A new vulnerability in Exynos 4-powered devices, which include Samsung's Galaxy S2 and Galaxy S3, was discovered by an XDA forum developer while rooting his Android phone.
The flaw affects both Android tablets and handheld devices running different versions of Android, including 2.x, 4.0, and 4.1.
The worry is that while these are local vulnerabilities, remote exploitation is now within reach because the full source code for the exploits has been released. Most of the affected devices are consumer models, but that doesn't mean corporate employees are not using them at the office for work. Admittedly the threat and risk are a stretch, but the fact that the vulnerability sits on the kernel side and shipped with the units makes it a viable attack surface.
“The flaw is a ‘Privilege Escalation’ vulnerability that exists in the drivers used by the camera and multimedia devices,” Ohad Bobrov, CTO and co-founder of Lacoon Security, told SecurityWeek via email. “By exploiting this vulnerability, the attacker can bypass Android’s permission model and ultimately access various files and sensitive information on the device.”
According to the developer notes, the issue has been confirmed “on any Exynos4-based device” including the Samsung Galaxy S2 (GT-I9100) and Galaxy S3 (GT-I9300 & LTE GT-I9305), the Galaxy Note (GT-N7000), Galaxy Note 2 (GT-N7100), Verizon’s Galaxy Note 2 (SCH-I605) with locked bootloaders, the Galaxy Note 10.1 GT-N8000, and the Galaxy Note 10.1 GT-N8010.
“The good news is we can easily obtain root on these devices and the bad is there is no control over it,” the developer who discovered the flaw explained.
Unfortunately, he added, the downside also means that attackers can download data from the system’s RAM, “kernel code injection and [other types of code injection] could be possible via app installation from Play Store.”
“There certainly exist many ways to do that, but Samsung gives an easy way to exploit. This security hole is dangerous and exposes the phone to malicious apps. Exploitation with native C and JNI could be easily feasible.”
Another developer chimed in on the security risks and noted that any application “can use [the vulnerability] to gain root without asking and without any permissions on a vulnerable device…” adding that a fix was needed ASAP.
SecurityWeek has reached out to Samsung for comments and reactions. We’ll update this story as soon as we hear from them. In the meantime, there is a stop-gap fix available from another developer, the details of which are here.