[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[CVE-2016-3996]KNOX clipboard data disclosure KNOX 1.0 - KNOX 2.3 / Android
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: [CVE-2016-3996]KNOX clipboard data disclosure KNOX 1.0 - KNOX 2.3 / Android
- From: urikanonov@xxxxxxxxx
- Date: Sat, 16 Apr 2016 16:42:55 GMT
Subject: [CVE-2016-3996]KNOX clipboard data disclosure KNOX 1.0 - KNOX 2.3 /
Android
Vulnerability Description
=========================
The vulnerability allows disclosure of Clipboard data of Samsung KNOX 1.0 and
2.3 containers.
On KNOX-enabled devices there exists a proprietary service called clipboardEx
which provides access to both the KNOX clipboard and the Android clipboard.
The implementation is divided into two:
1. Client: Each app that wants to use the clipboard uses the client class
android.sec.clipboard.ClipboardExManager to connect to the service
2. Server: This service runs in the system_server and is implemented by
com.android.server.sec.InternalClipboardExService
The following description is for KNOX 1.0.0, whereas the design in KNOX 2.3.0
is very similar and the differences will be noted at the end of this section.
- Server
The InternalClipboardExService has two important members:
* int mContainerID: The current container (mode) to which the clipboard
is set. Zero is outside world and and anything except zero is KNOX. This member
is initialized to zero.
* ClipboardDataMgr mDataList: A class managing the clipboard data.
Located in framework2.
Each API call that involves retrieving clipboard data uses the mDataList as the
clipboard.
An important method of the service is UpdateClipboardDB. Calling the method
updates the mContainerID member and calls
mDataList.UpdateClipboardDB(mContainerID), updating the clipboard to the new
mode.
The problem is that UpdateClipboardDB doesn't check who's the caller, i.e.
Anyone that knows about the service can bind to it and call this method.
The ClipboardDataMgr internally uses a
android.sec.clipboard.data.file.FileManager to access clipboard data.
The clipboard data is persistent and is stored under /data/clipboard (Android)
and /data/clipboard/knox (for KNOX).
All files/dirs are owned by system. Dirs are world-listable but all files
underneath are only system-accessible.
Both the Android and KNOX clipboard data is stored unencrypted.
- Client
The client-side ClipboardExManager Provides the API to query the clipboardEx
service.
The code for ClipboardExManager doesn't come with the SDK but is located in
framework2.jar/odex under /system/framework.
In the beginning of each method the ClipboardExManager obtains an instance of
android.sec.clipboard.IClipboardService and uses it to perform the API call.
IClipboardService is the AIDL-generated binder wrapper for the clipboardEx API
For example, getting the clipboard size: a call to
ClipboardExManager.getDataListSize() would result in a call to
IClipboardService.getDataSize().
However, before each call to the IClipboardService method, ClipboardExManager
calls checkCurrentMode() which among other things calls
IClipboardService.UpdateClipboardDB(0), setting the mContainerId of the server
to 0, thus not allowing access to KNOX clipboard.
It is noteworthy that ClipboardExManager doesn't provide a public API to
UpdateClipboardDB.
- The Attack
In order for an attacker to get access to the KNOX clipboard all that is needed
is for the service to have mContainerID != 0.
The following defences are in an attacker's way:
1. The ClipboardExManager is not in the SDK so its harder to use
2. The IClipboardService.UpdateClipboardDB isn't exported from
ClipboardExManager
3. Each API call via ClipboardExManager performs checkCurrentMode() to reset
the service to the appropriate container ID
These protections can be easily bypassed:
1. Extracting framework2.jar/odex from a device/ROM, studying it and using it
2. Calling via reflection the private static method
ClipboardExManager.getService to get an IClipboardService instance
3. Using the APIs in IClipboardService directly instead of the wrapper methods
in ClipboardExManager to avoid the calls to checkCurrentMode()
Following is code exploiting the vulnerability:
[---- Code Start ----]
Class<ClipboardExManager> clipExMngClass = ClipboardExManager.class;
Method getService = clipExMngClass.getDeclaredMethod("getService");
getService.setAccessible(true);
IClipboardService clipService = (IClipboardService)getService.invoke(null);
clipboardService.UpdateClipboardDB(1); // Set knox mode
int size = clipService.getDataSize();
System.out.println("size = " + size);
ClipboardData data = clipService.GetClipboardData(1);
System.out.println("data = " + data);
ArrayList<String> clipedStrings = clipService.getClipedStrings(0, 100);
System.out.println("clipedStrings.size() = " + clipedStrings.size());
System.out.println("clipedStrings = " + clipedStrings);
[---- Code End ----]
On KNOX 2.3.0 the ``simple'' attack doesn't work due to security measures added
to the clipboardEx service.
However, the attack does work when launched from a newly created activity while
KNOX is running in the background.
During activity launch, for a short time, due to a race condition, the
clipboardEx enters a vulnerable state during which a user application can
obtain the contents of the KNOX clipboard.
