[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[CVE-2016-1920] VPN Man-in-the-Middle due to shared certificate store on KNOX 1.0 / Android 4.3



Subject: [CVE-2016-1920] VPN Man-in-the-Middle due to shared certificate store 
on KNOX 1.0 / Android 4.3

Vulnerability Description
=========================
The vulnerability allows disclosure of Data-in-Motion of Samsung KNOX 1.0 
containers. 

In KNOX 1.0.0 the applications inside the container use the same certificate 
store as the outside Android environment. 
Android supports installing 3rd party certificates (following user 
authorization). Another useful feature in Android is the ability to create a 
VPN connection through which all traffic will be routed. 

Combining the above facts leads to a vulnerability allowing an attacker to 
perform a MITM attack on VPN traffic originating from within the KNOX container 

The attack sequence is as follows (all can be done without the user's knowledge 
for example when asking to make a phone call from his device): 
1. Install the malicious application requiring VPN-related permissions 
2. Install a 3rd party certificate 
3. Run the malicious application which starts a VPN connection. This will cause 
a notification to appear with the icon of the malicious application and name of 
the VPN connection. 

The ``red flag'' in form of the notification can be easily mitigated by the 
attacker. 
By using the KNOX icon and a benign name for the VPN connection such as ``KNOX 
Connectivity'' a non-tech-savvy will surely be persuaded that the notification 
is a legitimate part of KNOX and continue using the device normally. 

Affected System Configurations
==============================
We have tested and verified the vulnerability on the following devices, 
however, we believe that ALL Samsung devices running KNOX 1.0.0 are vulnerable 
1. Samsung Galaxy S3 
- Model Number: GT-I9305 
- Android Version: 4.3 
- Kernel Version: 3.0.31-2051278 dpi@DELL323 #1 
- Build Number: JSS15J.I9305XXUEML8 
- KNOX Version: 1.0.0 
- State: Rooted, via flashing a custom recovery and kernel. KNOX warranty bit 
tripped, technically disabling KNOX. KNOX was re-enabled (fully functional) 
using root capabilities 

2. Samsung Galaxy S4 
- Model Number: GT-I9505 
- Android Version: 4.3 
- Kernel Version: 3.4.0-1869009 se.infra@SEP-106 #1 
- Build Number: XXUEMJ5.CCOM 
- KNOX Version: 1.0.0 
- State: Rooted using SafeRoot. KNOX warranty bit not tripped, KNOX fully 
functional

Vulnerability Impact
====================
Prerequisite: 
- One-time access to an unlocked device allowing an attacker to install an 
application of his choosing 

Impact: 
- For as long as the VPN connection is active, all device traffic outside and 
inside KNOX will be routed through the VPN connection, 
allowing the malicious application to serve fake SSL/TLS certificates signed 
with its perviously installed 3rd-party certificate. 
Due to the shared certificate store, any application relying on a 
chain-of-trust verification will believe the certificate to be authentic and 
continue operating as normal, allowing the user to disclose his secret data to 
the attacker. 
- This attack will not persist after reboot as there is a need to manually 
start the VPN connection. 
- The attack doesn't involve any exploits and does not require knowing the 
user's KNOX password. 

Mitigation: 
- This attack was mitigated in KNOX 2.3.0 by introducing a separate certificate 
store for the KNOX environment. 
- The vulnerable code is in the system_server's code (services.odex) which can 
only be replaced by a full system update, potentially upgrading KNOX to 2.x.

Vendor Contact
==============
We contacted Samsung on December 9th, 2015 and have had detailed email 
exchanges with the vendor regarding this vulnerability. 
The highlights of the vendor's responses are: 

- "KNOX 1.0 is different than KNOX 2.3 in many significant ways". 
- This vulnerability was "directly identified and addressed during past 
internal security reviews" 
- "Devices that are KNOX capable can be updated via the Maintenance Release 
process. KNOX 1.0 containers will automatically upgrade to the newer KNOX 2.x 
technology when the update is applied" 
- "upgrading to Android 4.4 on a KNOX-enabled device implies upgrading to KNOX 
2.x. No additional steps should be necessary from the users perspective"

Vulnerability Discovery Method
==============================
We utilized dynamic analysis of KNOX 1.0.0 to find this vulnerability. 

The dynamic analysis was performed using the Xposed framework by inserting 
hooks in the code flow requesting Android system services. 
We came to the conclusion that KNOX shares the system_server with the normal 
Android environment and attempted to "manipulate" a service externally to 
impact KNOX internally. We assumed that the certificate verification in SSL 
must be performed using a system service and if we could convince that service 
to trust our own certificate it would translate to KNOX trusting it as well. 
To do this we used the Packet Capture application by Grey Shirts 
(https://play.google.com/store/apps/details?id=app.greyshirts.sslcapture&hl=en).
 
The application installs a custom certificate and creates a VPN connection 
allowing it to capture all traffic. 
Then we surfed to an https URL from within the KNOX browser, in our case the 
Yahoo login page. We entered a username and password and afterwards saw it in 
the captured packets in Packet Capture. 

To install the Xposed framework we had to root the devices. 
- The Galaxy S4 was rooted using a modified version of SafeRoot. We downloaded 
the source code of SafeRoot, removed any KNOX-disabling features from it, 
recompiled it and used the modified binary to install "SuperSU" on the device. 
Using SuperSU we installed Xposed. 
- The Galaxy S3 was rooted to begin with by flashing a custom recovery and 
kernel, tripping the warranty bit in the process, thus preventing us from 
running KNOX. Due to the device being already rooted we installed Xposed on it 
and used Xposed to "re-enable" KNOX. We did this by adding hooks to the TIMA 
service running in the system_server. We hooked keystoreInstallKey to always 
return 0 and keystoreRetrieveKey to always return [0] + [key], with [key] 
always being the same 32 bytes. This convinced KNOX that the device isn't 
rooted and made it fully functional allowing us to verify the vulnerability on 
it as well.

Timeline
========
2015-12-09 Vendor notified
2015-12-28 Vendor permitted vulnerability publication
2016-01-12 CVE number requested
2016-01-16 CVE number assigned
2016-01-16 Public disclosure