NoConName – Attack Surface Analysis of Windows CE/Mobile 5
Hola again! Well, that’s my Spanish out the way. Oh, wait – dos cervezas por favor ;-). Anyway, I was invited down to Spain by the kind folk of NoConName (thanks to Nico and crew – Majorca is lovely!) to deliver a presentation on some research I had done at the start of the year when I first joined the Advanced Threat Research team (research that I had alluded to in an earlier blog entry on an attack surface analysis of Windows CE 5 and Windows Mobile 5.
This is a rundown of the NoConName version of my presentation:
• Introduction & Context
• Overview of Windows CE
• Windows CE Security Model
• Analysis Findings
• Windows CE and Security Patches
The first three sections are pretty self explanatory and way too long to cover in single blog posting. I covered the last section, for the most part, in the previous blog post mentioned above. So, that leaves Analysis Findings and in my opinion, this is the most interesting section. Before my dinner is cooked I’m going try and provide a summary of some of the highlights from this section. Due to certain constraints, this differs from the internal version I give where I spell out every single zero-day, but you’ll get the idea. I will only be covering a short subset of the findings in this blog entry and make a series of it. The following is a quick introduction to a key CE security feature; that is, “one-tier” versus “two-tier.”
One-Tier and Two-Tier
The concept of one-tier and two-tier devices can exist within Windows CE. One-tier devices in the Windows Mobile world are devices that run Windows Mobile PocketPC and Windows Mobile PocketPC Phone Edition. Two-tier devices are those that run Windows Mobile SmartPhone edition.
Microsoft defines the security on the Microsoft’s Developer Network for one-tier devices as: “One-tier security distinguishes between signed and unsigned applications. All signed applications run as Trusted on the device. Trusted applications can access every aspect of the device.“ In short, unsigned applications have a number of policies applied. Are unsigned applications allowed to run? If yes, does the user need to be prompted?
If they are allowed to run, they are run as trusted (that is to say, they can do anything on the device in question). On two-tier devices this differs slightly. This is intended to allow Microsoft, OEMs, or the operator to be able to restrict which APIs unsigned or untrusted code can leverage. These protected APIs are known as “Trusted APIs” and are documented on the Microsoft site. An overview of how APIs work in general in CE is also provided by Microsoft.
Two-tier, Signed: Application has its certificate checked against privileged and unprivileged store. This determines process permissions (privileged, trusted)
Two-tier, Unsigned Application: Will follow the same policy steps as a one-tier device. If allowed to run, will run as unprivileged (partial trust).
Two-tier, Partial Trust: Restricted access to APIs, including registry, file system, debugging, and process control.
In theory, this functionality stops unsigned code getting into the kernel and owning up the rest of the device.
Generic Buffer Overflow Protection
Unlike its desktop counterpart, Windows CE hasn’t had a visit from the security fairy to help provide lovely defense in-depth security features to mitigate common overflows. The result of which is that the /GS flag in Microsoft Visual Studio 2005 is not supported. The common mechanism to stop code from being executed from the heap is also not supported (i.e. DEP/NX). This being said, ARM now supports XN (eXecute Never) in some of their ARM v6 CPUs, although there is no out-of-the-box support in the CE 5 kernel. However, Visual Studio 2005’s SafeString handling libraries are supported and you do get a barrage of abuse at compile time about the unsafe equivalents being depreciated.
IP Protocol Stack
When fingerprinted, the IP stack on Windows CE 5 demonstrates Microsoft’s code reuse across product lines. Using NMAP 3.81 and a TCP SYN scan, Windows CE 5.1 is identified as “AXIS embedded, Cisco embedded, IBM MVS, Microsoft Windows 2003/.Net|NT/2K/XP|95/98/ME.” Using XPROBE 2 v.0.2.2, Windows CE 5.1 is guessed at 51% as “Windows Service Pack 2.” So, the obvious question came up: if code reuse is this high, are Microsoft patching CE inline with the desktop version when they find bugs in the IP stack? Short answer, no! For example, Windows CE 4.2 (Windows Mobile 2003 SE) is vulnerable to MS05-019 (Microsoft IP options stack overflow) and well, shall we say that there are others.
Unsigned or Untrusted Code
On two-tier devices, unsigned and untrusted code can still do an awful lot. Some of this functionality can be leveraged by malicious code, too. For example, it can send SMS messages, establish telephone calls, record telephone calls, and transmit via GPRS.
The last point is interesting because during the course of my research I found code that could run on a two-tier device that was unsigned and do exactly this. This is just the tip of the iceberg as to what unsigned or untrusted code can do, but it demonstrates the potential impact.
Conclusions for now
Based on the above, the following conclusions are apparent. Firstly, there is very little mitigation against security vulnerabilities, such as overflows, which can be used to remotely compromise devices. Secondly, Microsoft is either not testing the vulnerabilities they release against CE, or, if they are, they are not highlighting the fact that Windows CE/Mobile may also be vulnerable. Malicious code, once present on the device (although restricted in some capacity—I’ll go into this in more detail in the next issue), is not restricted from doing certain operations that may either breach user privacy or have a financial impact on the user of device (for example, premium-rate SMS services).
Anyway, I think that’s enough for people to mull over for now. When I find some more time I’ll blog on this again (I could rant for a week). Also, before I upset those Microsoft fans out there, I do acknowledge that Windows CE 6 changes everything – significantly. I’ve had a brief scout around and will blog about this in the future. However, until the Windows Mobile team indicates that they are going to be using Windows CE 6, it’s going to be run only on photocopiers and TV set-top boxes and the like. Oh, and for those of you out in Internet Land that are wondering, my dinner is now burnt.