Two kernel vulnerabilities were left unpatched on older devices running Android Jelly Bean and KitKat. QuarksLAB, a security research company based in Paris, France, has stumbled upon two kernel vulnerabilities in Samsung Galaxy S4 devices which Samsung has decided to patch, but only for recent devices running Android Lollipop, and not for those with Jelly Bean or KitKat.
The two vulnerabilities were discovered in February 2014 and reported to Samsung in August 2014, and they affect the samsung_extdisp driver of Samsung S4 (GT-I9500) devices.
The first vulnerability, CVE-2015-1800, was found in the s3cfb_extdsp_ioctl() function, located in the “drivers/video/samsung_extdisp/s3cfb_extdsp_ops.c” file.
This function contains a stack kernel memory disclosure, which can be used to leak sensitive memory information or even break kernel ASLR if enabled on the device.
“The way to break ASLR is to ‘leak’ information from the target process. For instance, you’ll leak the address of a structure you know (e.g. a memory structure describing the process),” as Fred Raynal, QuarksLAB CEO, told Softpedia. “You know that, in the memory map, this structure is always located at an offset of 1337 bytes from the beginning of the process. Hence, you can guess the base address. It is the leaked address of the structure – 1337 (the offset).”
“Imagine you are blindfolded in a room you know. You’ll walk around slowly looking to touch something you’ll recognize,” continued Mr. Raynal, trying to simplify the vulnerability’s explanation. “Once you touch that table, you immediately are able to know where everything is. All you needed was one reference, one thing you knew (the table here, the address earlier).”
The kernel vulnerabilities are an entry point for more dangerous attack vectors
When we asked if this was important, Mr. Raynal told us, “Info leaks are useless by themselves. They are part of the attack vector, to defeat ASLR. […] In the kernel, you need to leak an address. Once you have this address, you can have your memory overflow, or whatever other bug you are exploiting, working. It is the same whether we talk about desktop or mobile (the difference is only due to the way ASLR is implemented).”
The second vulnerability, CVE-2015-1801, is a set of 4 kernel memory corruptions found in the s3cfb_extdsp_ioctl() function, located in the “drivers/video/samsung_extdisp/s3cfb_extdsp_ops.c” file.
By exploiting this vulnerability, attackers could control destination pointers, and eventually end up overwriting some function pointers or values in the kernel space, causing a denial of service (DoS) state, or even elevating their privileges.
Vulnerabilities will be patched only for devices running recent Android versions
According to Jonathan Salwan, one of QuarksLAB’s junior security researchers, Samsung took 3 months to acknowledge the bugs (November 2014), and only responded to QuarksLAB’s emails after the company went public with their research on September 21, 2015.
“They just acknowledged the issues, then went silent until this blog post popped,” said Mr. Salwan. “Samsung just confirmed to us that the JB and KK families will not be patched and that the vulnerabilities are only patched on the LL family.”