
Researchers Leverage RKP Module to Bypass Samsung KNOX

Security researchers from Viral Security Group Ltd. have managed to bypass the Samsung KNOX security features by exploiting vulnerabilities that render unpatched devices susceptible to compromise.

To successfully bypass Samsung’s security, the researchers focused on a module called TIMA RKP (Real-time Kernel Protection), which is responsible for defending against kernel exploits. A standard root exploit can subvert the kernel, after which code can be executed in the system user context, researchers say.

According to a paper detailing the experiment, a malicious actor with access to the system account could replace legitimate apps with rogue software that has access to all available permissions, all without the user noticing. Furthermore, the RKP module can be abused to achieve root privileges, and the security researchers even managed to load a kernel module to remount the /system partition as writable.

To subvert the RKP module, the researchers abused the CVE-2015-1805 write-what-where kernel vulnerability, using the open-source exploit implementation dubbed iovyroot. A generic Linux exploit, iovyroot has been devised to leverage said flaw on recent Samsung devices, including Galaxy S6 and Galaxy Note 5, researchers say.

The RKP module, researchers say, has two layers, one interwoven with the Linux kernel, and another residing in the ARM TrustZone as a hypervisor. The RKP was meant to mask and protect certain areas of kernel memory, as it can perform its own checks and validations, hidden and independent of the kernel.

The issue with the RKP was found in a special function, rkp_override_creds, which replaces the regular kernel function override_creds and can be used to temporarily override the current process credentials. By leveraging this function, the researchers tried to achieve root by having the RKP override the credentials with root values, but failed, because “the hypervisor side does not take nicely attempts to override process credentials with root values.” It does, however, accept system values, researchers say.

While still attempting to achieve root, the researchers discovered a file called vmm.elf, which turned out to be the RKP module itself, and were able to find in it the function that would allow them to achieve root. However, the permissions obtained this way were limited, so they turned to loading a kernel module as a means of privilege escalation, an achievable operation because Samsung’s Galaxy S6 allows the insertion of kernel modules.

The modules, however, need to be signed, and the verification is performed by the Mobicore micro-kernel residing in ARM’s TrustZone. Nonetheless, because the verification was triggered only when the lkmauth_bootmode variable was set to BOOTMODE_RECOVERY, the security researchers used a kernel write vulnerability to overwrite the value and disable the signature verification.

“At this point, we could easily load any kernel module we desired,” the researchers note. The three vulnerabilities that allowed for the successful exploitation of Samsung KNOX were collectively named KNOXout. Tracked as CVE-2016-6584, the flaws are privilege escalation issues and have already been disclosed to the vendor.

Some of the remediation solutions proposed by the security researchers include treating system permissions similarly to root; performing the PID check later in the permission-granting process, because RKP grants processes with PID 0 root privileges (which the researchers leveraged); and placing the lkmauth_bootmode variable and the security_ops structure in an RKP-protected, read-only page.
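The two policy decisions described above can be modelled as a weak gate beside a hardened gate. The following C program is an added illustration and is not Samsung’s RKP code or the researchers’ code; every type, constant and function name in it is constructed for the example. The first pair models a credential-override check that blocks only root values versus one that treats system like root, as the remediation proposes; the second pair models a module-loading check that runs signature verification only under one boot-mode value versus one that verifies unconditionally, so that a writable mode flag no longer decides whether verification happens.

```c
/*
 * Added illustration, not Samsung's RKP code: a toy model of the two policy
 * gates the article describes, each as the weak form reported by the
 * researchers beside a hardened form matching their proposed remediation.
 * All identifiers and values here are constructed for the example.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define UID_ROOT   0u
#define UID_SYSTEM 1000u      /* Android's AID_SYSTEM */

struct model_cred {           /* constructed stand-in for the kernel's struct cred */
    uint32_t uid, gid, euid, egid;
};

struct model_cred make_cred(uint32_t id)
{
    struct model_cred c = { id, id, id, id };
    return c;
}

/* Weak gate: refuses an override that introduces root, but lets system through. */
bool weak_override_allowed(const struct model_cred *c)
{
    return c->uid != UID_ROOT && c->gid != UID_ROOT &&
           c->euid != UID_ROOT && c->egid != UID_ROOT;
}

/* Hardened gate: system is treated like root, as the researchers proposed. */
static bool is_privileged_id(uint32_t id)
{
    return id == UID_ROOT || id == UID_SYSTEM;
}

bool hardened_override_allowed(const struct model_cred *c)
{
    return !is_privileged_id(c->uid) && !is_privileged_id(c->gid) &&
           !is_privileged_id(c->euid) && !is_privileged_id(c->egid);
}

/* Module-loading gate.  The article reports that verification ran only when
 * lkmauth_bootmode held BOOTMODE_RECOVERY and that the variable was writable. */
enum model_bootmode { BOOTMODE_NORMAL = 0, BOOTMODE_RECOVERY = 1 };

/* signature_valid stands in for the TrustZone signature check's verdict. */
bool weak_module_accepted(enum model_bootmode mode, bool signature_valid)
{
    if (mode == BOOTMODE_RECOVERY)
        return signature_valid;
    return true;                 /* any other mode value: no verification at all */
}

/* Hardened gate: verification is unconditional, so the mode flag is not a gate. */
bool hardened_module_accepted(enum model_bootmode mode, bool signature_valid)
{
    (void)mode;
    return signature_valid;
}

int main(void)
{
    struct model_cred root = make_cred(UID_ROOT);
    struct model_cred sys  = make_cred(UID_SYSTEM);
    struct model_cred app  = make_cred(10042u);   /* constructed ordinary app uid */

    printf("override to root:   weak=%d hardened=%d\n",
           weak_override_allowed(&root), hardened_override_allowed(&root));
    printf("override to system: weak=%d hardened=%d\n",
           weak_override_allowed(&sys), hardened_override_allowed(&sys));
    printf("override to app:    weak=%d hardened=%d\n",
           weak_override_allowed(&app), hardened_override_allowed(&app));
    printf("unsigned module, mode flag flipped: weak=%d hardened=%d\n",
           weak_module_accepted(BOOTMODE_NORMAL, false),
           hardened_module_accepted(BOOTMODE_NORMAL, false));
    return 0;
}
```

The point of the hardened module gate is that its result depends only on the signature verdict; placing lkmauth_bootmode in a read-only page, as the researchers also propose, removes the second half of the problem by making the flag itself unwritable from a compromised kernel.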

Written By

Ionut Arghire is an international correspondent for SecurityWeek.