Exploit the possiblities

Samsung RKP Kernel Protection Bypass

Samsung RKP Kernel Protection Bypass
Posted Mar 29, 2017
Authored by Google Security Research, laginimaineb

Samsumg suffers from an RKP kernel protection bypass via lack of MSR trapping on Qualcomm devices.

tags | advisory, kernel
MD5 | b5c4ef10d1a12872e9129f24e017bee2

Samsung RKP Kernel Protection Bypass

Change Mirror Download
 Samsung: RKP kernel protection bypass via lack of MSR trapping on Qualcomm devices  




As part of Samsung KNOX, Samsung phones include a security hypervisor called RKP (Real-time Kernel Protection), running in EL2. This hypervisor is meant to ensure that the HLOS kernel running in EL1 remains protected from exploits and aims to prevent privilege escalation attacks by "shielding" certain data structures within the hypervisor.

In order to prevent EL0 and EL1 code from creating disallowed memory mappings (e.g., disabling PXN on areas not in the kernel text or enabling write permissions to a kernel code page), RKP employs a system through which all modifications to the S1 translation table are validated by the hypervisor. Moreover, RKP marks the EL0 and EL1 translation tables as read-only in the stage 2 translation table for EL0/1.

On devices based on the Exynos SoC, RKP sets the TVM bit in HCR_EL2 in order to trap all requests to modify memory management control registers in EL1. These requests can then be processed according to the policy enforced by RKP in order to make sure they comply with the "allowed" set of memory mappings.

However, on Qualcomm devices RKP does not set the TVM bit, allowing all MSRs from EL1 to be executed without trapping into EL2. This allows an attacker to subvert RKP's memory mapping policies.

As noted in previous reports, an attacker may modify the value of TTBR1 in order to set locations other than kernel memory as executable (removing PXN), thus allowing the execution of arbitrary code in the kernel (without tripping kernel integrity checks). Moreover, there is no shortage of MSR opcodes which are executable from EL1, since all RKP code is freely executable from EL1 (also noted in previous reports).

I've dynamically verified this issue by examining the value of HCR_EL2 in the RKP debug log (/proc/tima_debug_rkp_log), on a fully updated Galaxy S7 (G930U). I've also verified that the HYP binary does not contain trap handlers for emulation of opcodes trapped by HCR.TVM.

This issue can be addressed by setting HCR.TVM and implementing trap handlers in EL2 for MSRs to sensitive memory management control registers executed by EL1.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.



Found by: laginimaineb

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    24 Files
  • 19
    Jan 19th
    7 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close