1. Advisory Information

Title: Samsung SW Update Tool MiTM
Advisory ID: CORE-2016-0003
Advisory URL: http://www.coresecurity.com/advisories/samsung-sw-update-tool-mitm
Date published: 2016-03-07
Date of last update: 2016-03-04
Vendors contacted: Samsung
Release mode: Coordinated release

2. Vulnerability Information

Class: Cleartext Transmission of Sensitive Information [CWE-319], Insufficient Verification of Data Authenticity [CWE-345]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-pending-assignment-1, CVE-pending-assignment-2

 

3. Vulnerability Description

The Samsung SW Update Tool [1] is a tool that analyzes the system drivers of a computer. You can install relevant software for your computer easier and faster using SW Update. The SW Update program helps you install and update your software and driver easily.

Samsung [2] SW Update Tool is prone to a Men in The Middle attack which could result in integrity corruption of the transferred data, information leak and consequently code execution.

4. Vulnerable Packages

Samsung SW Update Tool 2.2.5.16
Other products and versions might be affected too, but they were not tested.

5. Vendor Information, Solutions and Workarounds

Samsung published a fixed version of Samsung SW Update Tool on their website [1].

6. Credits

This vulnerability was discovered, researched and coordinated by Joaquin Rodriguez Varela from Core Security CoreLabs Team.

 

7. Technical Description / Proof of Concept Code

7.1. Clear text Transmission of Update Information

[CVE-pending-assignment-1] Depending on whether the tool runs on a Samsung machine or not the program behavior will be different. On some Samsung machines it detects automatically the model of hardware and therefore the hardware it uses, on other models or non-Samsung machines it requires the user to specify the model of machine they would like to download drivers for. Several requests are performed once one of this conditions is met, and eventually an XML file is required which will depend on the model detected/selected:

 
GET http://orcaservice.samsungmobile.com/dl/bom/MAX6356A04.XML HTTP/1.1
Host: orcaservice.samsungmobile.com
       
The name of the XML file is the model ID for which the drivers are being requested. In the XML file that is received from the server, there's a tag called 'FURL' that has the URL of the file that is going to be downloaded and executed by the application.

 
<?xml version="1.0" encoding="utf-8"?>
<MaxList>
    <Head>
        <BOMID>MAX6356A04</BOMID>
        <CISCode />
        <Product />
        <Project>Nxxx-15xx</Project>
        <Model>Nike-15R_BBY</Model>
        <DevStep>MP100</DevStep>
        <BaseMRT>MRT63xxxx</BaseMRT>
        <BaseBOM />
        <Region>DNC</Region>
        <OS>DONCR</OS>
        <Language>DNC</Language>
        <ROLString>ALL</ROLString>
        <Date>2012-05-11 8:01:04</Date>
        <Time>2012-05-11 8:01:04</Time>
        <Test>Yes</Test>
    </Head>
    <Item>
        <CISCode>BASW-83294A07</CISCode>
        <ItemType>SOFTWARE</ItemType>
        <DisplayName>Win8-Realtek LAN Driver[Gigabit] 8.4.907.2012-Dock_Dongle_isolate</DisplayName>
        <Region>DNC</Region>
        <OS>W8PR32/W8SL32/W8ST32/W8PR64/W8SL64/W8ST64</OS>
        <Lang>DNC</Lang>
        <ROLString>ALL</ROLString>
        <InstallType>PSTEXE</InstallType>
        <InstallPath>BASW-83294A\BASW-83294A07.ZIP</InstallPath>
        <InstallFile>setup.exe</InstallFile>
        <InstallPara1>-s -f2c:\Setup.log</InstallPara1>
        <InstallPara2>/pbr</InstallPara2>
        <InstallOrgFileSize>10554011</InstallOrgFileSize>
        <InstallFileSize>5406352</InstallFileSize>
        <ImageCate>C2P1</ImageCate>
        <ImageType>GCP</ImageType>
        <ImageSequence>21090</ImageSequence>
        <MediaType>SM1</MediaType>
        <MediaSubCate>ITMRQR</MediaSubCate>
        <MediaSequence>70</MediaSequence>
        <CheckType>DrvVer</CheckType>
        <CheckRoot />
        <VerifyAttribute>8.4.907.2012</VerifyAttribute>
        <VerifyPara1 />
        <VerifyPara2 />
        <System />
        <Selectable>Y</Selectable>
        <AND />
        <XOR />
        <FURL>http://orcaservice.samsungmobile.com/FileDownloader.aspx?FILENAME=BASW-83294A07.ZIP</FURL>
        <MultiLangDisplayName>
            <Default>ENG</Default>
            <Value>
                <Lang>BRA</Lang>
                <Str>Driver de LAN</Str>
            </Value>
            <Value>
                <Lang>CZE</Lang>
                <Str>Ovladač sítě LAN</Str>
            </Value>
            <Value>
                <Lang>DAN</Lang>
                <Str>LAN-driver</Str>
            </Value>
            <Value>
                <Lang>DUT</Lang>
                <Str>LAN-stuurprogramma</Str>
            </Value>
            <Value>
                <Lang>ENG</Lang>
                <Str>LAN Driver</Str>
        ...
        ...
       
Once the application's search process comes to an end, it shows the user the available drivers updates. After downloading the drivers, depending on the functionality mode the software is working, the user can click on the 'Install' button and the binaries are executed (Function 1), or, if running on the "Function 2" mode, the location where the software was saved pops-up in order for the user to execute the downloaded file.

7.1.1. Insufficient Verification of Update Authenticity

[CVE-pending-assignment-2] There is no verification at all performed by the software itself over the downloaded files. There are some "control" parameters inside the XML file:

 
        ...
        ...
        <CheckType>RegVer</CheckType>
        <CheckRoot>HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\infInst</CheckRoot>
        <VerifyAttribute>10.1.1.9</VerifyAttribute>
        <VerifyPara1>Version</VerifyPara1>
        ...
        ...
       
But those "control" parameters can be easily disabled by manipulating the XML file:

 
        ...
        ...
        <CheckType>NoVerify</CheckType>
        <CheckRoot />
        <VerifyAttribute />
        <VerifyPara1 />
        ...
        ...
       
An attacker can easily modify the returning XML file in order to achieve code execution on the victim's machine.

 

8. Report Timeline

2016-01-22: Core Security sent an initial notification to Samsung.
2016-01-25: Samsung replied requesting to hold the publication until they were able to review the vulnerabilities. They sent their public PGP key attached.
2016-01-25: Core Security sent Samsung a draft copy of the advisory.
2016-01-26: Samsung replied they were looking into the issue and that they would keep us updated with their progress.
2016-02-05: Samsung informed they were developing a patch and requested to delay for two more weeks the advisory publication.
2016-02-05: Core Security informed Samsung we didn't mind delaying the release of the disclosure, but we reminded them that is our policy to publish our findings once the patch is released.
2016-02-22: Core Security asked Samsung if they had an estimated date for releasing the patched version of the affected software.
2016-02-25: Samsung replied they had some issues during the final tests of the patch and that they would have the final fix ready by the 3rd of March. They informed they may had to request additional time in case their results came back negative.
2016-03-02: Core Security asked Samsung if they were going to release the fixed version the following day in order to publish the security advisory accordingly.
2016-03-03: Core Security asked Samsung again for a reply.
2016-02-25: Samsung replied the issues identified in Samsung SW Update Tool had been resolved by new patches from early March. Additionally, they mentioned that transitioning to the 'https' protocol on the server side would result in existing users with older version of client-side application with 'http' left unable to connect to the server anymore and consequently they requested 3 additional months to propagate the updated application by also allowing the 'http' protocol on the server side.
2016-03-03: Core Security asked Samsung to confirm if those patches had been already released. If so, we informed them that is our policy to publish our findings, usually in coordination with the affected vendor, once the fixed version of the affected software becomes available. We consider user/customers are safer once they become aware of the potential security issues a device/software could have. We informed them we will be forced to publish our security advisory on Monday 7 of March if the patches had been already released.
2016-03-07: Advisory CORE-2016-0003 published.
9. References

[1] http://orcaservice.samsungmobile.com/SWUpdate.aspx. 
[2] http://www.samsung.com.

10. About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

11. About Core Security Technologies

Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.

12. Disclaimer

The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.