Source | ProjectZero
Identifier | 8221923
Publication date | 2022-11-10 13:10:11 (viewed: 2022-11-25 18:05:33)
Title | A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain
Text |
Maddie Stone, Project Zero

Note: The three vulnerabilities discussed in this blog were all fixed in Samsung's March 2021 release. They were fixed as CVE-2021-25337, CVE-2021-25369, CVE-2021-25370. To ensure your Samsung device is up-to-date, you can check under Settings that your device is running SMR Mar-2021 or later.

As defenders, in-the-wild exploit samples give us important insight into what attackers are really doing. We get the “ground truth” data about the vulnerabilities and exploit techniques they're using, which then informs our further research and guidance to security teams on what could have the biggest impact or return on investment. To do this, we need to know that the vulnerabilities and exploit samples were found in-the-wild. Over the past few years there's been tremendous progress in vendors transparently disclosing when a vulnerability is known to be exploited in-the-wild: Adobe, Android, Apple, ARM, Chrome, Microsoft, Mozilla, and others are sharing this information via their security release notes.

While we understand that Samsung has yet to annotate any vulnerabilities as in-the-wild, going forward, Samsung has committed to publicly sharing when vulnerabilities may be under limited, targeted exploitation, as part of their release notes. We hope that, like Samsung, others will join their industry peers in disclosing when there is evidence to suggest that a vulnerability is being exploited in-the-wild in one of their products.

The exploit sample

The Google Threat Analysis Group (TAG) obtained a partial exploit chain for Samsung devices that TAG believes belonged to a commercial surveillance vendor. These exploits were likely discovered in the testing phase. The sample is from late 2020. The chain merited further analysis because it is a 3-vulnerability chain where all 3 vulnerabilities are within Samsung custom components, including a vulnerability in a Java component.

This exploit analysis was completed in collaboration with Clement Lecigne from TAG.

The sample used three vulnerabilities, all patched in March 2021 by Samsung:

Arbitrary file read/write via the clipboard provider - CVE-2021-25337
Sent | Yes
Tags | Vulnerability, Threat, Guideline
Stories |
Notes |