[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[CVE-2016-1920] VPN Man-in-the-Middle due to shared certificate store on KNOX 1.0 / Android 4.3
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: [CVE-2016-1920] VPN Man-in-the-Middle due to shared certificate store on KNOX 1.0 / Android 4.3
- From: urikanonov@xxxxxxxxx
- Date: Sat, 16 Jan 2016 13:39:56 GMT
Subject: [CVE-2016-1920] VPN Man-in-the-Middle due to shared certificate store
on KNOX 1.0 / Android 4.3
Vulnerability Description
=========================
The vulnerability allows disclosure of Data-in-Motion of Samsung KNOX 1.0
containers.
In KNOX 1.0.0 the applications inside the container use the same certificate
store as the outside Android environment.
Android supports installing 3rd party certificates (following user
authorization). Another useful feature in Android is the ability to create a
VPN connection through which all traffic will be routed.
Combining the above facts leads to a vulnerability allowing an attacker to
perform a MITM attack on VPN traffic originating from within the KNOX container
The attack sequence is as follows (all can be done without the user's knowledge
for example when asking to make a phone call from his device):
1. Install the malicious application requiring VPN-related permissions
2. Install a 3rd party certificate
3. Run the malicious application which starts a VPN connection. This will cause
a notification to appear with the icon of the malicious application and name of
the VPN connection.
The ``red flag'' in form of the notification can be easily mitigated by the
attacker.
By using the KNOX icon and a benign name for the VPN connection such as ``KNOX
Connectivity'' a non-tech-savvy will surely be persuaded that the notification
is a legitimate part of KNOX and continue using the device normally.
Affected System Configurations
==============================
We have tested and verified the vulnerability on the following devices,
however, we believe that ALL Samsung devices running KNOX 1.0.0 are vulnerable
1. Samsung Galaxy S3
- Model Number: GT-I9305
- Android Version: 4.3
- Kernel Version: 3.0.31-2051278 dpi@DELL323 #1
- Build Number: JSS15J.I9305XXUEML8
- KNOX Version: 1.0.0
- State: Rooted, via flashing a custom recovery and kernel. KNOX warranty bit
tripped, technically disabling KNOX. KNOX was re-enabled (fully functional)
using root capabilities
2. Samsung Galaxy S4
- Model Number: GT-I9505
- Android Version: 4.3
- Kernel Version: 3.4.0-1869009 se.infra@SEP-106 #1
- Build Number: XXUEMJ5.CCOM
- KNOX Version: 1.0.0
- State: Rooted using SafeRoot. KNOX warranty bit not tripped, KNOX fully
functional
Vulnerability Impact
====================
Prerequisite:
- One-time access to an unlocked device allowing an attacker to install an
application of his choosing
Impact:
- For as long as the VPN connection is active, all device traffic outside and
inside KNOX will be routed through the VPN connection,
allowing the malicious application to serve fake SSL/TLS certificates signed
with its perviously installed 3rd-party certificate.
Due to the shared certificate store, any application relying on a
chain-of-trust verification will believe the certificate to be authentic and
continue operating as normal, allowing the user to disclose his secret data to
the attacker.
- This attack will not persist after reboot as there is a need to manually
start the VPN connection.
- The attack doesn't involve any exploits and does not require knowing the
user's KNOX password.
Mitigation:
- This attack was mitigated in KNOX 2.3.0 by introducing a separate certificate
store for the KNOX environment.
- The vulnerable code is in the system_server's code (services.odex) which can
only be replaced by a full system update, potentially upgrading KNOX to 2.x.
Vendor Contact
==============
We contacted Samsung on December 9th, 2015 and have had detailed email
exchanges with the vendor regarding this vulnerability.
The highlights of the vendor's responses are:
- "KNOX 1.0 is different than KNOX 2.3 in many significant ways".
- This vulnerability was "directly identified and addressed during past
internal security reviews"
- "Devices that are KNOX capable can be updated via the Maintenance Release
process. KNOX 1.0 containers will automatically upgrade to the newer KNOX 2.x
technology when the update is applied"
- "upgrading to Android 4.4 on a KNOX-enabled device implies upgrading to KNOX
2.x. No additional steps should be necessary from the users perspective"
Vulnerability Discovery Method
==============================
We utilized dynamic analysis of KNOX 1.0.0 to find this vulnerability.
The dynamic analysis was performed using the Xposed framework by inserting
hooks in the code flow requesting Android system services.
We came to the conclusion that KNOX shares the system_server with the normal
Android environment and attempted to "manipulate" a service externally to
impact KNOX internally. We assumed that the certificate verification in SSL
must be performed using a system service and if we could convince that service
to trust our own certificate it would translate to KNOX trusting it as well.
To do this we used the Packet Capture application by Grey Shirts
(https://play.google.com/store/apps/details?id=app.greyshirts.sslcapture&hl=en).
The application installs a custom certificate and creates a VPN connection
allowing it to capture all traffic.
Then we surfed to an https URL from within the KNOX browser, in our case the
Yahoo login page. We entered a username and password and afterwards saw it in
the captured packets in Packet Capture.
To install the Xposed framework we had to root the devices.
- The Galaxy S4 was rooted using a modified version of SafeRoot. We downloaded
the source code of SafeRoot, removed any KNOX-disabling features from it,
recompiled it and used the modified binary to install "SuperSU" on the device.
Using SuperSU we installed Xposed.
- The Galaxy S3 was rooted to begin with by flashing a custom recovery and
kernel, tripping the warranty bit in the process, thus preventing us from
running KNOX. Due to the device being already rooted we installed Xposed on it
and used Xposed to "re-enable" KNOX. We did this by adding hooks to the TIMA
service running in the system_server. We hooked keystoreInstallKey to always
return 0 and keystoreRetrieveKey to always return [0] + [key], with [key]
always being the same 32 bytes. This convinced KNOX that the device isn't
rooted and made it fully functional allowing us to verify the vulnerability on
it as well.
Timeline
========
2015-12-09 Vendor notified
2015-12-28 Vendor permitted vulnerability publication
2016-01-12 CVE number requested
2016-01-16 CVE number assigned
2016-01-16 Public disclosure