[CORE-2016-0003] - Samsung SW Update Tool MiTM
- To: <fulldisclosure@xxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: [CORE-2016-0003] - Samsung SW Update Tool MiTM
- From: CORE Advisories Team <advisories@xxxxxxxxxxxxxxxx>
- Date: Wed, 9 Mar 2016 15:24:38 -0300
1. Advisory Information
Title: Samsung SW Update Tool MiTM
Advisory ID: CORE-2016-0003
Advisory URL: http://www.coresecurity.com/advisories/samsung-sw-update-tool-mitm
Date published: 2016-03-07
Date of last update: 2016-03-04
Vendors contacted: Samsung
Release mode: Coordinated release
2. Vulnerability Information
Class: Cleartext Transmission of Sensitive Information [CWE-319], Insufficient
Verification of Data Authenticity [CWE-345]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-pending-assignment-1, CVE-pending-assignment-2
3. Vulnerability Description
The Samsung SW Update Tool [1] analyzes the system drivers of a computer. Using
SW Update, you can install the relevant software for your computer more easily
and quickly; the program helps you install and update your software and
drivers.
Samsung [2] SW Update Tool is prone to a Man-in-the-Middle attack, which could
result in integrity corruption of the transferred data, information leakage and
consequently code execution.
4. Vulnerable Packages
Samsung SW Update Tool 2.2.5.16
Other products and versions might be affected too, but they were not tested.
5. Vendor Information, Solutions and Workarounds
Samsung published a fixed version of Samsung SW Update Tool on their website
[1].
6. Credits
This vulnerability was discovered, researched and coordinated by Joaquin
Rodriguez Varela from Core Security CoreLabs Team.
7. Technical Description / Proof of Concept Code
7.1. Clear text Transmission of Update Information
[CVE-pending-assignment-1] The program behaves differently depending on whether
or not it runs on a Samsung machine. On some Samsung machines it automatically
detects the hardware model, and therefore the drivers it needs; on other models
and on non-Samsung machines it requires the user to specify the model of machine
for which they would like to download drivers. Once one of these conditions is
met, several requests are performed, and eventually an XML file is requested
whose name depends on the model detected or selected:
GET http://orcaservice.samsungmobile.com/dl/bom/MAX6356A04.XML HTTP/1.1
Host: orcaservice.samsungmobile.com
The name of the XML file is the model ID for which the drivers are being
requested. In the XML file that is received from the server, there's a tag
called 'FURL' that has the URL of the file that is going to be downloaded and
executed by the application.
<?xml version="1.0" encoding="utf-8"?>
<MaxList>
<Head>
<BOMID>MAX6356A04</BOMID>
<CISCode />
<Product />
<Project>Nxxx-15xx</Project>
<Model>Nike-15R_BBY</Model>
<DevStep>MP100</DevStep>
<BaseMRT>MRT63xxxx</BaseMRT>
<BaseBOM />
<Region>DNC</Region>
<OS>DONCR</OS>
<Language>DNC</Language>
<ROLString>ALL</ROLString>
<Date>2012-05-11 8:01:04</Date>
<Time>2012-05-11 8:01:04</Time>
<Test>Yes</Test>
</Head>
<Item>
<CISCode>BASW-83294A07</CISCode>
<ItemType>SOFTWARE</ItemType>
<DisplayName>Win8-Realtek LAN Driver[Gigabit]
8.4.907.2012-Dock_Dongle_isolate</DisplayName>
<Region>DNC</Region>
<OS>W8PR32/W8SL32/W8ST32/W8PR64/W8SL64/W8ST64</OS>
<Lang>DNC</Lang>
<ROLString>ALL</ROLString>
<InstallType>PSTEXE</InstallType>
<InstallPath>BASW-83294A\BASW-83294A07.ZIP</InstallPath>
<InstallFile>setup.exe</InstallFile>
<InstallPara1>-s -f2c:\Setup.log</InstallPara1>
<InstallPara2>/pbr</InstallPara2>
<InstallOrgFileSize>10554011</InstallOrgFileSize>
<InstallFileSize>5406352</InstallFileSize>
<ImageCate>C2P1</ImageCate>
<ImageType>GCP</ImageType>
<ImageSequence>21090</ImageSequence>
<MediaType>SM1</MediaType>
<MediaSubCate>ITMRQR</MediaSubCate>
<MediaSequence>70</MediaSequence>
<CheckType>DrvVer</CheckType>
<CheckRoot />
<VerifyAttribute>8.4.907.2012</VerifyAttribute>
<VerifyPara1 />
<VerifyPara2 />
<System />
<Selectable>Y</Selectable>
<AND />
<XOR />
<FURL>http://orcaservice.samsungmobile.com/FileDownloader.aspx?FILENAME=BASW-83294A07.ZIP</FURL>
<MultiLangDisplayName>
<Default>ENG</Default>
<Value>
<Lang>BRA</Lang>
<Str>Driver de LAN</Str>
</Value>
<Value>
<Lang>CZE</Lang>
<Str>Ovladač sítě LAN</Str>
</Value>
<Value>
<Lang>DAN</Lang>
<Str>LAN-driver</Str>
</Value>
<Value>
<Lang>DUT</Lang>
<Str>LAN-stuurprogramma</Str>
</Value>
<Value>
<Lang>ENG</Lang>
<Str>LAN Driver</Str>
...
...
Once the application's search process comes to an end, it shows the user the
available driver updates. After the drivers are downloaded, depending on the
mode in which the software is operating, either the user clicks the 'Install'
button and the binaries are executed (Function 1), or, in "Function 2" mode,
the folder where the software was saved pops up so that the user can execute
the downloaded file themselves.
7.1.1. Insufficient Verification of Update Authenticity
[CVE-pending-assignment-2] The software itself performs no verification at all
of the downloaded files. There are only some "control" parameters inside the
XML file:
...
...
<CheckType>RegVer</CheckType>
<CheckRoot>HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\infInst</CheckRoot>
<VerifyAttribute>10.1.1.9</VerifyAttribute>
<VerifyPara1>Version</VerifyPara1>
...
...
But those "control" parameters can easily be disabled by manipulating the XML
file:
...
...
<CheckType>NoVerify</CheckType>
<CheckRoot />
<VerifyAttribute />
<VerifyPara1 />
...
...
An attacker can easily modify the XML file returned by the server in order to
achieve code execution on the victim's machine.
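The following added example (written for this page, not code from Core Security or Samsung) parses a manifest in the MaxList format shown above and reports, per item, the two weaknesses described in 7.1 and 7.1.1: a FURL that is not fetched over HTTPS, and a CheckType of NoVerify or an empty verification attribute. The sample manifest is constructed; the second item's values and the example.invalid host are placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample manifest in the MaxList format quoted above: element
# names are the advisory's, the second item's values are made up for the
# example (example.invalid is a placeholder, not a real host).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<MaxList>
  <Head><BOMID>MAX6356A04</BOMID></Head>
  <Item>
    <CISCode>BASW-83294A07</CISCode>
    <CheckType>DrvVer</CheckType>
    <VerifyAttribute>8.4.907.2012</VerifyAttribute>
    <FURL>http://orcaservice.samsungmobile.com/FileDownloader.aspx?FILENAME=BASW-83294A07.ZIP</FURL>
  </Item>
  <Item>
    <CISCode>EXAMPLE-0001</CISCode>
    <CheckType>NoVerify</CheckType>
    <VerifyAttribute />
    <FURL>https://example.invalid/EXAMPLE-0001.ZIP</FURL>
  </Item>
</MaxList>"""


def audit_manifest(xml_text):
    """Return (CISCode, finding) pairs for each item that exhibits one of the
    weaknesses the advisory describes. Note that even a populated CheckType
    only compares installed versions; it never authenticates the payload."""
    findings = []
    # ET.fromstring is fine for this trusted sample; parse untrusted
    # manifests with defusedxml to avoid entity-expansion attacks.
    root = ET.fromstring(xml_text)
    for item in root.iter("Item"):
        code = item.findtext("CISCode", default="?")
        furl = item.findtext("FURL", default="")
        # CWE-319: the payload URL itself is fetched over cleartext HTTP.
        if urlparse(furl).scheme.lower() != "https":
            findings.append((code, "payload URL is not HTTPS: " + furl))
        check = (item.findtext("CheckType") or "").strip()
        attr = (item.findtext("VerifyAttribute") or "").strip()
        # CWE-345: the version check can be switched off in the manifest.
        if check in ("", "NoVerify"):
            findings.append((code, "version check disabled (CheckType=%r)" % check))
        elif not attr:
            findings.append((code, "CheckType %s with empty VerifyAttribute" % check))
    return findings


if __name__ == "__main__":
    for code, finding in audit_manifest(SAMPLE_MANIFEST):
        print(code, "-", finding)
```

Running the audit against a manifest captured from an HTTPS-only, signed update channel should return an empty list; any finding on a live manifest indicates the client is still exposed to the tampering described above.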
8. Report Timeline
2016-01-22: Core Security sent an initial notification to Samsung.
2016-01-25: Samsung replied requesting that publication be held until they were
able to review the vulnerabilities. They sent their public PGP key attached.
2016-01-25: Core Security sent Samsung a draft copy of the advisory.
2016-01-26: Samsung replied that they were looking into the issue and would
keep us updated on their progress.
2016-02-05: Samsung informed us that they were developing a patch and requested
a further two-week delay of the advisory publication.
2016-02-05: Core Security informed Samsung that we didn't mind delaying the
release of the disclosure, but reminded them that it is our policy to publish
our findings once the patch is released.
2016-02-22: Core Security asked Samsung if they had an estimated date for
releasing the patched version of the affected software.
2016-02-25: Samsung replied that they had encountered some issues during the
final tests of the patch and would have the final fix ready by the 3rd of
March. They informed us that they might have to request additional time if
their results came back negative.
2016-03-02: Core Security asked Samsung if they were going to release the fixed
version the following day in order to publish the security advisory accordingly.
2016-03-03: Core Security asked Samsung again for a reply.
2016-02-25: Samsung replied that the issues identified in Samsung SW Update Tool
had been resolved by new patches from early March. Additionally, they mentioned
that transitioning to the 'https' protocol on the server side would leave
existing users of older versions of the client-side application, which use
'http', unable to connect to the server, and consequently they requested 3
additional months to propagate the updated application by continuing to allow
the 'http' protocol on the server side.
2016-03-03: Core Security asked Samsung to confirm whether those patches had
already been released. We informed them that, if so, it is our policy to
publish our findings, usually in coordination with the affected vendor, once
the fixed version of the affected software becomes available. We consider that
users/customers are safer once they become aware of the potential security
issues a device/software could have. We informed them that we would be forced
to publish our security advisory on Monday, 7 March if the patches had already
been released.
2016-03-07: Advisory CORE-2016-0003 published.
9. References
[1] http://orcaservice.samsungmobile.com/SWUpdate.aspx
[2] http://www.samsung.com
10. About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating
the future needs and requirements for information security technologies. We
conduct our research in several important areas of computer security including
system vulnerabilities, cyber attack planning and simulation, source code
auditing, and cryptography. Our results include problem formalization,
identification of vulnerabilities, novel solutions and prototypes for new
technologies. CoreLabs regularly publishes security advisories, technical
papers, project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
11. About Core Security Technologies
Core Security Technologies enables organizations to get ahead of threats with
security test and measurement solutions that continuously identify and
demonstrate real-world exposures to their most critical assets. Our customers
can gain real visibility into their security standing, real validation of their
security controls, and real metrics to more effectively secure their
organizations.
Core Security's software solutions build on over a decade of trusted research
and leading-edge threat expertise from the company's Security Consulting
Services, CoreLabs and Engineering groups. Core Security Technologies can be
reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.
12. Disclaimer
The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015
CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
13. PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories
team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.