Samsung: Stack buffer overflow in OTP TrustZone trustlet
Reported by firstname.lastname@example.org, Sep 13 2016
As part of the KNOX extensions available on Samsung devices, Samsung provides a TrustZone trustlet which allows the generation of OTP tokens. The tokens themselves are generated in a TrustZone application within the TEE (UID: fffffffff0000000000000000000001e), which can be communicated with using the "OTP" service, published by "otp_server".

Many of the internal commands supported by the trustlet must either unwrap or wrap a token. They do so by calling the functions "otp_unwrap" and "otp_wrap", respectively. Both functions copy the internal token data to a local stack-based buffer before attempting to wrap or unwrap it. However, this copy operation is performed using a length field supplied in the user's buffer (the length field's offset changes according to the calling code-path), which is not validated at all. This means an attacker can supply a length field larger than the stack-based buffer, causing the user-controlled token data to overflow the stack buffer. There is no stack cookie mitigation in MobiCore trustlets.

On the device I'm working on (SM-G925V), the "OTP" service can be accessed from any user, including from the SELinux context "untrusted_app". Successfully exploiting this vulnerability should allow a user to elevate privileges to the TrustZone TEE.

I've attached a small PoC which can be used to trigger the overflow. It calls the OTP_GENERATE_OTP command with a large length field which overflows the trustlet's stack. Running it should crash the OTP trustlet.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
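To make the defect concrete, here is an added C sketch of the copy pattern the report describes next to the check that prevents it. This is illustration written for this page, not the trustlet's code: the buffer sizes, the message layout and the function names are constructed assumptions (the page gives neither the real offsets nor the real sizes).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Sizes are constructed for this example; the trustlet's real ones are not given on the page. */
#define OTP_TOKEN_MAX    64u   /* capacity of the local stack buffer */
#define OTP_MSG_DATA_MAX 256u  /* bytes of token data the shared buffer can carry */

/* Hypothetical shape of the caller-supplied buffer: a length field followed by token data. */
struct otp_msg {
    uint32_t len;                      /* caller-controlled, must be validated */
    uint8_t  data[OTP_MSG_DATA_MAX];
};

/* The pattern the report describes: the length read from the shared buffer drives the
 * copy into a fixed-size stack array with no check, so len > OTP_TOKEN_MAX overwrites
 * whatever follows tok[] on the stack (and MobiCore trustlets have no stack cookies). */
size_t otp_unwrap_vulnerable(const struct otp_msg *msg, uint8_t *out)
{
    uint8_t tok[OTP_TOKEN_MAX];
    memcpy(tok, msg->data, msg->len);  /* BUG: unvalidated copy length */
    memcpy(out, tok, msg->len);
    return msg->len;
}

/* Hardened form: reject any length the stack buffer, the message, or the output buffer
 * cannot hold before touching memory. Returns bytes staged, or -1 on a bad length. */
int otp_unwrap_hardened(const struct otp_msg *msg, uint8_t *out, size_t out_cap)
{
    uint8_t tok[OTP_TOKEN_MAX];
    uint32_t len = msg->len;           /* read the untrusted field exactly once */

    if (len == 0 || len > OTP_TOKEN_MAX || len > OTP_MSG_DATA_MAX || len > out_cap)
        return -1;                     /* would overflow tok[], over-read msg, or overflow out */

    memcpy(tok, msg->data, len);
    /* ... the real unwrapping of tok[0..len) would happen here ... */
    memcpy(out, tok, len);
    return (int)len;
}

/* Constructed input: a message claiming `len` bytes of 0xAB token data, run through the check. */
int hardened_result_for_len(uint32_t len)
{
    struct otp_msg msg;
    uint8_t out[OTP_TOKEN_MAX];
    memset(&msg, 0xAB, sizeof msg);
    msg.len = len;
    return otp_unwrap_hardened(&msg, out, sizeof out);
}
```

The hardened check rejects the boundary case (OTP_TOKEN_MAX + 1) as well as the huge value the PoC sends, while a token that exactly fills the buffer is still accepted.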
Dec 12 2016,
Samsung has started rolling out the fix this month. Deadline exceeded -- automatically derestricting.
Dec 31 2016,
Jan 3 2017,
Newest version (G925VVRU4CPK2_G925VVZW4CPK2_VZW) remains unpatched.
Jan 4 2017,
G925VVRU4CPK2_G925VVZW4CPK2_VZW was on the November SMR -- verified fix on G930FXXU1BPLB_G930FUUB1BPL4_UPO.
Feb 3 2017,