
[FD] [CORE-2016-0003] - Samsung SW Update Tool MiTM



1. Advisory Information

Title: Samsung SW Update Tool MiTM
Advisory ID: CORE-2016-0003
Advisory URL: http://www.coresecurity.com/advisories/samsung-sw-update-tool-mitm
Date published: 2016-03-07
Date of last update: 2016-03-04
Vendors contacted: Samsung
Release mode: Coordinated release

2. Vulnerability Information

Class: Cleartext Transmission of Sensitive Information [CWE-319], Insufficient 
Verification of Data Authenticity [CWE-345]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-pending-assignment-1, CVE-pending-assignment-2


3. Vulnerability Description

The Samsung SW Update Tool [1] is a tool that analyzes the system drivers of a 
computer. Using SW Update, you can install relevant software for your computer 
more easily and quickly. The SW Update program helps you install and update 
your software and drivers easily.

Samsung [2] SW Update Tool is prone to a Man-in-the-Middle attack which could 
result in integrity corruption of the transferred data, information leakage and 
consequently code execution.

4. Vulnerable Packages

Samsung SW Update Tool 2.2.5.16
Other products and versions might be affected too, but they were not tested.

5. Vendor Information, Solutions and Workarounds

Samsung published a fixed version of Samsung SW Update Tool on their website 
[1].

6. Credits

This vulnerability was discovered, researched and coordinated by Joaquin 
Rodriguez Varela from Core Security CoreLabs Team.


7. Technical Description / Proof of Concept Code

7.1. Cleartext Transmission of Update Information

[CVE-pending-assignment-1] The program behaves differently depending on whether 
or not it runs on a Samsung machine. On some Samsung machines it automatically 
detects the model, and therefore the hardware it uses; on other models and on 
non-Samsung machines it requires the user to specify the model of machine they 
would like to download drivers for. Once one of these conditions is met, 
several requests are performed, and eventually an XML file whose name depends 
on the detected/selected model is requested:

GET http://orcaservice.samsungmobile.com/dl/bom/MAX6356A04.XML HTTP/1.1
Host: orcaservice.samsungmobile.com
       
The name of the XML file is the model ID for which the drivers are being 
requested. In the XML file received from the server there is a tag called 
'FURL' that holds the URL of the file that is going to be downloaded and 
executed by the application.

<?xml version="1.0" encoding="utf-8"?>
<MaxList>
    <Head>
        <BOMID>MAX6356A04</BOMID>
        <CISCode />
        <Product />
        <Project>Nxxx-15xx</Project>
        <Model>Nike-15R_BBY</Model>
        <DevStep>MP100</DevStep>
        <BaseMRT>MRT63xxxx</BaseMRT>
        <BaseBOM />
        <Region>DNC</Region>
        <OS>DONCR</OS>
        <Language>DNC</Language>
        <ROLString>ALL</ROLString>
        <Date>2012-05-11 8:01:04</Date>
        <Time>2012-05-11 8:01:04</Time>
        <Test>Yes</Test>
    </Head>
    <Item>
        <CISCode>BASW-83294A07</CISCode>
        <ItemType>SOFTWARE</ItemType>
        <DisplayName>Win8-Realtek LAN Driver[Gigabit] 8.4.907.2012-Dock_Dongle_isolate</DisplayName>
        <Region>DNC</Region>
        <OS>W8PR32/W8SL32/W8ST32/W8PR64/W8SL64/W8ST64</OS>
        <Lang>DNC</Lang>
        <ROLString>ALL</ROLString>
        <InstallType>PSTEXE</InstallType>
        <InstallPath>BASW-83294A\BASW-83294A07.ZIP</InstallPath>
        <InstallFile>setup.exe</InstallFile>
        <InstallPara1>-s -f2c:\Setup.log</InstallPara1>
        <InstallPara2>/pbr</InstallPara2>
        <InstallOrgFileSize>10554011</InstallOrgFileSize>
        <InstallFileSize>5406352</InstallFileSize>
        <ImageCate>C2P1</ImageCate>
        <ImageType>GCP</ImageType>
        <ImageSequence>21090</ImageSequence>
        <MediaType>SM1</MediaType>
        <MediaSubCate>ITMRQR</MediaSubCate>
        <MediaSequence>70</MediaSequence>
        <CheckType>DrvVer</CheckType>
        <CheckRoot />
        <VerifyAttribute>8.4.907.2012</VerifyAttribute>
        <VerifyPara1 />
        <VerifyPara2 />
        <System />
        <Selectable>Y</Selectable>
        <AND />
        <XOR />
        <FURL>http://orcaservice.samsungmobile.com/FileDownloader.aspx?FILENAME=BASW-83294A07.ZIP</FURL>
        <MultiLangDisplayName>
            <Default>ENG</Default>
            <Value>
                <Lang>BRA</Lang>
                <Str>Driver de LAN</Str>
            </Value>
            <Value>
                <Lang>CZE</Lang>
                <Str>Ovladač sítě LAN</Str>
            </Value>
            <Value>
                <Lang>DAN</Lang>
                <Str>LAN-driver</Str>
            </Value>
            <Value>
                <Lang>DUT</Lang>
                <Str>LAN-stuurprogramma</Str>
            </Value>
            <Value>
                <Lang>ENG</Lang>
                <Str>LAN Driver</Str>
        ...
        ...
       
Once the application's search process comes to an end, it shows the user the 
available driver updates. After downloading the drivers, depending on the mode 
the software is running in, either the user can click on the 'Install' button 
and the binaries are executed (Function 1), or, when running in "Function 2" 
mode, the location where the software was saved pops up so that the user can 
execute the downloaded file.
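As an added example, not code from the advisory or from Samsung's tool, the following Python parses a BOM manifest of the shape quoted above and reports the two conditions the advisory describes: an FURL fetched over cleartext HTTP, and a CheckType of NoVerify. The sample manifest is constructed, trimmed from the structure shown above, with a second, hypothetical item (HYPO-00000001, host updates.example.invalid) added only to show what a TLS-served entry looks like; the function names are mine.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample, trimmed to the shape of the BOM XML quoted in the advisory.
# The second <Item> is hypothetical and only serves to show a TLS-served entry.
SAMPLE_BOM = """<?xml version="1.0" encoding="utf-8"?>
<MaxList>
    <Head>
        <BOMID>MAX6356A04</BOMID>
        <Model>Nike-15R_BBY</Model>
    </Head>
    <Item>
        <CISCode>BASW-83294A07</CISCode>
        <ItemType>SOFTWARE</ItemType>
        <DisplayName>Win8-Realtek LAN Driver[Gigabit] 8.4.907.2012-Dock_Dongle_isolate</DisplayName>
        <InstallType>PSTEXE</InstallType>
        <InstallPath>BASW-83294A\\BASW-83294A07.ZIP</InstallPath>
        <InstallFile>setup.exe</InstallFile>
        <InstallPara1>-s -f2c:\\Setup.log</InstallPara1>
        <InstallPara2>/pbr</InstallPara2>
        <CheckType>DrvVer</CheckType>
        <VerifyAttribute>8.4.907.2012</VerifyAttribute>
        <FURL>http://orcaservice.samsungmobile.com/FileDownloader.aspx?FILENAME=BASW-83294A07.ZIP</FURL>
    </Item>
    <Item>
        <CISCode>HYPO-00000001</CISCode>
        <ItemType>SOFTWARE</ItemType>
        <DisplayName>Hypothetical item served over TLS</DisplayName>
        <InstallType>PSTEXE</InstallType>
        <InstallFile>setup.exe</InstallFile>
        <CheckType>NoVerify</CheckType>
        <FURL>https://updates.example.invalid/FileDownloader.aspx?FILENAME=HYPO-00000001.ZIP</FURL>
    </Item>
</MaxList>
"""


def parse_bom_manifest(xml_text: str) -> dict:
    """Extract the fields the updater acts on: what to fetch, what to run, how it 'checks'."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    head = root.find("Head")
    items = []
    for node in root.findall("Item"):
        args = [node.findtext(tag, "") for tag in ("InstallPara1", "InstallPara2")]
        items.append({
            "cis_code": node.findtext("CISCode", ""),
            "display_name": node.findtext("DisplayName", ""),
            "furl": node.findtext("FURL", ""),
            "install_file": node.findtext("InstallFile", ""),
            "install_args": [a for a in args if a],
            "check_type": node.findtext("CheckType", ""),
        })
    bom_id = head.findtext("BOMID", "") if head is not None else ""
    return {"bom_id": bom_id, "items": items}


def audit_manifest(manifest: dict) -> list:
    """Return (cis_code, finding, detail) tuples for each item the updater would trust unsafely."""
    findings = []
    for item in manifest["items"]:
        scheme = urlsplit(item["furl"]).scheme.lower()
        if scheme != "https":
            findings.append((item["cis_code"], "cleartext-transport",
                             "FURL scheme is %r; %s is fetched and executed without transport protection"
                             % (scheme, item["install_file"])))
        if item["check_type"].strip().lower() == "noverify":
            findings.append((item["cis_code"], "no-verification",
                             "CheckType disables the only client-side check on the payload"))
    return findings


if __name__ == "__main__":
    manifest = parse_bom_manifest(SAMPLE_BOM)
    print("BOM", manifest["bom_id"], "items:", len(manifest["items"]))
    for cis_code, finding, detail in audit_manifest(manifest):
        print("%-14s %-20s %s" % (cis_code, finding, detail))
```

Run against the constructed sample, the first item is reported for cleartext transport (the condition behind CVE-pending-assignment-1) and the hypothetical second item for NoVerify; an item served over TLS with its check left in place produces no finding. The same audit can be run over a manifest captured from a proxy log to see what an updater would fetch and execute.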

7.1.1. Insufficient Verification of Update Authenticity

[CVE-pending-assignment-2] There is no verification at all performed by the 
software itself on the downloaded files. There are some "control" parameters 
inside the XML file:

        ...
        ...
        <CheckType>RegVer</CheckType>
        <CheckRoot>HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\infInst</CheckRoot>
        <VerifyAttribute>10.1.1.9</VerifyAttribute>
        <VerifyPara1>Version</VerifyPara1>
        ...
        ...
       
But those "control" parameters can be easily disabled by manipulating the XML 
file:

        ...
        ...
        <CheckType>NoVerify</CheckType>
        <CheckRoot />
        <VerifyAttribute />
        <VerifyPara1 />
        ...
        ...
       
An attacker can easily modify the returning XML file in order to achieve code 
execution on the victim's machine.
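As an added example, not code from the advisory or from Samsung's tool, the following Python shows the verification policy an updater needs so that a rewritten manifest cannot lead to execution: the integrity check is anchored in a digest the client already holds, keyed by CISCode, and the manifest's own CheckType/CheckRoot/VerifyAttribute fields are never consulted, because they travel in the same document an attacker in the path can rewrite. The payloads, the pinned digest table and the https host (updates.example.invalid) are constructed; the function names are mine. The cleartext FURL in the manipulated entry is the one quoted in the advisory.

```python
import hashlib
import hmac
from urllib.parse import urlsplit


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed payloads standing in for the ZIP the updater downloads and runs.
GENUINE_PAYLOAD = b"constructed stand-in for the genuine BASW-83294A07.ZIP"
SWAPPED_PAYLOAD = b"constructed stand-in for a payload substituted in transit"

# Trust anchor that lives in the client (shipped with it, or received over an
# authenticated channel), keyed by CISCode. Nothing inside the fetched manifest
# can alter it, which is exactly what the manifest's own CheckType fields lack.
PINNED_DIGESTS = {"BASW-83294A07": sha256_hex(GENUINE_PAYLOAD)}


def authorize_install(item: dict, payload: bytes, pinned: dict = PINNED_DIGESTS) -> tuple:
    """Decide whether a downloaded payload may be executed.

    Returns (allowed, reason). CheckType, CheckRoot and VerifyAttribute are
    deliberately not read: they arrive in the same manifest an attacker in the
    path can rewrite, so they cannot serve as the integrity check.
    """
    if urlsplit(item.get("furl", "")).scheme.lower() != "https":
        return False, "refusing cleartext FURL"
    expected = pinned.get(item.get("cis_code", ""))
    if expected is None:
        return False, "no pinned digest for this item"
    # Constant-time comparison of the hex digests.
    if not hmac.compare_digest(sha256_hex(payload), expected):
        return False, "payload digest mismatch"
    return True, "payload matches pinned digest"


# Manifest entries as the updater would see them (constructed; the https host is hypothetical).
GENUINE_ITEM = {
    "cis_code": "BASW-83294A07",
    "furl": "https://updates.example.invalid/FileDownloader.aspx?FILENAME=BASW-83294A07.ZIP",
    "check_type": "DrvVer",
}
# The same entry after the manipulation the advisory describes: the check switched
# to NoVerify, with the cleartext FURL quoted in the advisory.
MANIPULATED_ITEM = {
    "cis_code": "BASW-83294A07",
    "furl": "http://orcaservice.samsungmobile.com/FileDownloader.aspx?FILENAME=BASW-83294A07.ZIP",
    "check_type": "NoVerify",
}


def run_scenarios() -> dict:
    """Exercise the policy against the cases a defender cares about."""
    tls_noverify = dict(GENUINE_ITEM, check_type="NoVerify")
    return {
        "genuine": authorize_install(GENUINE_ITEM, GENUINE_PAYLOAD),
        "swapped_payload": authorize_install(GENUINE_ITEM, SWAPPED_PAYLOAD),
        "manipulated_manifest": authorize_install(MANIPULATED_ITEM, SWAPPED_PAYLOAD),
        "noverify_over_tls": authorize_install(tls_noverify, SWAPPED_PAYLOAD),
        "unknown_item": authorize_install(dict(GENUINE_ITEM, cis_code="UNKNOWN-0000"), GENUINE_PAYLOAD),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in run_scenarios().items():
        print("%-22s %-7s %s" % (name, "ALLOW" if allowed else "REFUSE", reason))
```

Only the genuine payload fetched over TLS is allowed; a swapped payload, a manifest with its checks disabled, and an item the client has no digest for are all refused, and the NoVerify flag changes nothing because the decision never reads it. In a production updater the pinned digests would themselves come from a manifest signed with a key embedded in the client; the point shown here is that the trust anchor must live on the client side rather than in the fetched XML.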


8. Report Timeline

2016-01-22: Core Security sent an initial notification to Samsung.
2016-01-25: Samsung replied requesting to hold the publication until they were 
able to review the vulnerabilities. They sent their public PGP key attached.
2016-01-25: Core Security sent Samsung a draft copy of the advisory.
2016-01-26: Samsung replied they were looking into the issue and that they 
would keep us updated with their progress.
2016-02-05: Samsung informed us they were developing a patch and requested a 
two-week delay of the advisory publication.
2016-02-05: Core Security informed Samsung we didn't mind delaying the release 
of the disclosure, but we reminded them that it is our policy to publish our 
findings once the patch is released.
2016-02-22: Core Security asked Samsung if they had an estimated date for 
releasing the patched version of the affected software.
2016-02-25: Samsung replied they had some issues during the final tests of the 
patch and that they would have the final fix ready by the 3rd of March. They 
informed us they might have to request additional time in case their results 
came back negative.
2016-03-02: Core Security asked Samsung if they were going to release the fixed 
version the following day in order to publish the security advisory accordingly.
2016-03-03: Core Security asked Samsung again for a reply.
2016-02-25: Samsung replied that the issues identified in Samsung SW Update Tool 
had been resolved by new patches from early March. Additionally, they mentioned 
that transitioning to the 'https' protocol on the server side would leave 
existing users with older versions of the client-side application using 'http' 
unable to connect to the server anymore, and consequently they requested 3 
additional months to propagate the updated application by also allowing the 
'http' protocol on the server side.
2016-03-03: Core Security asked Samsung to confirm whether those patches had 
already been released. If so, we informed them that it is our policy to publish 
our findings, usually in coordination with the affected vendor, once the fixed 
version of the affected software becomes available. We consider that 
users/customers are safer once they become aware of the potential security 
issues a device/software could have. We informed them we would be forced to 
publish our security advisory on Monday 7 March if the patches had already been 
released.
2016-03-07: Advisory CORE-2016-0003 published.

9. References

[1] http://orcaservice.samsungmobile.com/SWUpdate.aspx
[2] http://www.samsung.com

10. About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating 
the future needs and requirements for information security technologies. We 
conduct our research in several important areas of computer security including 
system vulnerabilities, cyber attack planning and simulation, source code 
auditing, and cryptography. Our results include problem formalization, 
identification of vulnerabilities, novel solutions and prototypes for new 
technologies. CoreLabs regularly publishes security advisories, technical 
papers, project information and shared software tools for public use at: 
http://corelabs.coresecurity.com.

11. About Core Security Technologies

Core Security Technologies enables organizations to get ahead of threats with 
security test and measurement solutions that continuously identify and 
demonstrate real-world exposures to their most critical assets. Our customers 
can gain real visibility into their security standing, real validation of their 
security controls, and real metrics to more effectively secure their 
organizations.

Core Security's software solutions build on over a decade of trusted research 
and leading-edge threat expertise from the company's Security Consulting 
Services, CoreLabs and Engineering groups. Core Security Technologies can be 
reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.

12. Disclaimer

The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 
CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial 
Share-Alike 3.0 (United States) License: 
http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. PGP/GPG Keys

This advisory has been signed with the GPG key of the Core Security advisories 
team, which is available for download at 
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/