Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

Samsung KNOX Takes Some Knocks

Researcher at Black Hat USA will reveal Samsung KNOX 2.6 vulnerabilities and bypass techniques, and notes that new KNOX 2.8 may be at risk as well.

Samsung last year touted its enterprise mobile security platform KNOX 2.6 aimed at protecting corporate data as well as the software's underlying Linux kernel.

But a researcher at Black Hat USA next month will demonstrate how he was able to bypass some of the key features in KNOX 2.6, such as data flow integrity (DFI) to keep information flowing to its intended destination, and the Kernel Address Space Layout Randomization (KASLR) that plays a game of cat and mouse with attackers by continually hiding the address location of the kernel.

Di Shen, a senior security researcher with Tencent Keen Security Lab, plans to share his Knox bypass techniques in his "Defeating Samsung Knox with Zero Privilege" session at Black Hat. And while his techniques were applied to a Knox platform that Samsung has since patched and is two versions old, Shen says Samsung's new and recently released KNOX 2.8 is not entirely out of the woods.

"My exploit chain was finished in June 2016, so it was working on KNOX 2.6 at that time," Shen says. "Since the vulnerabilities I used have been fixed in Samsung's latest firmware, the exploit chain will not affect an updated Samsung device with KNOX 2.8. However, the bypass techniques that I'm going to give out at Black Hat may still be useful in KNOX 2.8 if you got new kernel vulnerabilities for the latest firmware."

Although Shen has not yet analyzed KNOX 2.8, he did note that according to Samsung's KNOX change-log, the handset maker has added a control-flow protection feature, or control-flow integrity (CFI), to protect the kernel in its latest version of KNOX. And that CFI security feature has shown that it can be bypassed on a Windows system, according to Shen. The CFI is designed to prevent the attacker from hijacking the control-flow of a kernel's operating system.

"It could be a new challenge to exploit some particular kernel vulnerabilities," Shen says.

Knocking Down KNOX 2.6

And Shen should know. Last summer, before Samsung issued its firmware update, he used an exploit chain to slap down the KNOX Android kernel.

With a malicious application installed on a Samsung Galaxy S7, two vulnerabilities were found in KNOX 2.6, which allowed Shen to create an exploit chain.

"There are two vulnerabilities in this exploit chain, both of them are Linux kernel vulnerabilities. One is an information leaking vulnerability, helping me bypass KASLR; the other one is a use-after-free in perf subsystem of Linux kernel, helping me achieve arbitrary kernel memory overwriting," says Shen.

The vulnerabilities allowed Shen to first bypass KASLR so he knew exactly where the kernel was located. He then moved on to manipulating the Linux kernel data memory to bypass the DFI using Linux's own feature. That maneuver allowed Shen to gain the holy grail, root privilege. Shen's next move was to manipulate the Security Enhanced Linux (SELinux) database which is located in the kernel's memory, and with that manipulation he was able to bypass additional restrictions made by SELinux, he says.

This would allow an attacker to gain root privilege on a Samsung device and engage in nefarious activities from accessing private data on the phone to hijacking Web browsers, or to commandeering the phone's camera and recording capabilities, according to Shen.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

 

The most difficult part of punching into the KNOX 2.6 kernel was bypassing the DFI, he notes, which is carried out by a hypervisor that works with multiple operating systems within the same device. Shen plans to offer more details on how he tackled this greatest challenge in his Black Hat session.

In response to questions regarding KNOX 2.8 and its security, a Samsung spokesperson said: "Samsung KNOX is built in to our mobile technologies to ensure your hardware, software and apps are as secure as possible. Customers are encouraged to keep their software and apps updated and can download updates wirelessly. Samsung was made aware of this particular vulnerability (in KNOX 2.6) and a fix was deployed in February."

Despite being able to defeat KNOX 2.6 with zero privilege, Shen says he has great respect for Samsung's security team.

"You know every vulnerability mitigation may be bypassed someday and somehow, so is KNOX," Shen said. "KNOX still can make your devices safer than other devices, as the KNOX team is the best security team of smart phone vendor I've ever knew. They understand exploit techniques, they keep improving KNOX, and they can make it better." 

Related Content:

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Virginia a Hot Spot For Cybersecurity Jobs
Jai Vijayan, Contributing Writer,  10/9/2019
How to Think Like a Hacker
Dr. Giovanni Vigna, Chief Technology Officer at Lastline,  10/10/2019
7 SMB Security Tips That Will Keep Your Company Safe
Steve Zurier, Contributing Writer,  10/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17660
PUBLISHED: 2019-10-16
A cross-site scripting (XSS) vulnerability in admin/translate/translateheader_view.php in LimeSurvey 3.19.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the tolang parameter, as demonstrated by the index.php/admin/translate/sa/index/surveyid/336819/lang/ PATH_INFO.
CVE-2019-11281
PUBLISHED: 2019-10-16
Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the virtual host limits page, and the federation management UI, which do not properly sanitize user input...
CVE-2019-16521
PUBLISHED: 2019-10-16
The broken-link-checker plugin through 1.11.8 for WordPress (aka Broken Link Checker) is susceptible to Reflected XSS due to improper encoding and insertion of an HTTP GET parameter into HTML. The filter function on the page listing all detected broken links can be exploited by providing an XSS payl...
CVE-2019-16522
PUBLISHED: 2019-10-16
The eu-cookie-law plugin through 3.0.6 for WordPress (aka EU Cookie Law (GDPR)) is susceptible to Stored XSS due to improper encoding of several configuration options in the admin area and the displayed cookie consent message. This affects Font Color, Background Color, and the Disable Cookie text. A...
CVE-2019-16523
PUBLISHED: 2019-10-16
The events-manager plugin through 5.9.5 for WordPress (aka Events Manager) is susceptible to Stored XSS due to improper encoding and insertion of data provided to the attribute map_style of shortcodes (locations_map and events_map) provided by the plugin.