impalabs space base graphics
Blogposts tagged Exploitation

This is a follow-up to our compendium blog post that presented the internals of Samsung's security hypervisor, including all the nitty-gritty details. This extensive knowledge is put to use in today's blog post that explains how we attacked Samsung RKP. After revealing three vulnerabilities leading to the compromise of the hypervisor or of its assurances, we also describe the exploitation paths we came up with. Finally, we take a look at the patches made by Samsung following our report.

After an in-depth analysis of the NPU OS and its interaction with the Android kernel, this second part gives a more offensive outlook on this component. We will go through the main attack vectors to target it and detail two vulnerabilities that can be chained together to get code execution in the NPU from the NPU driver before pivoting back into the kernel.

Advisories tagged Exploitation
Calendar icon
CVE-2021-39996 Buffer Overflow in SplitAidStrtok
Calendar icon
CVE-2021-40017 Write of Arbitrary Data to sec_storage_data/PKI/
CVE-2021-40040 Write of Controlled Params Set in generate_keyblob
CVE-2021-46887 Integer Overflow in ber_pop_front
HWPSIRT-2021-26563 Stack Address Leak in cmd_verify_key
HWPSIRT-2021-07329 Integer Overflow in ber_init
HWPSIRT-2021-63468 Logic Issue in verify_root_cert
HWPSIRT-2021-73188 Stack Buffer Overflow in get_soter_cpuid
HWPSIRT-2021-53224 OOB Access in get_soter_cpuid
Calendar icon
CVE-2021-40020 OOB Access in CmdInitObjectWithKeys
Calendar icon
CVE-2021-40023 Generic ASLR Bypass Using TALoader's Information
Calendar icon
CVE-2021-46881 Heap Buffer Overflow in MDrm_TA_CMD_OEMCrypto_LoadKeys
CVE-2021-40034 Heap Buffer Overflow in MDrm_TA_CMD_OEMCrypto_LoadEntitledContentKeys
CVE-2021-46882 Heap Buffer Overflow in MDrm_TA_CMD_OEMCrypto_RefreshKeys
CVE-2021-46883 Heap Buffer Overflow in MDrm_TA_OEMCryptoUsageTable_LoadUsageTableHeader
CVE-2021-46884 OOB Write access in MDrm_TA_CMD_OEMCrypto_CopyBuffer
CVE-2021-46885 OOB Read Access in MDrm_TA_CMD_Provision_GetRequest
CVE-2021-46886 OOB Read Access in MDrm_TA_CMD_OEMCrypto_RewrapDeviceRSAKey30
CVE-2021-46814 OOB Read Access in MDrm_TA_CMD_OEMCrypto_DecryptCENC
Calendar icon
CVE-2021-40036 OOB Access in DecryptData
CVE-2021-40010 Heap Buffer Overflow in SendTaGmmBuf
CVE-2021-40027 OOB Access in restore
CVE-2021-40032 Information Leak in compare
CVE-2021-40014 Information Leak in restore
HWPSIRT-2021-56065 Null Pointer Dereference in CheckModelHash
Calendar icon
CVE-2021-40022 Missing Input Parameters Check in InterfaceRead
Calendar icon
CVE-2023-27326 Directory Traversal Arbitrary File Write Vulnerability
Calendar icon
CVE-2021-39994 SMC SE Factory Check OOB Access
CVE-2021-22437 SMC MNTN OOB Access (Integer Overflow)
CVE-2021-39993 SMC MNTN OOB Access (Shared Control Structure)
Calendar icon
CVE-2021-39979 OOB Accesses Using the Logging System