exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Samsung OTP OTP_GET_CRYPTO_DERIVED_KEY Buffer Overflow

Samsung OTP OTP_GET_CRYPTO_DERIVED_KEY Buffer Overflow
Posted Jan 3, 2017
Authored by Google Security Research, laginimaineb

Stack buffer overflow and information disclosure vulnerabilities exist in the Samsung OTP TrustZone trustlet via OTP_GET_CRYPTO_DERIVED_KEY.

tags | advisory, overflow, vulnerability, info disclosure
SHA-256 | 4be8f76a129448aa3f0cabbae41989cd16d89dc95b8f9b129a48d198c0e109be

Samsung OTP OTP_GET_CRYPTO_DERIVED_KEY Buffer Overflow

Change Mirror Download
 Stack buffer overflow and information disclosure in OTP TrustZone trustlet via OTP_GET_CRYPTO_DERIVED_KEY 




As a part of the KNOX extensions available on Samsung devices, Samsung provides a TrustZone trustlet which allows the generation of OTP tokens.

The tokens are generated in a TrustZone application within the TEE (UID: fffffffff0000000000000000000001e), which can be communicated with using the "OTP" service, published by "otp_server".

The command "OTP_GET_CRYPTO_DERIVED_KEY" allows the user to generate a key using a KDF which is based on a previously unwrapped OTP token. However, after unwrapping the supplied OTP token, the command fails to validate the derived key length field (at offset 1128 in the request buffer). This argument is then passed on to the KDF, and may be arbitrarily large.

Supplying a large value for the derived key length field will cause the KDF function to overwrite the destination buffer with the derived key bytes. As the destination buffer in located on the stack, this will allow the attack to overwrite important stack data.

Since HMAC-SHA1/HMAC-SHA256 are PRFs and the password in the token is unknown to the attacker, this issue would be harder to exploit on its own (would require to blindly brute-force the destination bytes). However, the "otp_get_crypto_derived_key" function also contains an information disclosure vulnerability that would allow the attacker to leak the derived key for each attempt.

After calling the KDF, the aforementioned length field is used as the length argument in a "memcpy" call which copies the generated bytes into the user's response buffer, thus leaking the generated bytes back to the Non-Secure World.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.




Found by: laginimaineb

Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close