Critical Vulnerability in Samsung Android Smartphones


A weak spot in Android smartphones powered by the Samsung Exynos 4210 and 4412 CPUs allows code to be run with kernel privileges. On the one hand, owners of the affected smartphones can thereby obtain root rights; on the other hand, the gap can also be used by malicious apps to inject malicious code.

Vulnerability in Android Smartphones affects the critical kernel memory

The user alephzain has documented in the Xda-developers forum that, on the affected devices, all users have both read and write access to the whole memory of the smartphone through the device file /dev/exynos-mem. This also covers the critical kernel memory. According to the report, the device file is used, among other things, by the camera app and for the HDMI output.

Affected Android Smartphones

The gap is said to be easy to exploit. Obviously affected are the Samsung Galaxy S3, Galaxy S2 and Galaxy Note 2 devices and the Meizu MX. Furthermore, all other devices with the two Exynos processors could also be affected.

There is already a first app that takes advantage of the memory access in the interest of the smartphone owner: it gives him root privileges and then allows the gap to be closed; after that, however, the camera can no longer be used.

Some Details about Vulnerability in Android Smartphones

/dev/exynos-mem seems to be used for graphic usage like camera, graphic memory allocation, hdmi.
By activating pid display in kmsg, surfaceflinger does mmap on the device (via one of the three shared libraries above?? I have not seen a reference in the binary to these libraries).
The operations allowed on the device are (from linux/drivers/char/mem.c):

Code:
/* file operations registered for the exynos-mem character device */
static const struct file_operations exynos_mem_fops = {
    .open       = exynos_mem_open,
    .release    = exynos_mem_release,
    .unlocked_ioctl = exynos_mem_ioctl,
    .mmap       = exynos_mem_mmap,
};

and the default permissions (from linux/drivers/char/mem.c) :

Code:
#ifdef CONFIG_EXYNOS_MEM
    [14] = {"exynos-mem", S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH
            | S_IWOTH, &exynos_mem_fops},
#endif

ioctl requests on /dev/exynos-mem permit to clean / flush the L1 and L2 cache, set non-cacheable page memory and set the physical memory address for use with mmap.
Now the interesting part: the mmap operation.
The only limit is to restrict access to lowmem (from linux/drivers/char/exynos-mem.c):

Code:
/* TODO: currently lowmem is only available */
if ((phys_to_virt(start) < (void *)PAGE_OFFSET) ||
    (phys_to_virt(start) >= high_memory)) {
    pr_err("[%s] invalid paddr(0x%08x)\n", __func__, start);
    return -EINVAL;
}

The comment in the above code could be frightening.

And a look at Documentation/arm/memory.txt says:

Code:
Start       End             Use
--------------------------------------------------------------------------
PAGE_OFFSET high_memory-1   Kernel direct-mapped RAM region.
                            This maps the platforms RAM, and typically
                            maps all platform RAM in a 1:1 relationship.

In other words, this device only permits owning the physical memory, including kernel code.
The question is why permissions are set to read/write for all in the kernel AND in ueventd.smdk4x12.rc:

  • the samsung developer in charge of this would lose his job
  • some samsung apps with basic rights need to access it (I doubt it)
  • a huge mistake

A simple patch for Android Smartphones could be applied to set permissions to 0660 or 0600 in ueventd.smdk4x12.rc, but I don't know how it would affect samsung applications/services.

Summary

An additional fix from the same forum closes the gap as well; in this case the camera is supposed to remain usable. Whether it brings other limitations is not known.
