Issue 938 Samsung: Stack buffer overflow in OTP TrustZone trustlet
Reported by laginimaineb@google.com (Project Member), Sep 13 2016
Status: Fixed
Closed: Jan 4
As a part of the KNOX extensions available on Samsung devices, Samsung provides a TrustZone trustlet which allows the generation of OTP tokens.

The tokens themselves are generated in a TrustZone application within the TEE (UID: fffffffff0000000000000000000001e), which can be communicated with using the "OTP" service, published by "otp_server".

Many of the internal commands supported by the trustlet must either unwrap or wrap a token. They do so by calling the functions "otp_unwrap" and "otp_wrap", respectively.

Both functions copy the internal token data to a local stack based buffer before attempting to wrap or unwrap it. However, this copy operation is performed using a length field supplied in the user's buffer (the length field's offset changes according to the calling code-path), which is not validated at all.

This means an attacker can supply a length field larger than the stack based buffer, causing the user-controlled token data to overflow the stack buffer. There is no stack cookie mitigation in MobiCore trustlets.

On the device I'm working on (SM-G925V), the "OTP" service can be accessed from any user, including from the SELinux context "untrusted_app". Successfully exploiting this vulnerability should allow a user to elevate privileges to the TrustZone TEE.

I've attached a small PoC which can be used to trigger the overflow. It calls the OTP_GENERATE_OTP command with a large length field which overflows the trustlet's stack. Running it should crash the OTP trustlet.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Attachment: OneWhoKNOX.java (1.9 KB)
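As an added illustration, not the trustlet's own code and not the attached PoC: the bounds checks the report says the wrap/unwrap copy omits, applied before token data is copied into a fixed-size stack buffer. The message layout (a 32-bit little-endian length field at a code-path-dependent offset, followed by the token bytes), TOKEN_BUF_SIZE and every function name here are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical message layout (not the real trustlet's): a 32-bit
 * little-endian token length sits at len_offset in the caller-supplied
 * buffer, followed directly by the token bytes. */
#define TOKEN_BUF_SIZE 64   /* assumed size of the local stack buffer */

enum otp_status { OTP_OK = 0, OTP_ERR_SHORT_MSG = -1, OTP_ERR_TOO_LARGE = -2 };

static uint32_t read_u32_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The validation the report says is missing: the length field must lie
 * inside the message, the declared token must not run past the end of
 * the message, and it must fit in the destination buffer. Only then is
 * the copy performed. Arithmetic is ordered so that it cannot wrap. */
int otp_copy_token_checked(const uint8_t *msg, size_t msg_len, size_t len_offset,
                           uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (!msg || !out || !out_len) return OTP_ERR_SHORT_MSG;
    if (len_offset > msg_len || msg_len - len_offset < 4) return OTP_ERR_SHORT_MSG;
    size_t data_offset = len_offset + 4;
    uint32_t token_len = read_u32_le(msg + len_offset);
    if (token_len > msg_len - data_offset) return OTP_ERR_SHORT_MSG; /* over-read */
    if (token_len > out_cap) return OTP_ERR_TOO_LARGE;               /* overflow */
    memcpy(out, msg + data_offset, token_len);
    *out_len = token_len;
    return OTP_OK;
}

/* Unwrap path as the report describes it: token data copied into a
 * fixed-size stack buffer, here routed through the checked helper. */
int otp_unwrap_demo(const uint8_t *msg, size_t msg_len, size_t len_offset)
{
    uint8_t token[TOKEN_BUF_SIZE];
    size_t n = 0;
    return otp_copy_token_checked(msg, msg_len, len_offset, token, sizeof token, &n);
}

/* Constructed sample messages (length field at offset 4). */
int demo_valid(void)        { uint8_t m[8 + 16] = {0};  m[4] = 16;   return otp_unwrap_demo(m, sizeof m, 4); }
int demo_too_large(void)    { uint8_t m[8 + 100] = {0}; m[4] = 100;  return otp_unwrap_demo(m, sizeof m, 4); }
int demo_past_message(void) { uint8_t m[8 + 16] = {0};  m[5] = 0x10; return otp_unwrap_demo(m, sizeof m, 4); }
```

The second sample declares a token that fits inside the message but not inside the 64-byte local buffer, which is exactly the case an in-message length check alone would miss.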
Project Member Comment 1 by laginimaineb@google.com, Dec 12 2016
Labels: -Restrict-View-Commit Deadline-Exceeded
Status: Started
Samsung has started rolling out the fix this month. Deadline exceeded -- automatically derestricting.
Project Member Comment 2 by laginimaineb@google.com, Dec 31 2016
Labels: SVE-2016-7173
Project Member Comment 3 by laginimaineb@google.com, Jan 3
Status: New
Newest version (G925VVRU4CPK2_G925VVZW4CPK2_VZW) remains unpatched.
Project Member Comment 4 by laginimaineb@google.com, Jan 4
Status: Fixed
G925VVRU4CPK2_G925VVZW4CPK2_VZW was on the November SMR -- verified fix on G930FXXU1BPLB_G930FUUB1BPL4_UPO.
Project Member Comment 5 by laginimaineb@google.com, Feb 3
Summary: Samsung: Stack buffer overflow in OTP TrustZone trustlet (was: Stack buffer overflow in OTP TrustZone trustlet)