Security researchers from Viral Security Group Ltd. have managed to bypass the Samsung KNOX security features by exploiting vulnerabilities that render unpatched devices susceptible to compromise.
To bypass Samsung’s security, the researchers focused on a module called TIMA RKP (Real-time Kernel Protection), which is responsible for defending against kernel exploits. Using a standard root exploit, the kernel can be subverted and code executed in the system user context, researchers say.
According to a paper detailing the experiment, a malicious actor with access to the system account could replace legitimate apps with rogue software that has access to all available permissions, all without the user noticing. Furthermore, the RKP module can be abused to achieve root privileges, and the security researchers even managed to load a kernel module to remount the /system partition as writable.
To subvert the RKP module, the researchers abused the CVE-2015-1805 write-what-where kernel vulnerability, using the open-source exploit implementation dubbed iovyroot. A generic Linux exploit, iovyroot has been devised to leverage said flaw on recent Samsung devices, including Galaxy S6 and Galaxy Note 5, researchers say.
The RKP module, researchers say, has two layers, one interwoven with the Linux kernel, and another residing in the ARM TrustZone as a hypervisor. The RKP was meant to mask and protect certain areas of kernel memory, as it can perform its own checks and validations, hidden and independent of the kernel.
The issue with the RKP was found to be a special function rkp_override_creds, which replaces the regular kernel function override_creds, and which can be used to temporarily override the current process credentials. By leveraging this bug, researchers tried to achieve root by having the RKP override the credentials with root values, but failed, because “the hypervisor side does not take nicely attempts to override process credentials with root values.” However, it does accept system values, researchers say.
While still attempting to achieve root, the researchers discovered a file called vmm.elf, which turned out to be the RKP module itself, and were able to find in it the function that would allow them to achieve root. However, they found that the permissions obtained this way were limited, and that loading a kernel module would provide the remaining privilege escalation, which was feasible because Samsung’s Galaxy S6 allows kernel modules to be inserted.
The modules, however, need to be signed, and the verification is performed by the Mobicore micro-kernel residing in ARM’s TrustZone. Nonetheless, because the verification was triggered only when the lkmauth_bootmode variable was set to BOOTMODE_RECOVERY, the security researchers used the kernel write vulnerability to overwrite that value and disable the signature verification.
“At this point, we could easily load any kernel module we desired,” the researchers note. The three vulnerabilities that allowed for the successful exploitation of Samsung KNOX were named KNOXout. Tracked as CVE-2016-6584, the flaws are privilege escalation issues and have already been disclosed to the vendor.
Some of the remediation measures proposed by the security researchers include treating system permissions in the same way as root; performing the PID check later in the permission-granting process, because RKP grants root privileges to processes with PID 0 (which the researchers leveraged); and placing the lkmauth_bootmode variable and the security_ops structure in an RKP-protected, read-only page.
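The two design weaknesses the article describes, a credential-override policy that refuses root but accepts system and a module signature check gated on a writable kernel variable, and the remediation advice above can be illustrated with a small user-space model. The following C program is an added example written for this page; it is not code from the researchers' paper or from Samsung's RKP, and every function, structure and the toy "signature" in it are hypothetical stand-ins for the real hypervisor and Mobicore logic. Each policy appears in a weak form that mirrors the behaviour the article reports and a hardened form that follows the proposed remediation (privileged uids handled alike, the PID exemption evaluated only after the requested credentials are validated, and module verification that does not depend on a mutable mode switch).

```c
/* Added example (hypothetical model, not RKP or paper code): weak versus
 * hardened versions of two policy decisions described in the article. */
#include <stdio.h>
#include <stddef.h>

#define ROOT_UID          0
#define SYSTEM_UID        1000   /* Android's system uid */
#define BOOTMODE_NORMAL   0      /* hypothetical value */
#define BOOTMODE_RECOVERY 1      /* name taken from the article; value assumed */
#define BLOB_LEN          6

struct creds { unsigned pid; unsigned uid; };

/* ---- credential override -------------------------------------------- */

/* Weak: the PID 0 exemption is applied before the requested uid is looked
 * at, and only uid 0 is refused, so a request for the system uid succeeds. */
int weak_allow_override(const struct creds *caller, unsigned new_uid)
{
    if (caller->pid == 0) return 1;        /* exemption short-circuits */
    if (new_uid == ROOT_UID) return 0;     /* root refused ... */
    return 1;                              /* ... system accepted */
}

static int is_privileged_uid(unsigned uid)
{
    return uid == ROOT_UID || uid == SYSTEM_UID;
}

/* Hardened: root and system are treated alike and refused for every caller;
 * the PID exemption runs only after that, so it can relax the (hypothetical)
 * "keep your own uid" rule but never hand out privileged credentials. */
int hardened_allow_override(const struct creds *caller, unsigned new_uid)
{
    if (is_privileged_uid(new_uid)) return 0;   /* validate target first */
    if (caller->pid == 0) return 1;             /* exemption checked later */
    return caller->uid == new_uid;              /* hypothetical stand-in rule */
}

/* ---- kernel module authentication ----------------------------------- */

/* Toy signature, constructed for this model: the last byte must equal the
 * XOR of all preceding bytes. It stands in for the real signature check. */
int toy_signature_ok(const unsigned char *blob, size_t len)
{
    unsigned char x = 0;
    if (len < 2) return 0;
    for (size_t i = 0; i + 1 < len; i++) x ^= blob[i];
    return x == blob[len - 1];
}

/* Weak: verification only happens in one boot mode, read from a variable
 * that ordinary kernel memory writes can change; any other value fails open. */
int weak_load_module(int lkmauth_bootmode, const unsigned char *blob, size_t len)
{
    if (lkmauth_bootmode == BOOTMODE_RECOVERY)
        return toy_signature_ok(blob, len);
    return 1;                              /* no verification performed */
}

/* Hardened: the signature is always checked; no mode variable is consulted,
 * so there is nothing for a kernel write primitive to flip. (The article's
 * other suggestion, keeping such variables in a read-only page, is the
 * complementary control when a mode switch genuinely is needed.) */
int hardened_load_module(const unsigned char *blob, size_t len)
{
    return toy_signature_ok(blob, len);
}

/* Constructed sample blobs: 0x31 is the XOR of the first five bytes. */
const unsigned char signed_blob[BLOB_LEN]   = { 0x7f, 'E', 'L', 'F', 0x01, 0x31 };
const unsigned char unsigned_blob[BLOB_LEN] = { 0x7f, 'E', 'L', 'F', 0x01, 0x00 };

int main(void)
{
    struct creds user = { 42, 2000 };
    struct creds pid0 = { 0, 2000 };

    printf("weak:     user -> system granted? %d\n", weak_allow_override(&user, SYSTEM_UID));
    printf("hardened: user -> system granted? %d\n", hardened_allow_override(&user, SYSTEM_UID));
    printf("weak:     pid0 -> root granted?   %d\n", weak_allow_override(&pid0, ROOT_UID));
    printf("hardened: pid0 -> root granted?   %d\n", hardened_allow_override(&pid0, ROOT_UID));
    printf("weak loader, bootmode flipped, unsigned blob loaded? %d\n",
           weak_load_module(BOOTMODE_NORMAL, unsigned_blob, BLOB_LEN));
    printf("hardened loader, unsigned blob loaded? %d\n",
           hardened_load_module(unsigned_blob, BLOB_LEN));
    return 0;
}
```

The point of the model is fail-closed ordering: validate the requested credentials before any exemption is consulted, and never make a security check conditional on state that the code it protects can write. Both weaknesses are design issues rather than memory-safety bugs, which is why they remain exploitable by any fresh kernel write primitive until the policy itself changes.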