Blogposts tagged Exploitation

This is a follow-up to our compendium blog post that presented the internals of Samsung's security hypervisor, including all the nitty-gritty details. This extensive knowledge is put to use in today's blog post that explains how we attacked Samsung RKP. After revealing three vulnerabilities leading to the compromise of the hypervisor or of its assurances, we also describe the exploitation paths we came up with. Finally, we take a look at the patches made by Samsung following our report.

After an in-depth analysis of the NPU OS and its interaction with the Android kernel, this second part gives a more offensive outlook on this component. We will go through the main attack vectors to target it and detail two vulnerabilities that can be chained together to get code execution in the NPU from the NPU driver before pivoting back into the kernel.

Advisories tagged Exploitation
CVE-2023-27326 Directory Traversal Arbitrary File Write Vulnerability
CVE-2021-39994 SMC SE Factory Check OOB Access
CVE-2021-22437 SMC MNTN OOB Access (Integer Overflow)
CVE-2021-39993 SMC MNTN OOB Access (Shared Control Structure)
CVE-2021-39979 OOB Accesses Using the Logging System