First off, Apple has issued an update for some very old devices. Well, vintage 2013, but that’s a long time in cell-phone years. Fixed are a trio of vulnerabilities, two of which are reported to be exploited in the wild. CVE-2021-30761 and CVE-2021-30762 are both flaws in Webkit, allowing for arbitrary code execution upon visiting a malicious website.
Either way, researchers at Oversecured took a look… and found some problems. First up is Samsung’s Knox Core app, part of their enterprise security system. This core framework file can install other apps, triggered by a world-writable URI. So first problem, anything that can load a file and call a URI can trigger an arbitrary app install. There is a second problem: part of that install process copies the app-to-be-installed to a world-readable location. This means that with a bit of work, any other app can abuse this to read any file this system app can read, and that’s all of them.
The third bug fixed is a very interesting one, CVE-2021-30737, memory corruption in the ASN.1 decoder. ASN.1 is a serialization format, used in a bunch of different crypto and telecom protocols, like the PKCS key exchange protocols. This bug was reported by [xerub], who showed off an attack against locked iPhone immediately after boot. Need to break into an old iPhone? Looks like there’s an exploit for that now.
Up next is the managed provisioning app. This too allows installing apps, but has a built-in verification system, as it was based on Managed Provisioning from the Android Open Source Project (AOSP). Samsung added features, one of which is a flag to disable the verification. Oh, and this one installs apps as system. “Please install my rootkit, Samsung.” “OK”
And the last problem we’ll look at is the TelephonyUI app. It exposes a receiver, PhotoringReceiver, which takes two arguments: the URL to download, and the file location to write it to. This function does check that the remote server reports the file to be an image or video, but this is trivial for an attacker to spoof. The result is that an attacker can send an intent, download an arbitrary file, and write it anywhere on the phone as UID 1001, one of the system users.
- This week in security: patches, leaks, old hardware hacking
- Check all news and articles from the latest Security news updates.