Samsung Devices KNOX Extensions OTP TrustZone Trustlet Stack Buffer Overflow

As a part of the KNOX extensions available on Samsung devices, Samsung provides a TrustZone trustlet which allows the generation of OTP tokens. The tokens themselves are generated in a TrustZone application within the TEE (UID: fffffffff0000000000000000000001e), which can be communicated with using the “OTP" service, published by "otp_server". Many of the internal commands supported by the trustlet must either unwrap or wrap a token. They do so by calling the functions "otp_unwrap" and "otp_wrap", correspondingly. Both functions copy the internal token data to a local stack based buffer before attempting to wrap or unwrap it. However, this copy operation is performed using a length field supplied in the user’s buffer (the length field’s offset changes according to the calling code-path), which is not validated at all. This means an attacker can supply a length field larger than the stack based buffer, causing the user-controlled token data to overflow the stack buffer. There is no stack cookie mitigation in MobiCore trustlets. On the device I’m working on (SM-G925V), the "OTP" service can be accessed from any user, including from the SELinux context "untrusted_app". Successfully exploiting this vulnerability should allow a user to elevate privileges to the TrustZone TEE.

Link: https://packetstormsecurity.com/files/140146/samsungdevice-overflow.txt

Ubuntu Security Notice USN-3155-1

Ubuntu Security Notice 3155-1 – Multiple security vulnerabilities were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to conduct cross-site scripting attacks, obtain sensitive information, cause a denial of service via application crash, or execute arbitrary code. Various other issues were also addressed.

Link: https://packetstormsecurity.com/files/140150/USN-3155-1.txt

Red Hat Security Advisory 2016-2945-01

Red Hat Security Advisory 2016-2945-01 – Red Hat Single Sign-On 7.0 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This asynchronous patch is a security update for Red Hat Single Sign-On 7.0. Security Fix: It was found that Keycloak did not implement authentication flow correctly. An attacker could use this flaw to construct a phishing URL, from which he could hijack the user’s session. This could lead to information disclosure, or permit further possible attacks.

Link: https://packetstormsecurity.com/files/140149/RHSA-2016-2945-01.txt