Post on 01-Jan-2016
description
Defcon 14 - Las Vegas, NV USA 2006
Blackjacking –0wning the Enterprise via Blackberry
Jesse ‘x30n’ D’Aguanno•x30n@digrev.org•jesse@praetoriang.net
Defcon 14 - Las Vegas, NV USA 2006 2
Hello, My name is…
$ whois x30n– Founder / Director Prof Services
• Praetorian Global, LLC
http://www.praetoriang.net
– Member / Team Captain• Digital Revelation – Security Research Group & 2 time
winners, Defcon CTF
http://www.digrev.org
Blackjacking – 0wning the Enterprise via Blackberry
Defcon 14 - Las Vegas, NV USA 2006 3
Who uses Blackberry?• Who doesn’t?
• Market share lead for handhelds.– Gartner
• “Government workers and emergency personnel would be exempt from a possible shutdown”– Computerworld
Blackjacking – 0wning the Enterprise via Blackberry
Defcon 14 - Las Vegas, NV USA 2006 4
The “solution” – Background
• Typical Corporate Blackberry Installation
Blackjacking – 0wning the Enterprise via Blackberry
RIM Net
Internet
Internal LAN
Blackberry
`
User’s Workstation
App Serv
MS Exchange
BES
Wireless Providers
Blackberry Blackberry
Blackberry Blackberry
USB
Defcon 14 - Las Vegas, NV USA 2006 5
The “solution” – Background
• Outgoing BES to RIM connection
Blackjacking – 0wning the Enterprise via Blackberry
RIM Net
Internet
Internal LAN
MS Exchange
BES
Wireless Providers
Blackberry
Outbound TCP ConnectionBES to RIM
Defcon 14 - Las Vegas, NV USA 2006 6
The “solution” – Background
• Persistent Tunnel – BES and RIM
RIM Net
Internet
Internal LAN
MS Exchange
BES
Wireless Providers
Blackberry
Persistent Tunnel BetweenYour BES and RIM
Blackjacking – 0wning the Enterprise via Blackberry
Defcon 14 - Las Vegas, NV USA 2006 7
The “solution” – Background
• Persistent Tunnel – BES and BB Device
Blackjacking – 0wning the Enterprise via Blackberry
RIM Net
Internet
Internal LAN
MS Exchange
BES
Wireless Providers
Blackberry
Persistent Tunnel Between
Your BES and BB Device
Defcon 14 - Las Vegas, NV USA 2006 8
RIM Net
Internet
Internal LAN
MS Exchange10.1.1.10
Wireless Providers
Blackberry
Persistent Tunnel Between
Your BES and BB Device
Blackberry
BES / MDS10.1.1.12
App Serv10.1.1.20
The “solution” – Background
• BB device now virtually on internal network
Defcon 14 - Las Vegas, NV USA 2006 9
The “solution” - Review
• BES / MDS creates outbound, persistent connection to RIM network
• Blackberry device then virtually placed on internal network (Wherever BES / MDS exists)
• “always-on always connected”
• Wireless carrier independent
Defcon 14 - Las Vegas, NV USA 2006 10
Problem with “solution”
• Attitude of handhelds– Only security of data on handheld usually
considered– Not impact of handheld on rest of network
• Blackberries are computers with constant connection to corporate LAN
• Not treated like other remote access. i.e. VPN / Dial-in
Defcon 14 - Las Vegas, NV USA 2006 11
Problem with “solution”
• Guess what, we can exploit this problem!
• Enter BBProxy…
Defcon 14 - Las Vegas, NV USA 2006 12
Step 1 – External Connection
• Create an outbound socket connection from Blackberry device to attacker controlled host on the internet.
Defcon 14 - Las Vegas, NV USA 2006 13
Step 1 – External Connection
Internet
Internal LAN
Blackberry
App Serv
MS Exchange
Attacker Host
Outbound Connection via MDS
Defcon 14 - Las Vegas, NV USA 2006 14
Step 2 – Secondary Connection
• From attacker controlled host, we then initiate a subsequent socket connection to a second host – including internal hosts.
Defcon 14 - Las Vegas, NV USA 2006 15
Step 2 – Secondary Connection
Internet
Internal LAN
Blackberry
App Serv
Attacker Host
Outbound Connection via MDS
Secondary Connection
Defcon 14 - Las Vegas, NV USA 2006 16
Step 3 – Proxy connection between external and internal host
• Blackberry then proxies all data between hosts.
Defcon 14 - Las Vegas, NV USA 2006 17
Step 3 – Proxy connection between external and internal host
Internet
Internal LAN
Blackberry
App Serv
Attacker Host
Proxy ConnectionExternal Host to
Internal Host
Defcon 14 - Las Vegas, NV USA 2006 18
BBProxy
• Sweet! So now we can directly communicate with any port on an internal host from an external host – Right through our little blackberry handheld.
