Defeating Samsung KNOX with Zero Privilege

Presented at Black Hat USA 2017, July 27, 2017, 2:30 p.m. (50 minutes).

The story started mid-2016 by exploiting CVE-2016-6787 (found by myself) and rooting large numbers of Android devices shipped with 3.18 Linux kernel. However, we realized that our exploit wasn't working on Samsung Galaxy S7 Edge; the usual way we used to bypass KNOX on Galaxy S6 had expired.

After KeenLab successfully worked out several rooting solutions on many old Samsung smartphones in past two years, Samsung KNOX unsurprisingly enforced Galaxy S7 series. This time, KNOX introduced the Data Flow Integrity (DFI) as a part of its Real time Kernel Protection (RKP) implemented in TrustZone. KNOX RKP tried to use DFI to prevent a process which has compromised the Linux kernel from gaining root privilege. Furthermore, KNOX introduced KASLR as an additional mitigation. KNOX also removed the global variable "selinux enforce" in kernel, and permissive domain is not permitted - this means SELinux cannot be disabled or inserted a permissive domain even if you have already achieve kernel code execution.

In this talk I will describe how I used an exploit chain to defeat the new Samsung KNOX with zero privilege (exploit chain can be executed by any untrusted application), including KASLR bypassing, DFI bypassing, SELinux fully bypassing and privilege escalation. All details of vulnerabilities and mitigation bypassing techniques will be given during the presentation.


Presenters:

  • Di Shen - Sr. Security Researcher, Keen Lab,Tencent
    Di Shen (@returnsme) is a Sr. Security Researcher of Keen Lab (@keen_lab), focusing on Android kernel exploitation and vulnerability hunting since 2014. These years he has found several critical vulnerabilities in Android's kernel and TrustZone and successfully developed exploits for them.

Links:

Similar Presentations: