2012-09-19 09:21:29

By Tim Brown

Disclaimer: I've only had a brief look at 1.x so far and only under VMware. I do have a PlayBook which I'll be breaking in due course but right now it's still in the box. These notes have been floating around in one form or another privately for a while but I wanted to commit them publicly since I'm not sure when I will find time to continue playing.

So I installed the RIM PlayBook simulator (a VMware image) to have a play. It's basically an updated release of QNX. Some notes:

I rooted it by uploading a binary as devuser and then modifying the inetd.conf to enable execution as root when you hit the telnet port. I needed to do this from outside of the simulator (there's no blessed way to get root). Anyway, once this had been done I was able to poke around some more. I needed a more complete UNIX tool chain (gdb etc.) so I copied them from QNX.

Opening more than 19 browser tabs causes it to crash. I have yet to find out why, since the PlayBook doesn't like QNX's gdb, at least for the processes I've tried to debug so far :(

There are four setuid bins:

  • -rwsr-x--x 1 root nto 45188 Jun 27 2011 /base/usr/bin/ping
  • -rwsr-x--x 1 root nto 58236 Jun 23 2011 /base/usr/bin/ping6
  • -rwsr-x--x 1 root nto 45676 Jun 23 2011 /base/usr/bin/traceroute
  • -rwsr-x--x 1 root nto 40472 Jun 23 2011 /base/usr/bin/traceroute6

And some listening processes:

  • tcp 0 0 *.4455 *.* LISTEN
  • tcp 0 0 *.443 *.* LISTEN
  • tcp 0 0 *.80 *.* LISTEN

The following ports are opened after you run /opt/bbndk-1.0/host/linux/x86/usr/bin/blackberry-connect 172.16.98.146 -password <devicepassword> -sshPublicKey <publickeyfordevuser>

  • tcp 0 0 *.22 *.* LISTEN
  • tcp 0 0 *.8000 *.* LISTEN
  • tcp6 0 0 *.22 *.* LISTEN

As NGS pointed out, it's possible to browse the filesystem. NGS neglected to say how in their white paper, but it's very easy: just use file: URLs from the browser. For NGS 0day number 2, use .. to traverse the file system.

If you enable Web Inspector (the DOM debugger that comes with WebKit browsers), the browser will first prompt for a password and then offer to open 127.0.0.1 and ::1 1337/tcp. However, my nmap results show that the port is actually open on all interfaces.
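The mismatch above (a UI that claims a loopback-only listener while the socket is actually bound to every interface) is the kind of thing worth checking mechanically on any device you assess. The script below is an added example, not code from the original post: it parses netstat output in the BSD/QNX style shown earlier in these notes (`*.port` meaning bound to all interfaces), lists wildcard listeners, and flags any port that was expected to be loopback-only but is reachable more widely. The sample netstat lines are constructed from the listings in this post plus one made-up loopback entry on port 5000.

```python
import ipaddress
from typing import Iterable, List, NamedTuple, Set, Tuple

class Listener(NamedTuple):
    proto: str   # tcp / tcp6 / udp ...
    addr: str    # "*" for wildcard, otherwise the bound IP
    port: int

# Constructed sample: the PlayBook listeners from these notes, the Web
# Inspector port 1337 as nmap actually saw it (wildcard), and one made-up
# loopback-only service on 5000 for contrast.
SAMPLE_NETSTAT = """\
tcp 0 0 *.4455 *.* LISTEN
tcp 0 0 *.443 *.* LISTEN
tcp 0 0 *.80 *.* LISTEN
tcp 0 0 *.22 *.* LISTEN
tcp 0 0 *.8000 *.* LISTEN
tcp6 0 0 *.22 *.* LISTEN
tcp 0 0 *.1337 *.* LISTEN
tcp 0 0 127.0.0.1.5000 *.* LISTEN
"""

def parse_listeners(text: str) -> List[Listener]:
    """Extract LISTEN sockets from BSD-style netstat output.

    The local address column is "host.port"; the host part may itself
    contain dots (IPv4) or colons (IPv6), so split on the last dot only.
    """
    result: List[Listener] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[-1] != "LISTEN":
            continue
        proto, local = fields[0], fields[3]
        host, sep, port = local.rpartition(".")
        if not sep or not port.isdigit():
            continue
        result.append(Listener(proto, host, int(port)))
    return result

def is_loopback(addr: str) -> bool:
    """True only for a real loopback address; "*" is never loopback."""
    if addr == "*":
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def wildcard_ports(text: str) -> Set[int]:
    """Ports bound on every interface, regardless of protocol family."""
    return {l.port for l in parse_listeners(text) if l.addr == "*"}

def exposed_ports(text: str, expected_loopback: Iterable[int]) -> List[Tuple[str, int]]:
    """Listeners that should have been loopback-only but are bound wider.

    This is the check that would have caught the 1337/tcp discrepancy:
    compare what the software says it does against what the kernel reports.
    """
    wanted = set(expected_loopback)
    return sorted(
        (l.proto, l.port)
        for l in parse_listeners(text)
        if l.port in wanted and not is_loopback(l.addr)
    )

if __name__ == "__main__":
    print("wildcard listeners:", sorted(wildcard_ports(SAMPLE_NETSTAT)))
    print("unexpectedly exposed:", exposed_ports(SAMPLE_NETSTAT, {1337, 5000}))
```

On a real device you would feed it the output of `netstat -an` (or the equivalent on the platform) and the list of ports the vendor documents as local-only; anything returned by `exposed_ports` is a finding to confirm with an external port scan, as was done here with nmap.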

I was also able to make the browser crash and/or hang by browsing to http://127.0.0.1:1337/inspector.html?page=<badvalue>. Again without a working gdb it's difficult to know exactly what is happening.

ASLR gives 16 bits of entropy for addresses (the top 4 bits are 0 and the last 12 are always the same for a given relative position). LD_DEBUG=all still works, which may help a little in exploit writing in the absence of a working gdb. I also found that /scripts/dumplog.sh will list debug logs and identify any core files since last boot.
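The 16-bit figure above is the sort of thing you measure rather than eyeball: collect the load address of the same object across many runs and count which bits ever change. The following is an added example, not code from the post, that does exactly that measurement. It assumes a 32-bit address space, and because the post gives no raw address samples, it generates constructed addresses with the layout described here (top 4 bits zero, low 12 bits fixed) so the measurement can be demonstrated offline; on a real device you would replace the simulated samples with addresses recorded from repeated runs.

```python
import random
from typing import Dict, Iterable, List

WORD_BITS = 32                       # assumption: 32-bit PlayBook address space
WORD_MASK = (1 << WORD_BITS) - 1

def varying_bits(addresses: Iterable[int]) -> int:
    """Mask of address bits that take both values across the samples.

    A bit contributes no entropy if it is 1 in every sample or 0 in every
    sample; everything else is randomised by ASLR.
    """
    addrs = list(addresses)
    if not addrs:
        raise ValueError("need at least one address sample")
    always_one = WORD_MASK
    always_zero = WORD_MASK
    for a in addrs:
        always_one &= a
        always_zero &= ~a & WORD_MASK
    return WORD_MASK & ~(always_one | always_zero)

def entropy_bits(addresses: Iterable[int]) -> int:
    """Number of randomised bits, i.e. log2 of the number of possible layouts."""
    return bin(varying_bits(addresses)).count("1")

def describe_layout(addresses: Iterable[int]) -> Dict[str, int]:
    """Summarise where the fixed bits sit: how many at the top, how many at the bottom."""
    mask = varying_bits(addresses)
    fixed_top = WORD_BITS - mask.bit_length() if mask else WORD_BITS
    fixed_bottom = (mask & -mask).bit_length() - 1 if mask else WORD_BITS
    return {
        "entropy_bits": bin(mask).count("1"),
        "fixed_top_bits": fixed_top,
        "fixed_bottom_bits": fixed_bottom,
    }

def simulated_playbook_addresses(n: int, seed: int = 1, page_offset: int = 0x3a8) -> List[int]:
    """Constructed samples matching the layout in the post (assumption, not device data):
    16 random bits shifted above a 12-bit page offset, leaving the top 4 bits zero."""
    rng = random.Random(seed)
    return [(rng.getrandbits(16) << 12) | page_offset for _ in range(n)]

if __name__ == "__main__":
    sample = simulated_playbook_addresses(256)
    print(describe_layout(sample))
```

The number of samples matters: with too few runs a genuinely random bit can look fixed, so treat `entropy_bits` as a lower bound that converges as you add observations. Comparing `fixed_bottom_bits` with the page size also tells you whether the fixed low bits are simply page alignment or something weaker.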

The PlayBook supports SMB so I thought I'd check out the passwords that were configured. It turns out that the nobody user receives the device password (it's stored as LM and NT format hashes), but there's another user "dtm" who only has an NT format hash. I will try and crack that in due course but here it is if you want to try:

dtm:101:NO PASSWORD*********************:F80A8A1041285144185CF416F362135F:::

It's worth noting that the Dingleberry jailbreak used Samba to root the real PlayBook.

Mood: Hungry

Music: Nothing playing right now