Defcon 14 - Las Vegas, NV USA 2006 19
Demo -
• Let’s check it out…
• Interaction with internal service
Defcon 14 - Las Vegas, NV USA 2006 20
Demo -
Internet
Internal LAN
Blackberry
Internal ServerBehind Firewall
External Host
Interaction w /Internal service e .gTelnet , WWW , etc .
Defcon 14 - Las Vegas, NV USA 2006 21
BBProxy
• OK, cool, we can now telnet to an internal box or ssh or even grab intranet sites.
• But can we do anything cooler?
• This is Defcon… Aren’t we going to attack something? OF COURSE!
Defcon 14 - Las Vegas, NV USA 2006 22
Metasploit!
• Enter Metasploit…
• “Point Click Root”… “Now with Blackberry flavor!”TM
• C’est impossible!
Defcon 14 - Las Vegas, NV USA 2006 23
Metasploit!
• Top level (“listener”) function added to metasploit to create a listening socket on port 1455 (default)
• When a connection is received, verifies BBProxy handshake
• Once connected, the connection is available to any exploit within the framework… Just need to call it.
Defcon 14 - Las Vegas, NV USA 2006 24
Demo -
• Let’s do it…
• Exploitation of Vulnerable service behind corporate firewall…
Defcon 14 - Las Vegas, NV USA 2006 25
Demo -
Internet
Internal LAN
Blackberry
Vulnerable ServerBehind on LAN
Attacker HostWith Metasploit
Attack vulnerableservice on internal host
Defcon 14 - Las Vegas, NV USA 2006 26
Metasploit! – Porting an exploit
• Very easy to plug-in to usable exploits
• Let’s walk through one…
– msasn1_ms04_007_killbill.pm
Defcon 14 - Las Vegas, NV USA 2006 27
Metasploit! – Porting an exploit• Patch msasn1_ms_04_007_killbill
exploit@@ -93,7 +93,8 @@ my $target_idx = $self->GetVar('TARGET'); my $target_app = $self->GetVar('PROTO'); my $shellcode = $self->GetVar('EncodedPayload')->Payload;- my $target = $self->Targets->[$target_idx];+ my $target = $self->Targets->[$target_idx];+ my $s = $self->GetVar('PROXYCONN');
– Here we set $s to the value of the global variable PROXYCONN (Our proxy connection)
Defcon 14 - Las Vegas, NV USA 2006 28
Metasploit! – Porting an exploit
• Patch msasn1_ms_04_007_killbill exploit $self->PrintLine("[*] Attempting to exploit target " . $target->[0]);
@@ -124,17 +125,34 @@ "\x08\x00\xeb\xfe";
my $token = SPNEGO::token($stage0, $shellcode);- my $sock = Msf::Socket::Tcp->new- (- 'PeerAddr' => $target_host,- 'PeerPort' => $target_port,- 'SSL' => $self->GetVar('SSL'),- );-- if ($sock->IsError) {- $self->PrintLine("[*] Could not connect: ".$sock->GetError());- return;- }
– We remove the standard socket build stuff
Defcon 14 - Las Vegas, NV USA 2006 29
Metasploit! – Porting an exploit
+ if (!$s) {+ my $s = Msf::Socket::Tcp->new+ (+ 'PeerAddr' => $target_host,+ 'PeerPort' => $target_port,+ 'SSL' => $self->GetVar('SSL'),+ );++ if ($s->IsError) {+ $self->PrintLine('[*] Error creating socket: ' . $s-
>GetError);+ return;+ }+ } else {+ $s = $s;+ }
– And only do it if PROXYCONN wasn’t set
Defcon 14 - Las Vegas, NV USA 2006 30
Metasploit! – Porting an exploit
+
+ my $sock = $s;
+ $sock->Send($target_host.":".$target_port."\n");
– Otherwise use our previous proxy connection and send the appropriate string to start the subsequent connection
Defcon 14 - Las Vegas, NV USA 2006 31
Metasploit! – Porting an exploit+ sleep(2);+ print $sock->Recv();+ sleep(2);+
– Sleep a bit to allow the second connection to be established, then do it!
if ($target_app eq 'http') { return $self->ExploitIIS($sock, $token);@@ -176,7 +194,7 @@ if ($resp =~ /0x80090304/) { $self->PrintLine("[*] Server responded with error code 0x80090304"); }-+ sleep(10); $self->Handler($sock); $sock->Close; return;
Defcon 14 - Las Vegas, NV USA 2006 32
Metasploit – Current Limitations
• Use with current BBProxy limited to tcp based exploits – won’t require much to allow udp
• Reliable exploitation with “vanilla” tcp connections – Problems encountered with some RPC and special protocol exploits.
• Plan to rework to remove these limitations
Defcon 14 - Las Vegas, NV USA 2006 33
IDS evasion goodness
• Each newer device has onboard tcp/ip stack
• No need for MDS to make connection
• Simple to choose connection type in code– “deviceside=‘true’” or “deviceside=‘false’” in
connection string• First connection from device side (Direct from
carrier network). Second connection through MDS…
• Nothing on the border can see our traffic (It’s all encrypted by RIM’s tunnel )
Defcon 14 - Las Vegas, NV USA 2006 34
IDS evasion goodness
CarrierNetwork
Internet
Attacker controlledbox
Wireless Providers Blackberry
First Connection
Defcon 14 - Las Vegas, NV USA 2006 35
IDS evasion goodness
RIM Net
Internet
Internal LAN
VulnerableServer
Blackberry
Blackberry
Virtual Tunnel
Second (Exploit )Connection
Defcon 14 - Las Vegas, NV USA 2006 36
IDS evasion goodness
CarrierNetwork
RIM Net
Internet
Internal LAN
VulnerableServer
Attacker controlledbox
Wireless Providers Blackberry
Blackberry
Virtual Tunnel
Second (Exploit )Connection
BES/MDS
EncryptedPersistent Tunnel
First Connection
Defcon 14 - Las Vegas, NV USA 2006 37
IDS evasion goodness
• Just like…
Internet
Internal LAN
VulnerableServer
Firewall / IDSSees nothing
Attacker controlledbox
`
First Ethernet Connection
Second Ethernet Connection
Defcon 14 - Las Vegas, NV USA 2006 38
Else
• Problem– BBProxy requires control of device (Interactive
app)
• Solution– First and only blackberry trojan (That I know of)!
Defcon 14 - Las Vegas, NV USA 2006 39
Trojan – Hot Game 2006
• Same functionality as BBProxy
• User only sees game interface (TicTacToe)
• Over the air download!
• Easily integrated with other network discovery functions and more covert methods of control (IRC, etc.)
Defcon 14 - Las Vegas, NV USA 2006 40
Demo -
• Let’s do it…
• Exploitation of Vulnerable service behind corporate firewall while user plays TicTacToe
Defcon 14 - Las Vegas, NV USA 2006 41
Code Signatures
• RIM requires code (.cod) to be signed with RIM assigned private key to use proprietary APIs, network access without confirmation, etc.
• $100 USD processing fee to verify identity of signature requestor
• Credit card name and address used for verification of ID
Defcon 14 - Las Vegas, NV USA 2006 42
Code Signatures – Prepaid Credit Cards!
• Prepaid CCs allow online transactions by ignoring the name and address fields
• No need to steal credit card number
• Widely available in mini markets and grocery stores everywhere
• Works!
Defcon 14 - Las Vegas, NV USA 2006 43
Review
• We can talk to hosts behind the corporate firewall
• We can attack them
• We can subvert IDS or data logging
• We can do it in a trojan
• We can sign our trojan anonymously and use all APIs
• It gets worse! (or maybe better…)
Defcon 14 - Las Vegas, NV USA 2006 44
Device Provisioning
• Ease of use vs. Security always a fight– Ease of use wins!
• Extremely easy to add a new device – just plug it in…
• New device is then provisioned for use on the BES
Defcon 14 - Las Vegas, NV USA 2006 45
Blackjacking – Hijacking blackberry connection
• BB devices are identified by their unique PIN
• Blackberry user plugs in new device to PC
• New PIN is recognized
• Encryption keys are generated and stored on BB handheld
Defcon 14 - Las Vegas, NV USA 2006 46
Blackjacking – Hijacking blackberry connection
• Device PIN and new key pushed to Exchange via MAPI
• Info stored in “BlackberryHandheldInfo” folder in users mailbox
• New device is now routing through MDS
• This can be automated!
Defcon 14 - Las Vegas, NV USA 2006 47
Blackjacking – Hijacking blackberry connection
• Work in progress…– Trojan to automate BB hijack process– Utilizing other delivery mechanisms– Everything else…
Check www.praetoriang.net or www.digrev.org for updates.
Defcon 14 - Las Vegas, NV USA 2006 48
References
• Code and Updated Slides can be found at http://www.praetoriang.net/presentations/blackjack
or
http://www.digrev.org/blackjack
• http://www.blackberry.com/security
Defcon 14 - Las Vegas, NV USA 2006 50
Thanks / Greetings…
• Digital Revelation (DigRev)
• Pablo_marx
• FX
• Ian Robertson (RIM)