Abstract


Jeff Chao is a Sr. Vulnerability Researcher at Team T5 and a CTF player who won 2nd place at DEF CON 22 and 25 as a member of team HITCON. He focuses on Linux and Android binary exploitation.

[Abstract]
==========

Samsung Knox Active Protection provides many protections against unauthorized changes to its devices. In particular, there is a one-time fuse (the KNOX bit) intended to prevent untrusted boot: if the device tries to boot from a modified image, the fuse is blown. Once the fuse is blown, the device can no longer access the KNOX container, Samsung Pay, or keys previously stored in the Keychain.
We combined two CVEs and one privately patched vulnerability to achieve persistent remote root without blowing the KNOX bit.
The first vulnerability is CVE-2016-3861, a heap overflow during UTF-16 string conversion in libutils. We ported Project Zero's POC, written for the Nexus, to a Samsung device. Because Samsung has modified libmedia.so, the object used in the POC cannot be used directly on a Samsung device: its structure size and field offsets have changed, so we needed another way to leak an address and take control of program flow.
Next we need privilege escalation, for which we use Dirty COW (CVE-2016-5195) to gain root. Root alone is not enough, however: we still have to get past the SELinux policy that confines the process. Finally, Cadmium, an exploit described in a brief leaked as part of Vault 7, lets us hijack the device's boot flow. In other words, we obtain code execution early enough in boot to bypass the KNOX protection. With these vulnerabilities, we achieve a full remote root on the Samsung Galaxy S6.