Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

DEEPSEC: Windows Pwn 7 OEM – Owned Every Mobile?

Windows Pwn 7 OEM – Owned Every Mobile?

Alex Plaskett

Windows Phone 7 is new to the market and has thus not been as widely tested as Android and iOS alternatives. This talk seeks to give an overview of the platform and some security issues.

< Full slides from the Bluehat version of this presentation are available here >

< What follows are notes from the presentation incase they differ from the previously presented information >

Windows Phone OS 7

Same base OS across all OEM phones. However OEMs are permitted to make changes and give them the ability to customise the systems.

Windows Phone 7 is meant to be a closed platform. Changes to the underlying OS aren’t meant to be made by the user, and thus are undocumented.

  • Custom Windows CE 6/7
  • Arm v7 processor
  • 32bit platform

Application Model

  • No native code for 3rd party developers
  • Third party apps are C# Silverlight/XNA Framework .NET CLR
  • Applications require to be signed
  • No side loading
  • Marketplace validation

Security features

Chamber based security model

Dynamic Capabilities (LPC Chamber)

WPManifest.xml

  • ID_CAP_CAMERA
  • ID_CAP_INTEROPSERVICES
  • ID_CAP_….

Code Signing (LPC)

  • In ROM binaries implicitly trusted
  • Any further binaries require signing
  • Exception is developer unlocked devices
Policy files contain a hash of the signing certificate. If validates this grants the application LV_ACCESS_EXECUTE

Loader Verifier Module (LVMOD)

  • Kernel Based Module (TCB)
  • Authentication and Authorisation
  • Policy Framework
  • Code Signing
  • accountdb.vol
Controls all authentication and authorisation on the device.

Policy Framework

  • XML based
  • Module Policy XML Combined
  • Centralised policydb.vol database
  • TCB Protected

Exploit Mitigation

  • ASLR (Address Space Layout Randomization)
  • XN (Execute Never)

WP7 Exploit Development

Crash dumps don’t provide much information (128k of data). It’s also not easy to access the dump files as they’re stored in a location not accessible from within the sandbox. By abusing the ID_CAP_INTERSERVICES it’s possible to use OEM device drivers to access the underlying filesystem.
As WP7 implements ASLR and NX, a vulnerability is required to gain code execution inside the least privilege sandbox. A further exploit is needed to gain full permissions and access to the really interesting data.

Other platform OEM Vulnerabilities

By examining bugs in other platforms that were introduced by OEMs it can be seen the OEMs elevated privileges to phones has caused bugs in the past.

  • Android
    • HTC Browser INSTALL permissions
    • HTC Sound Recorder
    • HTC Logger
  • iPhone / Blackberry
    • N/A (no OEM)

Vulnerabilities

  • Device Fingerprinting
    • Simple User-Agent detection
    • HTC; HD7…..
    • UA-CPU: ARM
  • Browser Exploitation
    • Not patched currently (details will be released with patch)
  • Requires ASLR/XN bypass for arbitrary code
  • Stuck in LPC Chamber
  • OEM Introduced issue with ID_CAP_INTEROPSERVICES
    • Used to access drivers and services
    • Undocumented
    • Microsoft.Phone.InteropServices.dll
    • WPInteropManifest.xml
  • Device Driver Vulnerability
  • Samsung device driver that grants arbitrary read/write to kernel memory
    • Bypass TCB (Trusted Computing Base)
    • Patch system call handlers to point to attacker controlled code
  • Samsung PROVXML directory traversal vulnerability
    • Write to a directory you have write access to
    • Can’t create new processes
  • Samsung driver for creating new processes
    • OEM functionality
    • Fake certs
    • Fake signatures
    • Backdoor

Mango and Onwards

  • Patches some of these issues
  • Still allows OEMs to bypass the security model
Links :
  • Windows Pwn 7 OEM – Owned Every Mobile? –> Overview
  • Blue Hat v11 Technical – Windows Pwn 7 OEM Slides –> PDF
Advertisements

2 responses to “DEEPSEC: Windows Pwn 7 OEM – Owned Every Mobile?

  1. Pingback: First Press Coverage of DeepSec 2011 –

  2. Pingback: Pwn2Own 2012 Gets Serious About Security Vulnerabilities « NetSecurityIT

%d bloggers like this: