Dissecting QNX: Analyzing & Breaking Exploit Mitigations and PRNGs on QNX 6 and 7

Presentation Transcript

1. Dissecting QNX: Analyzing & Breaking Exploit Mitigations and PRNGs on QNX 6 and 7
Jos Wetzels, Ali Abbasi
Infiltrate, Miami, 2018

2. Who are we?
Jos Wetzels
- Independent Security Researcher @ Midnight Blue
- (Previously) Security Researcher @ UTwente
- This work part of MSc thesis @ TU/e
- @s4mvartaka
- http://www.midnightbluelabs.com
- http://samvartaka.github.io
Ali Abbasi
- Ph.D. Candidate @ TU/e
- Visiting Researcher @ RUB
- ICS / Embedded Binary Security
- @bl4ckic3

3. ROADMAP
- Introduction to QNX
- OS & Security Architecture Outline
- QNX PRNGs
- QNX Exploit Mitigations
- Final Remarks

4. Introduction
- UNIX-like, POSIX embedded RTOS. Initial release 1982, acquired by BlackBerry
- Closed-source, proprietary
- QNX 6.6 (March 2014): 32-bit
- QNX 7 (March 2017): 64-bit
- Mobile: BlackBerry 10, BlackBerry Tablet
- Only tip of iceberg…

5. Automotive: IVI & TCU

6. Automotive: BlackBerry Radar
- Fleet monitoring solution: trailers, flatbeds, vans, heavy equipment, …
- Provides asset tracking & telematics: cargo integrity & anti-theft, preventive maintenance, operational efficiency, …

7. Automotive: Autonomous Vehicles

8. Industrial: Nuclear HMI

9. Defense: Military Radios

10. Medical: Surgical Robots

11. Carrier Routers: Cisco IOS-XR
- E.g. CRS, 12000, ASR9000 *
* IOS-XR, Partnering with Elastic: an overview – Jose Palafox et al., 2016

12. BlackBerry QNX Hypervisor
- Safety-certified Type 1 hypervisor based on QNX Neutrino microkernel
- Hypervisor 1.0 (2015) based on 32-bit QNX SDP 6.x
- Hypervisor 2.0 (2017) based on 64-bit QNX SDP 7.0
- Hardware virtualization support (VT-x, ARMv8 virtualization)
- VirtIO guest communication

13. Many more critical systems
- Industrial Control Systems: Caterpillar Surface Mining Control, GE Mark VI Turbine Controller, Novar HVAC, Fortna Warehouse Control, Emerson Ovation DCS
- Defense & Aerospace: UAVs, Anti-Tank Guidance, Autonomous Underwater Vehicles, Aerospace System-on-Modules (SoMs), Satellite Systems
- Rail Safety (MEN MTCS)
- MPRI Cancer Therapy
- Etc.

14. What’s New?
- ‘Wheel of Fortune’ @ 33C3: PRNG issues in VxWorks, RedactedOS, QNX <= 6.6
- This talk: new QNX 7 userspace & kernelspace PRNGs; exploit mitigations in QNX 6 & 7

15. OS & Security Architecture

16. QNX Microkernel Architecture

17. QNX IPC Message Passing

18. QNX Attack Surface

19. QNX Security History
- BlackBerry Mobile Research (2011 - 2014): Alexander Antukh, Ralf-Philipp Weinmann, Daniel Martin Gomez, Zach Lanier et al.
- QNX IPC, PPS, Kernel Calls (2016): Alex Plaskett et al. *
- Various individual vulnerabilities (2000 – 2008): Anakata, Julio Cesar Fort, Tim Brown
Observations
- Lots of setuid logic bugs (ifwatchd, pppoectl)
- Lots of memory corruption (std utils, Photon GUI, PPPoEd)
- Lots of insecure permissions (ptrace, Photon, /etc/ configs)
- No prior work on exploit mitigations or PRNGs
- Almost no prior work on internals
* QNX: 99 Problems but a Microkernel ain’t one! - Alex Plaskett et al., 2016

20. QNX Boot Process
- Initial Program Loader (IPL) copies Image Filesystem (IFS) to RAM
- Startup (startup-*) program configures system (interrupt controllers, etc.)
- Microkernel (procnto) sets up kernel, runs buildfile (boot script for drivers and OS components)

21. QNX Firmware
- Various QNX OS packages (Car, Safety, Medical)
- Same Neutrino microkernel and core service binaries
- QNX images come in three flavors: OS image (IFS), flash filesystem image (EFS), embedded transaction filesystem image (ETFS)

22. QNX Firmware
- IFS + EFS + ETFS can be combined into a single image on e.g. NAND flash

23. QNX Firmware
- Dump IFS & EFS using standard QNX utilities: dumpifs, dumpefs

24. QNX Memory Layout
- Kernelspace – userspace separation: only microkernel runs in kernelspace
- Userspace separation of sensitive (OS, driver, etc.) code from regular applications
- Virtual private memory via MMU
- Unix-like process access controls

25. QNX User Management
- Typical Unix user & file permissions model
- QNX 6 hashes: SHA256, SHA512 (default)
  - But also: MD5, DES crypt, qnx_crypt (legacy QNX 4, invertible…)
  - Cracked root / maintenance password can have high shelf-life on embedded…
- QNX 7 or patched 6.6 hashes: PBKDF2-SHA256/SHA512

26. QNX Process Management
- Process Manager is combined with microkernel in procnto executable
- Runs as root with PID 1
- No special microkernel interface but has _NTO_PF_RING0 flag to call _ring0 syscall
- Support for usual POSIX stuff, uses ELF format

27. QNX Process Abilities
- procmgr_ability similar to Linux capabilities
  - Obtain capabilities before dropping root
  - Restrict actions for even root processes
- Integral to QNX ‘rootless execution’ security: principle of least privilege
- Abilities have domain (root/non-root), range (restrict values), inheritable, locked, etc.
  - E.g. PROCMGR_AID_SPAWN_SETUID with range [800, 899]
- Can specify custom abilities

28. QNX Process Abilities Limitations
- It’s not a true sandbox! Lots of rope to hang yourself with
- Some functionality uncovered by capabilities (fs, network, etc.)
- Some capabilities don’t have ranges
- Watch out with inheritability (inheritable itself): fork() ignores this, spawn() honors this
- Various capabilities can be used to elevate privileges to root
  - Some directly: PROCMGR_AID_SPAWN_SETUID
  - Some indirectly: PROCMGR_AID_INTERRUPT

29. QNX 7 Sandboxing
- Explicit sandboxing support as of QNX 7
- Handling implemented in procnto (procmgr_sandbox, procmgr_sandbox_check_path, …)
- Creation / deletion requires _PROCMGR_AID_SANDBOX ability
- Children inherit parent sandboxes, only 1 sandbox per process at a time
- Seems to support only path restrictions

30. QNX 7 Anomaly Detector (QAD)
- Training phase + monitoring phase
- Syscall components (sender + receiver IDs) hashed into normal profile, supplied with firmware
- Config file specifies monitoring targets by path, monitored upon service start
- QAD places info in PPS objects
  - Status: overall QAD status
  - PID: monitored object status (#anomalies, profile info)
- (Some) initial observations
  - We only have anomaly counts, no granular info
  - How do we determine when to act, FP/FN ratio, etc.?
  - Who monitors QAD output? How to take action?

31. QNX Anomaly Detector (QAD)
- Exploit D-Bus service on Uconnect OMAP chip
  - os.execute() command injection in LUA → maybe, if we invoked a monitored binary…
- Patch V850/FJ3 to send arbitrary CAN messages
  - modify /fs/mmc0/app/bin/hd to get V850 into update mode → maybe, if hd was monitored
  - invoke iocupdate utility → probably not, not used ‘anomalously’

32. Qnet (Native Networking / TDP)

33. Qnet Security
- Useful for e.g.
  - Inter-module communication in ICS
  - Sharing cellular modem or Bluetooth transceiver among ECUs in automotive
  - Large routers with multiple interface cards (LWM IPC in Cisco IOS-XR)
  - Distributed device sharing across guest OSes in QNX Hypervisor
- /net directory populated by discovered or mapped Qnet nodes

34. Qnet Security
- Meant to be used among ‘trusted nodes’
- No authentication, simply passes User ID as part of Qnet packet to remote machine
- Execute commands remotely over Qnet
- Compromise single QNX machine or underlying network link → access to all Qnet nodes at UID level
  - No Qnet packet integrity / authentication …
  - Forge UIDs
- mapany / maproot options to map incoming UID to low-priv UID (similar to NFS)

35. Qnet EoP Vulnerability (CVE-2017-3891)
- Read permissions of operations over Qnet are not properly resolved by resource manager
- Allows for arbitrary remote read access
- Can also be used for local arbitrary read access by making read requests originate from remote Qnet node
- Bypasses mapany / maproot
- Patch available, but Qnet security is fundamentally broken …

36. QNX Debugging
- QNX Momentics IDE integrates GDB debugger capabilities
- pdebug: process-level debugging over serial or TCP/IP
- qconn (remote IDE)
  - Starts pdebug, default port 8000
  - No authentication
  - Upload / download files, run anything as root
  - There’s a metasploit module for this
  - Couldn’t find any quick shodan / censys results

37. QNX Debugging
- dumper
  - Service that produces post-crash core dump (default in /var/dumps)
  - Directly dump running process with dumper -p <pid>
  - Nice for integration into fuzzers
- KDEBUG (gdb_kdebug)
  - Kernel debugger over serial
  - Needs to be included with IFS (not by default, may need to be built from source)
  - Needs debuggable procnto

38. QNX Shellcoding: Library Functions
- Trivial approach: just re-use library functions, speaks for itself

39. QNX Shellcoding: Self-Resolving
- No equivalent to Windows PEB/TEB/SEH approach
- Could walk stackframe chain up until __init_libc and then fiddle with offsets, but requires framepointer compliance for easy unwinding
  - Violated in most binaries already by _start
- Not worth it

40. QNX Shellcoding: Syscalls
- QNX supports minimal set of ‘native’ syscalls: threads, message passing, signals, clocks, interrupt handlers, etc.
  - QNX < 90 vs Linux > 300 syscalls
  - Prototypes in /usr/include/sys/neutrino.h
- Other POSIX syscalls implemented in libc as message passing stubs to responsible userspace process

41. QNX Shellcoding: Syscalls
- Native syscalls invoked with usual instructions: SYSENTER / INT 0x28 / SWI / SC / etc.
- Syscall # in EAX (x86), R12 (ARM), R0 (PPC)
- Listing in /usr/include/sys/kercalls.h
- Syscall entrypoint in __ker_entry / __ker_sysenter
  - Save registers
  - Switch to kernel stack
  - Get active kernel thread
  - Wait until we are on right CPU
  - Acquire kernel
  - Syscall # is index into ker_call_table

42. QNX Shellcoding: Syscalls
- If you want to do anything non-trivial, gotta do it by message-passing…
- Consider: simple execl/execve shellcode
  - execl/execve (@libc) → spawn (@libc) → MsgSendvc
  - Craft message structure in memory: proc_spawn_t
  - Craft Input/Output Vector (IOV) in memory: iov_t
  - Issue message using native syscall, e.g. eax = 0x0C → int 0x28
- Shellcode rapidly grows bulky

43. Pseudo-Random Number Generators (PRNGs)

44. QNX Security-Oriented PRNGs
- Userspace PRNG
  - Accessed through /dev/random
  - Handled by userspace service random running as root
  - Started after boot via /etc/rc.d/startup.sh
- Kernelspace PRNG (QNX 7)
  - Implemented in procnto as function named random_value
  - Cannot be accessed directly in userspace

45. QNX 6 /dev/random
- Covered this in our talk ‘Wheel of Fortune’ at 33C3, brief recap
- Underlying PRNG based on old version of Yarrow (Schneier et al.)
- Low boot-time entropy: avg. min-entropy 0.0276
- Broken reseed control
- Entropy source selection up to system integrators…

46. QNX 7 /dev/random
- Redesigned after our assessment of QNX 6 /dev/random, incorporates some of our feedback
- Uses Heimdal Fortuna implementation
- New entropy sources
- New reseed control mechanism
- Overall quality seems much better than QNX 6
- Potential for weaknesses depending on system integration conditions

47. QNX 7 /dev/random

48. QNX 7 Kernel PRNG
- QNX 7 introduced new kernel PRNG after our assessment
- Used for ASLR, stack canaries, etc.
- random_seed set via SysSrandom syscall (requires PROCMGR_AID_SRANDOM)

49. Exploit Mitigations

50. QNX Exploit Mitigations
- (Public) examples of QNX usage w/ mitigations: BlackBerry 10 OS, BlackBerry Tablet OS
- No support for:
  - Vtable protection (e.g. VTGuard, VTV)
  - CPI / CFI (e.g. CFG)
  - Kernel data / code isolation (e.g. SMAP/PAN, SMEP/PXN)
  - …

Mitigation                                   Support Since   Enabled by Default?
Data Execution Prevention (DEP)              6.3.2           ✘
Address Space Layout Randomization (ASLR)    6.5             ✘
Stack Canaries                               6.5             ✘
Relocation Read-Only (RELRO)                 6.5             ✘

51. QNX DEP
- Hardware-based DEP support (e.g. NX/XN bit)
- Insecure defaults
  - Stack always left executable
  - GNU_STACK ELF program header ignored
  - Need to specify “-m~x” in procnto startup flags to make stack non-exec
  - Problem: this is a system-wide setting, no opt-out
  - Issue still present on QNX 6 & 7

Architecture   Support
x86/x64        ✔
ARMv6+         ✔
MIPS           ✘
PPC            ~

52. QNX ASLR
- Enabled by starting procnto with “-mr” flag
- Child processes inherit parent ASLR settings
- Can be enabled/disabled on per-process basis
- Randomizes objects at base-address level
- Randomizes all memory objects except KASLR
- PIE disabled by default in toolchain, no system binaries have PIE

Memory Object        Randomized
Userspace
  Stack              ✔
  Heap               ✔
  Executable Image   ✔
  Shared Objects     ✔
  mmap()             ✔
Kernelspace
  Stack              ✔
  Heap               ✔
  Kernel Image       ✘
  mmap()             ✔

53. QNX ASLR

54. QNX ASLR – map_find_va
- (Among other things) randomizes virtual addresses returned by mmap
- Subtracts or adds a random value from/to found VA
  - Takes lower 32 bits of RNG result
  - Bitwise left-shifted by 12
  - Lower 24 bits extracted
- Contributes at most 12 bits of entropy (worse in practice)

55. QNX ASLR – stack_randomize
- Randomizes stack start address
- Subtracts random value from original SP
  - Takes lower 32 bits of RNG result
  - Bitwise left-shifted by 4
  - At most lower 11 bits extracted
- Contributes at most 7 bits of entropy (also worse in practice)
- But: is combined with result of map_find_va

56. QNX 6 ASLR – Weak RNG
- Upper bounds are actually optimistic
- QNX 6 ASLR uses weak RNG (CVE-2017-3893): ClockCycles()
  - 64-bit free-running cycle counter
  - Implementation is architecture-specific

Architecture   ClockCycles Implementation
x86            RDTSC
ARM            Emulation
MIPS           Counter Register
PPC            Time Base Facility
SuperH         TMU

57. QNX 6 ASLR – Weak RNG
- Evaluated actual entropy
  - Measured processes across boot sessions, harvested memory object addresses
  - Used NIST SP800-90B Entropy Source Testing (EST) tool to obtain min-entropy estimates
  - 256 bits of uniformly random data = 256 bits of min-entropy
- Average min-entropy: 4.47 bits
- Very weak, compare to Mainline Linux ASLR, PaX ASLR *
* 32-bit system, ASLR-NG – Ismael Ripoll-Ripoll et al., 2016
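The shift-and-mask steps on slides 54 and 55 explain why the theoretical upper bounds are 12 and 7 bits, and slide 57 shows why measured min-entropy falls far below that when the RNG behind them is a cycle counter. The following Python model is an added example written for this page; it is not code from the talk or from QNX. `map_find_va_offset` and `stack_randomize_offset` reproduce only the bit manipulation the slides describe, `entropy_upper_bound` counts the distinct offsets each can produce, and `most_common_value_min_entropy` is a simplified point-estimate version of the SP800-90B most-common-value estimator (not the full EST tool). The "weak clock" readings in `demo()` are constructed to mimic a counter sampled at almost the same moment after every boot; they are not real ClockCycles() output.

```python
import math
from collections import Counter

MASK32 = 0xFFFFFFFF


def map_find_va_offset(rng_value):
    """map_find_va as described on slide 54: take the low 32 bits of the RNG
    output, shift left by 12 and keep the low 24 bits. The result is the offset
    added to or subtracted from the virtual address the allocator found."""
    return ((rng_value & MASK32) << 12) & 0xFFFFFF


def stack_randomize_offset(rng_value):
    """stack_randomize as described on slide 55: low 32 bits, shift left by 4,
    keep at most the low 11 bits. The result is subtracted from the original SP."""
    return ((rng_value & MASK32) << 4) & 0x7FF


def entropy_upper_bound(offset_fn, rng_bits=16):
    """Entropy (bits) an offset function can contribute at most, assuming a
    perfectly uniform RNG: log2 of the number of distinct offsets it produces.
    Shift-and-mask discards all but a few low RNG bits, so sweeping 2**rng_bits
    inputs already enumerates every reachable offset."""
    distinct = {offset_fn(r) for r in range(1 << rng_bits)}
    return math.log2(len(distinct))


def most_common_value_min_entropy(samples):
    """Point estimate of min-entropy: -log2 of the most frequent value's relative
    frequency. Simplified form of the SP800-90B most-common-value estimator (no
    confidence bound); the talk's 4.47-bit figure comes from the full EST tool
    run over real harvested addresses."""
    samples = list(samples)
    counts = Counter(samples)
    p_max = counts.most_common(1)[0][1] / len(samples)
    return -math.log2(p_max)


def demo():
    """Theoretical bounds versus what a clock-like RNG actually delivers.
    The readings below are CONSTRUCTED: a cycle counter sampled at nearly the
    same moment after every boot, so only a few low bits ever differ. They are
    not QNX ClockCycles() output."""
    map_bits = entropy_upper_bound(map_find_va_offset)        # 12.0
    stack_bits = entropy_upper_bound(stack_randomize_offset)  # 7.0
    base = 0x1F3A9C00                                         # constructed counter value
    readings = [base + (i * i) % 16 for i in range(1000)]     # constructed boot-to-boot jitter
    offsets = [map_find_va_offset(r) for r in readings]
    observed = most_common_value_min_entropy(offsets)         # 2.0
    return map_bits, stack_bits, observed


if __name__ == "__main__":
    print("upper bounds (bits): map_find_va=%.1f stack_randomize=%.1f; "
          "observed with constructed weak clock RNG: %.2f" % demo())
```

The point the numbers make: even a perfect RNG cannot push `map_find_va` past 12 bits or `stack_randomize` past 7, and a counter whose low bits barely change between boots collapses the effective search space to a handful of offsets, which is the situation the 4.47-bit measurement describes.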

58. QNX 6 ASLR – Bruteforcing

59. QNX 6 ASLR – Bruteforcing

60. QNX 6 ASLR – procfs Infoleak (CVE-2017-3892)

61. QNX 6 ASLR – procfs Infoleak (CVE-2017-3892)

62. QNX 6 ASLR – LD_DEBUG Infoleak (CVE-2017-9369)

63. QNX 7 ASLR – Changes
- ASLR still disabled by default, no KASLR
- But uses kernel PRNG now (random_value) discussed earlier
- Despite new RNG and 64-bit address space, low theoretical upper bounds remain
  - 7 bits for stack_randomize
  - 12 bits for vm_region_create
  - Always loaded in lower 32 bits of address space

64. QNX 7 ASLR – Changes
- LD_DEBUG (CVE-2017-9369): fixed!
- procfs (CVE-2017-3892): not completely fixed…

65. QNX Stack Canaries
- QNX uses GCC’s Stack Smashing Protector (SSP)
- Compiler-side is what we’re used to and is ok
- OS-side implementations are custom
  - Userspace master canary generated at program startup when libc is loaded
  - Doesn’t use libssp’s __guard_setup but custom __init_cookies

66. QNX 6 SSP – Weak RNG
- Draws entropy from 3 sources
  - Two of which only relevant if ASLR enabled
  - All based on ClockCycles

67. QNX 6 SSP – Weak RNG
- Evaluated canary min-entropy over 3 configs: no ASLR; ASLR but no PIE; ASLR + PIE
- Average min-entropy: 7.79 bits
- ASLR had no noticeable influence
- Less than ideal… Using CSPRNG should have 24 bits of min-entropy… We have 32-bit canary with 1 terminator-style NULL byte

68. QNX 6 SSP – Kernelspace
- Problems even worse
- Microkernel neither loaded nor linked against libc
  - Master canary generation cannot be done by __init_cookies
- BUT: QNX forgot to implement replacement master canary generation routine
- So kernelspace canaries are used, but never actually generated… Always 0x00000000

69. QNX 7 SSP – Changes
- Enabled by default! Generates 64-bit canaries
- For userspace QNX mixes in AUXV(AT_RANDOM) value with _init_cookies stuff
  - Based on our best-practice suggestions to BlackBerry
  - ELF auxiliary vector transfers kernel info to user process upon startup
  - AT_RANDOM (0x2B) is 64-bit value from kernel PRNG
- For kernelspace QNX concats two 32-bit kernel PRNG values during early boot

70. Relocation Read-Only (RELRO)
- Dynamically linked binaries use relocation to do runtime lookup of symbols in shared libraries
  - .got: holds offsets
  - .plt: holds code stubs that look up addresses in .got.plt
  - .got.plt: holds target addresses after relocation
- Relocation data is popular target for overwriting to hijack control-flow
- Partial RELRO
  - Reorder ELF sections so internal data (.got, .dtors, …) precedes program data (.data, .bss)
  - Relocation data is made read-only (covered by GNU_RELRO segment) after relocation, PLT GOT still writable
- Full RELRO
  - Lazy binding disabled with BIND_NOW flag
  - PLT GOT is then also read-only

71. QNX 6 Broken RELRO (CVE-2017-3893)
- Debian: GNU_RELRO: [0x08049ED8, 0x8049FFF] (includes .got)

72. QNX 6 Broken RELRO (CVE-2017-3893)
- QNX 6: GNU_RELRO: [0x08049F2C, 0x8049FFF] (doesn’t include .got because of linker section reordering flaw)
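Slides 70 to 72 define RELRO in terms of whether the GNU_RELRO segment actually spans .got (and, for full RELRO, .got.plt), and the two address ranges quoted above are the kind of thing a reviewer compares by hand with readelf. The following Python checker is an added example written for this page, not code from the talk, from QNX or from any ELF library: it parses the program and section headers of a little-endian ELF32 image and reports whether .got and .got.plt fall inside GNU_RELRO, flagging the "segment present but .got outside it" case the QNX 6 linker produced. Since no real binary can ship with this page, `build_test_elf` constructs a minimal synthetic ELF32 image; the GNU_RELRO ranges fed to it are the ones on slides 71 and 72, while the .got and .got.plt placements are constructed assumptions chosen to sit inside the Debian range and outside the QNX 6 range.

```python
import struct

PT_GNU_RELRO = 0x6474E552  # program header type of the GNU_RELRO segment


def parse_elf32(data):
    """Return (program_headers, sections) from a little-endian ELF32 image.
    program_headers: list of (p_type, p_vaddr, p_memsz); sections: {name: (start, end)}."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("not a little-endian ELF32 image")
    # e_phoff, e_shoff, skip e_flags/e_ehsize, then phentsize, phnum, shentsize, shnum, shstrndx
    (e_phoff, e_shoff, e_phentsize, e_phnum,
     e_shentsize, e_shnum, e_shstrndx) = struct.unpack_from("<II4x2xHHHHH", data, 28)
    phdrs = []
    for i in range(e_phnum):
        p_type, _off, p_vaddr, _paddr, _filesz, p_memsz, _flags, _align = \
            struct.unpack_from("<8I", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_vaddr, p_memsz))
    shdrs = [struct.unpack_from("<10I", data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    strtab = shdrs[e_shstrndx][4]  # sh_offset of the section-name string table
    sections = {}
    for sh_name, _type, _flags, sh_addr, _off, sh_size, *_ in shdrs:
        end = data.index(b"\0", strtab + sh_name)
        name = data[strtab + sh_name:end].decode()
        if name:
            sections[name] = (sh_addr, sh_addr + sh_size)
    return phdrs, sections


def relro_report(data):
    """Classify RELRO coverage as slides 70-72 describe it:
    'none'    - no GNU_RELRO segment at all
    'broken'  - segment present but .got lies (partly) outside it (the QNX 6 case)
    'partial' - .got covered, .got.plt still writable
    'full?'   - .got.plt covered as well; DT_BIND_NOW is not parsed here, confirm it separately."""
    phdrs, sections = parse_elf32(data)
    relro = [(va, va + sz) for t, va, sz in phdrs if t == PT_GNU_RELRO]
    if not relro:
        return {"relro": None, "covered": {}, "status": "none"}
    lo, hi = relro[0]
    covered = {name: lo <= s and e <= hi
               for name, (s, e) in sections.items() if name in (".got", ".got.plt", ".dtors")}
    if ".got" in covered and not covered[".got"]:
        status = "broken"
    elif covered.get(".got.plt"):
        status = "full?"
    else:
        status = "partial"
    return {"relro": (lo, hi), "covered": covered, "status": status}


def build_test_elf(relro_start, relro_end,
                   got=(0x08049F10, 0x08049F2C), got_plt=(0x0804A000, 0x0804A020)):
    """CONSTRUCTED test data, not a real binary: a minimal ELF32 image with one
    PT_GNU_RELRO segment [relro_start, relro_end) and .got/.got.plt sections at the
    given (assumed) virtual addresses, plus the .shstrtab needed to name them."""
    shstrtab = b"\0.got\0.got.plt\0.shstrtab\0"
    names = {".got": 1, ".got.plt": 6, ".shstrtab": 15}   # offsets into shstrtab
    ehdr_size, phdr_size, shdr_size = 52, 32, 40
    phoff = ehdr_size
    stroff = phoff + phdr_size
    shoff = stroff + len(shstrtab)
    shoff += (-shoff) % 4                                  # align section header table
    shdrs = [
        (0, 0, 0, 0, 0, 0, 0, 0, 0, 0),                                            # SHN_UNDEF
        (names[".got"], 1, 3, got[0], 0, got[1] - got[0], 0, 0, 4, 4),             # SHT_PROGBITS
        (names[".got.plt"], 1, 3, got_plt[0], 0, got_plt[1] - got_plt[0], 0, 0, 4, 4),
        (names[".shstrtab"], 3, 0, 0, stroff, len(shstrtab), 0, 0, 1, 0),          # SHT_STRTAB
    ]
    ehdr = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8   # ELFCLASS32, little-endian
    ehdr += struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, phoff, shoff, 0,
                        ehdr_size, phdr_size, 1, shdr_size, len(shdrs), 3)
    size = relro_end - relro_start
    phdr = struct.pack("<8I", PT_GNU_RELRO, 0, relro_start, relro_start, size, size, 4, 1)
    img = ehdr + phdr + shstrtab
    img += b"\0" * (shoff - len(img))
    for s in shdrs:
        img += struct.pack("<10I", *s)
    return img


if __name__ == "__main__":
    # GNU_RELRO ranges from slides 71/72 (inclusive end 0x8049FFF written as exclusive 0x0804A000)
    for label, start in (("Debian", 0x08049ED8), ("QNX 6", 0x08049F2C)):
        print(label, relro_report(build_test_elf(start, 0x0804A000)))
```

Run against the two constructed images, the Debian-style range reports `partial` with .got covered, and the QNX 6 range reports `broken` because .got begins before the segment. On a real binary the same function runs over `open(path, "rb").read()`; a `full?` verdict still has to be confirmed by checking the dynamic section for BIND_NOW, which this example deliberately leaves out.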

73. QNX 6 RELRO
- Also found a local bypass
  - LD_DEBUG=imposter allows us to disable RELRO without privilege checks
  - Nice for exploiting setuid binaries
- Both issues are fixed with patches for QNX 6.6 and in QNX 7

74. Final Remarks

75. Patches
- Disclosed all issues to BlackBerry
- Most issues fixed in 7.0, patches for 6.6 available for some issues *
- Will take (lots of) time before patches filter down to OEMs & end-users…
* http://support.blackberry.com/kb/articleDetail?articleNumber=000046674, http://www.qnx.com/download/group.html?programid=26071

Component   Issue                                    Affected
DEP         Insecure Defaults                        <= 7.0
ASLR        Weak RNG (CVE-2017-3893)                 <= 6.6 **
ASLR        procfs infoleak (CVE-2017-3892)          <= 7.0
ASLR        LD_DEBUG infoleak (CVE-2017-9369)        <= 7.0
SSP         Weak RNG                                 <= 6.6
SSP         No kernel canaries                       <= 6.6
RELRO       Broken implementation (CVE-2017-3893)    <= 6.6
RELRO       LD_DEBUG bypass                          <= 6.6
RNGs        Weak /dev/random                         <= 6.6
RNGs        No kernel PRNG                           <= 6.6
** Effectiveness still limited by low entropy upper bounds

76. Conclusions
- Mostly ok on toolchain side: some weak defaults, some linker mistakes
- Problems reside on OS-side
  - QNX cannot benefit directly from work in GP OS security because not easy to port 1-to-1
  - Result: homebrew DIY mitigations
- Lack of prior attention by security researchers is evident: vulns that feel like they’re from the early ‘00s
- Embedded RNG design remains difficult: entropy issues mean design burden rests with system integrators

77. Conclusions
- QNX attempts to keep up with GP OS security
  - One of the few non-Linux/BSD/Windows based embedded OSes with any exploit mitigations
  - See ‘The RTOS Exploit Mitigation Blues’ @ Hardwear.io 2017
- Quick & extensive vendor response, integration of feedback
- Need more attention to embedded OS security in general

78. Questions?
See ‘Dissecting QNX’ whitepaper
@s4mvartaka, j.wetzels@midnightbluelabs.com, www.midnightbluelabs.com
@bl4ckic3, ali@ali.re