks to give an overview of the platform and some security issues.
< Full slides from the Bluehat version of this presentation are available here >
< What follows are notes from the presentation incase they differ from the previously presented information >
Windows Phone OS 7
Same base OS across all OEM phones. However OEMs are permitted to make changes and give them the ability to customise the systems.
Windows Phone 7 is meant to be a closed platform. Changes to the underlying OS aren’t meant to be made by the user, and thus are undocumented.
- Custom Windows CE 6/7
- Arm v7 processor
- 32bit platform
- No native code for 3rd party developers
- Third party apps are C# Silverlight/XNA Framework .NET CLR
- Applications require to be signed
- No side loading
- Marketplace validation
Chamber based security model
Dynamic Capabilities (LPC Chamber)
Code Signing (LPC)
- In ROM binaries implicitly trusted
- Any further binaries require signing
- Exception is developer unlocked devices
Policy files contain a hash of the signing certificate. If validates this grants the application LV_ACCESS_EXECUTE
Loader Verifier Module (LVMOD)
- Kernel Based Module (TCB)
- Authentication and Authorisation
- Policy Framework
- Code Signing
Controls all authentication and authorisation on the device.
- XML based
- Module Policy XML Combined
- Centralised policydb.vol database
- TCB Protected
- ASLR (Address Space Layout Randomization)
- XN (Execute Never)
WP7 Exploit Development
Crash dumps don’t provide much information (128k of data). It’s also not easy to access the dump files as they’re stored in a location not accessible from within the sandbox. By abusing the ID_CAP_INTERSERVICES it’s possible to use OEM device drivers to access the underlying filesystem.
As WP7 implements ASLR and NX, a vulnerability is required to gain code execution inside the least privilege sandbox. A further exploit is needed to gain full permissions and access to the really interesting data.
Other platform OEM Vulnerabilities
By examining bugs in other platforms that were introduced by OEMs it can be seen the OEMs elevated privileges to phones has caused bugs in the past.
- HTC Browser INSTALL permissions
- HTC Sound Recorder
- HTC Logger
- iPhone / Blackberry
- Device Fingerprinting
- Simple User-Agent detection
- HTC; HD7…..
- UA-CPU: ARM
- Browser Exploitation
- Not patched currently (details will be released with patch)
- Requires ASLR/XN bypass for arbitrary code
- Stuck in LPC Chamber
- OEM Introduced issue with ID_CAP_INTEROPSERVICES
- Used to access drivers and services
- Device Driver Vulnerability
- Samsung device driver that grants arbitrary read/write to kernel memory
- Bypass TCB (Trusted Computing Base)
- Patch system call handlers to point to attacker controlled code
- Samsung PROVXML directory traversal vulnerability
- Write to a directory you have write access to
- Can’t create new processes
- Samsung driver for creating new processes
- OEM functionality
- Fake certs
- Fake signatures
Mango and Onwards
- Patches some of these issues
- Still allows OEMs to bypass the security model
- Windows Pwn 7 OEM – Owned Every Mobile? –> Overview
- Blue Hat v11 Technical – Windows Pwn 7 OEM Slides –> PDF