1. Advisory Information

Title: Samsung SW Update Tool MiTM
Advisory ID: CORE-2016-0003
Advisory URL: http://www.coresecurity.com/advisories/samsung-sw-update-tool-mitm
Date published: 2016-03-07
Date of last update: 2016-03-04
Vendors contacted: Samsung
Release mode: Coordinated release

2. Vulnerability Information

Class: Cleartext Transmission of Sensitive Information [CWE-319], Insufficient Verification of Data Authenticity [CWE-345]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-pending-assignment-1, CVE-pending-assignment-2

3. Vulnerability Description

The Samsung SW Update Tool [1] is a tool that analyzes the system drivers of a computer. You can install relevant software for your computer more easily and quickly using SW Update. The SW Update program helps you install and update your software and drivers easily.

Samsung [2] SW Update Tool is prone to a Man-in-the-Middle attack which could result in integrity corruption of the transferred data, information leak and consequently code execution.

4. Vulnerable Packages

Samsung SW Update Tool 2.2.5.16

Other products and versions might be affected too, but they were not tested.

5. Vendor Information, Solutions and Workarounds

Samsung published a fixed version of Samsung SW Update Tool on their website [1].

6. Credits

This vulnerability was discovered, researched and coordinated by Joaquin Rodriguez Varela from Core Security CoreLabs Team.

7. Technical Description / Proof of Concept Code

7.1. Clear text Transmission of Update Information

[CVE-pending-assignment-1] The program behaves differently depending on whether or not it runs on a Samsung machine. On some Samsung machines it automatically detects the hardware model and therefore the hardware it uses; on other models or non-Samsung machines it requires the user to specify the model of machine they would like to download drivers for.
Several requests are performed once one of these conditions is met, and eventually an XML file is requested, which depends on the model detected/selected:

    GET http://orcaservice.samsungmobile.com/dl/bom/MAX6356A04.XML HTTP/1.1
    Host: orcaservice.samsungmobile.com

The name of the XML file is the model ID for which the drivers are being requested. In the XML file that is received from the server, there's a tag called 'FURL' that has the URL of the file that is going to be downloaded and executed by the application.

    MAX6356A04 Nxxx-15xx Nike-15R_BBY MP100 MRT63xxxx DNC DONCR DNC ALL 2012-05-11 8:01:04 Yes BASW-83294A07 SOFTWARE Win8-Realtek LAN Driver[Gigabit] 8.4.907.2012-Dock_Dongle_isolate DNC W8PR32/W8SL32/W8ST32/W8PR64/W8SL64/W8ST64 DNC ALL PSTEXE BASW-83294A\BASW-83294A07.ZIP setup.exe -s -f2c:\Setup.log /pbr 10554011 5406352 C2P1 GCP 21090 SM1 ITMRQR 70 DrvVer 8.4.907.2012 Y http://orcaservice.samsungmobile.com/FileDownloader.aspx?FILENAME=BASW-83294A07.ZIP ENG BRA Driver de LAN CZE Ovladač sítě LAN DAN LAN-driver DUT LAN-stuurprogramma ENG LAN Driver ... ...

Once the application's search process comes to an end, it shows the user the available driver updates. After downloading the drivers, what happens next depends on the mode in which the software is operating: in "Function 1" mode the user can click on the 'Install' button and the binaries are executed; in "Function 2" mode the location where the software was saved pops up so that the user can execute the downloaded file.

7.1.1. Insufficient Verification of Update Authenticity

[CVE-pending-assignment-2] The software itself performs no verification at all of the downloaded files. There are some "control" parameters inside the XML file:

    ... ... RegVer HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\infInst 10.1.1.9 Version ... ...

But those "control" parameters can be easily disabled by manipulating the XML file:

    ... ... NoVerify ... ...
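
A client-side check that would address both issues described in 7.1 and 7.1.1, as an added example that is not part of the original advisory and is not Samsung's code: it accepts a manifest only over HTTPS from an allowlisted host and requires a SHA-256 digest for every FURL. The <Item> and <SHA256> element names, the allowlist and the https URLs are assumptions; only the FURL tag, the host name and the file names come from the advisory.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Host is the one named in the advisory; using it as an allowlist is an assumption.
ALLOWED_HOSTS = {"orcaservice.samsungmobile.com"}

class ManifestError(Exception):
    """The manifest or a URL in it failed a check; nothing may be installed."""

def require_https(url, what):
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        raise ManifestError(f"{what} must be https on an allowlisted host: {url}")

def parse_manifest(manifest_url, xml_bytes):
    """Return [(furl, sha256_hex), ...]; raise ManifestError on any failed check."""
    require_https(manifest_url, "manifest")
    if b"<!DOCTYPE" in xml_bytes:  # no DTDs, so no entity tricks
        raise ManifestError("DTD not allowed in manifest")
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise ManifestError(f"malformed manifest: {exc}") from exc
    entries = []
    for item in root.iter("Item"):  # <Item> is a hypothetical wrapper element
        furl = (item.findtext("FURL") or "").strip()  # FURL: tag named in the advisory
        digest = (item.findtext("SHA256") or "").strip().lower()  # hypothetical tag
        require_https(furl, "FURL")
        # The digest is mandatory: no manifest field can switch verification off.
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ManifestError(f"missing or malformed SHA256 for {furl}")
        entries.append((furl, digest))
    if not entries:
        raise ManifestError("manifest lists no downloadable items")
    return entries

def payload_matches(data, expected_hex):
    """True only if the downloaded bytes hash to the digest from the manifest."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex)

if __name__ == "__main__":
    blob = b"constructed installer bytes"  # constructed sample payload
    xml = (b"<BOM><Item><FURL>https://orcaservice.samsungmobile.com/"
           b"FileDownloader.aspx?FILENAME=BASW-83294A07.ZIP</FURL><SHA256>"
           + hashlib.sha256(blob).hexdigest().encode() + b"</SHA256></Item></BOM>")
    url = "https://orcaservice.samsungmobile.com/dl/bom/MAX6356A04.XML"
    for furl, digest in parse_manifest(url, xml):
        print(furl, payload_matches(blob, digest), payload_matches(blob + b"!", digest))
```

A digest carried in the manifest is only as trustworthy as the manifest itself, so this check relies on the HTTPS fetch; signing the manifest or the binaries would remove that dependency.
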
An attacker can easily modify the returned XML file in order to achieve code execution on the victim's machine.

8. Report Timeline

2016-01-22: Core Security sent an initial notification to Samsung.
2016-01-25: Samsung replied requesting to hold the publication until they were able to review the vulnerabilities. They sent their public PGP key attached.
2016-01-25: Core Security sent Samsung a draft copy of the advisory.
2016-01-26: Samsung replied they were looking into the issue and that they would keep us updated with their progress.
2016-02-05: Samsung informed us they were developing a patch and requested to delay the advisory publication for two more weeks.
2016-02-05: Core Security informed Samsung we didn't mind delaying the release of the disclosure, but we reminded them that it is our policy to publish our findings once the patch is released.
2016-02-22: Core Security asked Samsung if they had an estimated date for releasing the patched version of the affected software.
2016-02-25: Samsung replied they had some issues during the final tests of the patch and that they would have the final fix ready by the 3rd of March. They said they might have to request additional time in case their results came back negative.
2016-03-02: Core Security asked Samsung if they were going to release the fixed version the following day in order to publish the security advisory accordingly.
2016-03-03: Core Security asked Samsung again for a reply.
2016-02-25: Samsung replied the issues identified in Samsung SW Update Tool had been resolved by new patches from early March. Additionally, they mentioned that transitioning to the 'https' protocol on the server side would leave existing users of older versions of the client-side application, which use 'http', unable to connect to the server anymore, and consequently they requested 3 additional months to propagate the updated application while also allowing the 'http' protocol on the server side.
2016-03-03: Core Security asked Samsung to confirm if those patches had already been released. If so, we informed them that it is our policy to publish our findings, usually in coordination with the affected vendor, once the fixed version of the affected software becomes available. We consider users/customers to be safer once they become aware of the potential security issues a device/software could have. We informed them we would be forced to publish our security advisory on Monday, March 7 if the patches had already been released.
2016-03-07: Advisory CORE-2016-0003 published.

9. References

[1] http://orcaservice.samsungmobile.com/SWUpdate.aspx
[2] http://www.samsung.com

10. About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

11. About Core Security Technologies

Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups.
Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.

12. Disclaimer

The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.