Windows Pwn 7 OEM – Owned Every Mobile?

Alex Plaskett

Windows Phone 7 is new to the market and has thus not been as widely tested as Android and iOS alternatives. This talk seeks to give an overview of the platform and some security issues.

< Full slides from the Bluehat version of this presentation are available here >

< What follows are notes from the presentation, in case they differ from the previously presented information >

Windows Phone OS 7

The same base OS is used across all OEM phones. However, OEMs are permitted to make changes, which gives them the ability to customise the system.

Windows Phone 7 is meant to be a closed platform. Changes to the underlying OS aren’t meant to be made by the user, and thus are undocumented.

Custom Windows CE 6/7

ARMv7 processor

32-bit platform

Application Model

No native code for 3rd party developers

Third-party apps are written in C# on the Silverlight/XNA Framework (.NET CLR)

Applications are required to be signed

No side loading

Marketplace validation

Security features

Chamber based security model

Dynamic Capabilities (LPC Chamber)

WPManifest.xml

ID_CAP_CAMERA

ID_CAP_INTEROPSERVICES

ID_CAP_….

Code Signing (LPC)

In-ROM binaries are implicitly trusted

Any further binaries require signing

The exception is developer-unlocked devices

Policy files contain a hash of the signing certificate. If validation succeeds, the application is granted LV_ACCESS_EXECUTE

Loader Verifier Module (LVMOD)

Kernel-Based Module (TCB)

Authentication and Authorisation

Policy Framework

Code Signing

accountdb.vol

Controls all authentication and authorisation on the device.

Policy Framework

XML-based

Per-module policy XML files are combined

Centralised policydb.vol database

TCB-protected

Exploit Mitigation

ASLR (Address Space Layout Randomization)

XN (Execute Never)

WP7 Exploit Development

Crash dumps don’t provide much information (128k of data). It’s also not easy to access the dump files, as they’re stored in a location that is not accessible from within the sandbox. By abusing ID_CAP_INTEROPSERVICES it’s possible to use OEM device drivers to access the underlying filesystem.

As WP7 implements ASLR and XN, a vulnerability is required to gain code execution inside the least-privilege sandbox. A further exploit is needed to gain full permissions and access to the really interesting data.

OEM Vulnerabilities on Other Platforms

Examining bugs introduced by OEMs on other platforms shows that the elevated privileges OEMs have on phones have caused bugs in the past.

Android

  HTC Browser INSTALL permissions

  HTC Sound Recorder

  HTC Logger

iPhone / BlackBerry

N/A (no OEMs, hence no OEM-introduced vulnerabilities)

Device Fingerprinting

Simple User-Agent detection

  HTC; HD7…..

  UA-CPU: ARM

Browser Exploitation

Not patched currently (details will be released with the patch)

Requires an ASLR/XN bypass for arbitrary code execution

Still stuck in the LPC chamber

OEM-Introduced Issue with ID_CAP_INTEROPSERVICES

Used to access drivers and services

  Undocumented

  Microsoft.Phone.InteropServices.dll

  WPInteropManifest.xml
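The check a marketplace validator or app reviewer would want for this capability, as an added example that is not from the talk or the slides: it parses an app manifest, flags ID_CAP_INTEROPSERVICES and a bundled WPInteropManifest.xml, and reports any capability outside a small allowlist. The WMAppManifest.xml file name, the <Capability Name="..."/> layout and the allowlist entries other than ID_CAP_CAMERA are assumptions; the sample manifests are constructed.

```python
"""Capability audit for a Windows Phone 7 app package (added example, not from the talk).
Assumes capabilities appear as <Capabilities><Capability Name="ID_CAP_..."/></Capabilities>
(the WMAppManifest.xml layout); all sample manifests here are constructed."""
import xml.etree.ElementTree as ET

# Named on the slides as undocumented and OEM-only; it reaches OEM drivers and services.
RESTRICTED = {"ID_CAP_INTEROPSERVICES"}
# Partial allowlist of ordinary third-party capabilities; ID_CAP_CAMERA is from the
# slides, the other two are assumed for this example.
DOCUMENTED = {"ID_CAP_CAMERA", "ID_CAP_NETWORKING", "ID_CAP_LOCATION"}

def capabilities(manifest_xml: str) -> set[str]:
    """Return the ID_CAP_* names a manifest requests, ignoring XML namespaces."""
    root = ET.fromstring(manifest_xml)
    return {el.get("Name", "") for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "Capability"}

def audit(package: dict[str, str]) -> dict:
    """package maps file name -> content, as a marketplace validator would see it."""
    caps = capabilities(package.get("WMAppManifest.xml", "<Deployment/>"))
    interop_manifest = "WPInteropManifest.xml" in package
    restricted = sorted(caps & RESTRICTED)
    unknown = sorted(caps - RESTRICTED - DOCUMENTED)
    findings = []
    if restricted:
        findings.append("requests OEM-only " + ", ".join(restricted))
    if interop_manifest:
        findings.append("ships WPInteropManifest.xml (native interop declared)")
    if unknown:
        findings.append("undocumented capabilities: " + ", ".join(unknown))
    if restricted or interop_manifest:
        verdict = "reject"
    elif unknown:
        verdict = "review"
    else:
        verdict = "pass"
    return {"capabilities": sorted(caps), "findings": findings, "verdict": verdict}

# Constructed manifests: a plain app, then the same app with the interop capability added.
BENIGN = """<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2009/deployment">
  <App Title="Notes"><Capabilities>
    <Capability Name="ID_CAP_NETWORKING"/><Capability Name="ID_CAP_CAMERA"/>
  </Capabilities></App></Deployment>"""
INTEROP = BENIGN.replace("</Capabilities>",
                         '<Capability Name="ID_CAP_INTEROPSERVICES"/></Capabilities>')

if __name__ == "__main__":
    print(audit({"WMAppManifest.xml": BENIGN}))
    print(audit({"WMAppManifest.xml": INTEROP, "WPInteropManifest.xml": "<Interop/>"}))
```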

Device Driver Vulnerability

Samsung device driver that grants arbitrary read/write to kernel memory

Bypass TCB (Trusted Computing Base)

  Patch system call handlers to point to attacker-controlled code

Samsung PROVXML directory traversal vulnerability

Write to a directory you have write access to

  Can’t create new processes

Samsung driver for creating new processes

OEM functionality

  Fake certs

  Fake signatures

  Backdoor



… Mango and onwards patches some of these issues

It still allows OEMs to bypass the security model

Links:

Windows Pwn 7 OEM – Owned Every Mobile? –> Overview

Blue Hat v11 Technical – Windows Pwn 7 OEM Slides –> PDF