After this short period (approx. 10 seconds) the service refuses to disclose
the KNOX keyboard contents as it manages to identify that it is being queried
outside KNOX.
The scenario in which the attack works:
1. Two malicious applications are installed, A and B.
2. Application A runs in the user environment in the background (e.g., using a
service).
3. KNOX is unlocked and brought to the foreground.
4. Application A launches an activity in application B.
5. Application B's activity obtains the KNOX clipboard in its onCreate method
and calls finish() to close the GUI.
Affected System Configurations
==============================
We have tested and verified the vulnerability on the following devices,
however, we believe that ALL Samsung devices running KNOX 1.0.0 are vulnerable :
1. Samsung Galaxy S3
- Model Number: GT-I9305
- Android Version: 4.3
- Kernel Version: 3.0.31-2051278 dpi@DELL323 #1
- Build Number: JSS15J.I9305XXUEML8
- KNOX Version: 1.0.0
- State: Rooted, via flashing a custom recovery and kernel. KNOX warranty bit
tripped, technically disabling KNOX. KNOX was re-enabled (fully functional)
using root capabilities
2. Samsung Galaxy S4
- Model Number: GT-I9505
- Android Version: 4.3
- Kernel Version: 3.4.0-1869009 se.infra@SEP-106 #1
- Build Number: XXUEMJ5.CCOM
- KNOX Version: 1.0.0
- State: Rooted using SafeRoot. KNOX warranty bit not tripped, KNOX fully
functional
The KNOX 2.3 vulnerability was tested and verified on the following device,
however, we believe that ALL Samsung devices running KNOX 2.3 are vulnerable:
1. Samsung Note 3
- Model Number: SM-N9005
- Android Version: 5.0
- Kernel Version: 3.4.0-4540543 dpi@SWDD3013 #1
- Build Number LRX21V.N90055XXUGBOJ6
- KNOX:
- Version: 2.3
- Standard SDK: 5.3.0
- Premium SDK: 2.3.0
- Customization SDK: 2.0.0
- Container: 2.3.0
- CEP: 2.0.1
- Enterprise Billing: 1.0.0
- SE for Android: 2.3.0
- SSO: 2.1.1
- TIMA: 3.0
- VPN: 2.2.0
- State: Not rooted
Vulnerability Impact
====================
Prerequisites:
- Code execution capabilities without any permissions (normal application)
Attack:
- KNOX 1.0: Run the exploit code from any application regardless of whether
KNOX is in the foreground, background or even unlocked.
- KNOX 2.3: Run attacker's code in the backround while KNOX is running in the
foreground and launch an activity. Run the exploit code from the new activity.
Implications:
1. Any application without any permissions can obtain the contents of the KNOX
clipboard.
2. A root/system user can simply read the persistent clipboard data from
/data/clipboard/knox without having to know the user's password (due to lack of
encryption).
Mitigation:
- Users of KNOX 1.x should update to the latest version of KNOX 2.x.
- Samsung are already distributing an update for KNOX 2.x patching this
vulnerability.
Vendor Contact
==============
We contacted Samsung on December 9th, 2015 and have had detailed email
exchanges with the vendor regarding this vulnerability.
The highlights of the vendor's responses are:
- "Devices that are KNOX capable can be updated via the Maintenance Release
process. KNOX 1.0 containers will automatically upgrade to the newer KNOX 2.x
technology when the update is applied"
- "Updating a KNOX 1.0 device to support KNOX 2.x would involve upgrading its
Android version to at least Android 4.4"
- "Following your instructions, we were able to reproduce and isolate the race
condition responsible for the vulnerability you identified. We are working on a
patch that eliminates the possibility of such race conditions allowing access
to clipboard data, and will be deploying it to affected models as a security
update"
- "We started rolling out the remedy to the users since March of this year, and
we are continuing to expand the release to more carriers."
Vulnerability Discovery Method
==============================
We combined both static and dynamic analysis of KNOX 1.0.0 and KNOX 2.3 to find
this vulnerability.
The static analysis consisted of reverse-engineering KNOX 1.0.0 / 2.3 binaries
taken from the aforementioned devices (due to KNOX being closed source).
We extracted the .odex / .jar / .apk files of services and framework2 (the code
of the system_server) and performed the following:
- De-odexed them using the Universal Deodexer to obtain .dex files.
- Converted the .dex files to .jar files (containing .class files) using
dex2jar.
- Disassembled the .jar files using jd-gui.
- Analyzed the code of clipboardEx and client classes in framework2.
Dynamic analysis was performed via a proof-of-concept based on our
understanding of the clipboardEx client and server code. To compile the code we
used the framework2.jar we obtained (by using dex2jar).
Timeline
========
2015-12-09 Vendor notified
2015-12-24 Vendor requested to hold off publication to give it time to prepare
a patch
2016-04-10 CVE number requested
2016-04-11 CVE number assigned
2016-04-11 Notification from vendor that patches are been distributed since
march. Green light for publication.
2016-04-16 Public disclosure