Security researchers from Viral Security Group Ltd. have bypassed Samsung KNOX security features by exploiting vulnerabilities that leave unpatched devices open to compromise.
To bypass Samsung's protections, the researchers focused on a module called TIMA RKP (Real-time Kernel Protection), which is responsible for defending against kernel exploits. Even with RKP in place, a standard root exploit can still subvert the kernel, and code can then be executed in the system user context, the researchers say.
According to a paper detailing the research, a malicious actor with access to the system account could replace legitimate apps with rogue software holding every available permission, all without the user noticing. Furthermore, the RKP module can be abused to achieve root privileges, and the researchers even managed to load a kernel module to remount the /system partition as writable.
To subvert the RKP module, the researchers abused CVE-2015-1805, a write-what-where kernel vulnerability, using the open-source exploit implementation dubbed iovyroot. A generic Linux kernel exploit, iovyroot was devised to leverage the flaw on recent Samsung devices, including the Galaxy S6 and Galaxy Note 5, the researchers say.
The RKP module, the researchers say, has two layers: one interwoven with the Linux kernel, and another residing in ARM TrustZone as a hypervisor. RKP is meant to hide and protect certain areas of kernel memory, performing its own checks and validations independently of, and out of reach of, the kernel.
The issue with RKP was found in a special function, rkp_override_creds, which replaces the regular kernel function override_creds and can be used to temporarily override the current process's credentials. Using this function, the researchers tried to achieve root by having RKP override the credentials with root values, but failed, because "the hypervisor side does not take nicely attempts to override process credentials with root values." It does, however, accept system values, the researchers say.
While still attempting to achieve root, the researchers discovered a file called vmm.elf, which turned out to be the RKP module itself, and were able to find in it the function that would allow them to achieve root. However, they discovered that the permissions obtained this way were limited, and that loading a kernel module would provide a path to full privilege escalation, a feasible step since Samsung's Galaxy S6 allows the insertion of kernel modules.
Modules, however, need to be signed, and the verification is performed by the Mobicore micro-kernel residing in ARM TrustZone. Nonetheless, because the kernel consults a global variable, lkmauth_bootmode, to decide whether to run the check at all (it is bypassed for the BOOTMODE_RECOVERY value), the researchers used a kernel write primitive to overwrite that variable and disable signature verification.
"At this point, we could easily load any kernel module we desired," the researchers note. The three vulnerabilities that allowed the successful exploitation of Samsung KNOX were collectively named KNOXout. Tracked as CVE-2016-6584, they are privilege escalation issues that have already been disclosed to the vendor.
Remediations proposed by the researchers include treating system permissions like root; moving the PID check later in the permission-granting process, since RKP grants root to processes with PID 0 (which the researchers leveraged); and placing the lkmauth_bootmode variable and the security_ops structure in an RKP-protected, read-only page.
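As an added illustration, not code from the KNOXout paper, from RKP, or from Samsung's kernel, the following C model sketches the two checks the article describes (the rkp_override_creds policy and the lkmauth_bootmode module-signing gate) in the weak form the article attributes to the device beside a form that applies the proposed remediations. The struct layout, constants, function names, and the idea of corroborating a PID-0 exemption against the task object recorded at boot are assumptions made for the example; the hypervisor's real logic is not given on this page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ROOT_UID   0u
#define SYSTEM_UID 1000u          /* Android AID_SYSTEM */
#define BOOTMODE_NORMAL   0       /* assumed encodings; only the comparison matters */
#define BOOTMODE_RECOVERY 1

enum verdict { DENY = 0, ALLOW = 1 };

/* Stand-in for the kernel's task struct. It lives in ordinary kernel
 * memory, so a write-what-where primitive can change any field of it. */
struct task {
    int      pid;
    uint32_t uid;
    uint32_t gid;
};

/* The one task the hypervisor recorded as pid 0 at boot (constructed). */
static const struct task idle_task = { 0, 0, 0 };

static bool is_root(uint32_t uid, uint32_t gid)   { return uid == ROOT_UID || gid == ROOT_UID; }
static bool is_system(uint32_t uid, uint32_t gid) { return uid == SYSTEM_UID || gid == SYSTEM_UID; }

/* Weak policy, modelled on the article's description: pid 0 is exempted
 * before the requested values are inspected, root values are refused,
 * but system values are not treated as privileged. */
enum verdict override_creds_weak(const struct task *t, uint32_t uid, uint32_t gid)
{
    if (t->pid == 0)
        return ALLOW;             /* forged pid field -> instant root */
    if (is_root(uid, gid))
        return DENY;              /* "does not take nicely" to root values */
    return ALLOW;                 /* system (uid 1000) passes */
}

/* Hardened policy following the proposed remediation: system is treated
 * like root, the value check runs first, and the pid-0 exemption is only
 * honoured when the task object is the one recorded as idle at boot
 * (an assumed way of corroborating the pid field). */
enum verdict override_creds_hardened(const struct task *t, uint32_t uid, uint32_t gid)
{
    if (!is_root(uid, gid) && !is_system(uid, gid))
        return ALLOW;             /* unprivileged target: nothing to protect */
    if (t->pid == 0 && t == &idle_task)
        return ALLOW;             /* PID check last, tied to object identity */
    return DENY;
}

/* Module-loading gate. Signature verification is skipped when the kernel
 * believes it booted into recovery; if that flag sits in writable kernel
 * memory, a single arbitrary write turns verification off. */
struct lkm_state {
    int  bootmode;
    bool in_rkp_readonly_page;    /* remediation: RKP pins the page read-only */
};

/* The attacker's write primitive aimed at the flag; returns whether it took. */
bool attacker_set_bootmode(struct lkm_state *s, int value)
{
    if (s->in_rkp_readonly_page)
        return false;             /* hypervisor-enforced RO: the write faults */
    s->bootmode = value;
    return true;
}

/* Whether an unsigned module would be accepted under the current state. */
bool unsigned_module_loads(const struct lkm_state *s)
{
    bool verify = (s->bootmode != BOOTMODE_RECOVERY);
    return !verify;               /* no verification -> unsigned module loads */
}

/* End to end: attempt the overwrite, then ask whether an unsigned module loads. */
bool unsigned_module_loads_after_attack(bool flag_is_pinned)
{
    struct lkm_state s = { BOOTMODE_NORMAL, flag_is_pinned };
    attacker_set_bootmode(&s, BOOTMODE_RECOVERY);
    return unsigned_module_loads(&s);
}

int main(void)
{
    struct task forged = { 0, 10001, 10001 };   /* pid field overwritten to 0 */
    struct task app    = { 4242, 10001, 10001 };

    printf("weak,     forged pid 0 -> root:   %s\n",
           override_creds_weak(&forged, ROOT_UID, ROOT_UID) == ALLOW ? "ALLOW" : "DENY");
    printf("hardened, forged pid 0 -> root:   %s\n",
           override_creds_hardened(&forged, ROOT_UID, ROOT_UID) == ALLOW ? "ALLOW" : "DENY");
    printf("weak,     app -> system:          %s\n",
           override_creds_weak(&app, SYSTEM_UID, SYSTEM_UID) == ALLOW ? "ALLOW" : "DENY");
    printf("hardened, app -> system:          %s\n",
           override_creds_hardened(&app, SYSTEM_UID, SYSTEM_UID) == ALLOW ? "ALLOW" : "DENY");
    printf("unsigned module loads: writable flag=%d, pinned flag=%d\n",
           unsigned_module_loads_after_attack(false), unsigned_module_loads_after_attack(true));
    return 0;
}
```

The model makes the ordering point concrete: in the weak policy a forged pid of 0 short-circuits every other check, and system credentials are never examined at all, while the hardened policy decides on the requested values before it ever looks at the PID. The module gate shows why the third remediation matters independently of the first two: the check itself is unchanged, but once the flag lives in a page the hypervisor keeps read-only, the write that disables it no longer lands.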
Related: Critical Vulnerability Breaks Android Full Disk Encryption