SVE-2016-7930: Multiple buffer overflows in Samsung Galaxy bootloader
Posted on Sun 23 July 2017 in Advisory
On October 21st 2015, mobile forensics company Cellebrite published a video that demonstrates how their solution can dump eMMC of Samsung Galaxy devices :
This video strongly suggests that Samsung Galaxy bootloader can be exploited to execute arbitrary code.
Several bugs in Samsung Galaxy bootloader allow an attacker with physical access to execute arbitrary code. Protections like OS lock screen and reactivation lock can be defeated.
Download mode (a.k.a. ODIN) doesn't properly sanitize headers of flashed images. This can lead to integer & buffer overflows.
Bugs and exploitation technique are detailed in the paper released at SSTIC 2017 conference.
PoC code for Samsung Galaxy S5 has been released on GitHub
CVSS Version 3 Metrics
- Attack Vector (AV): Physical (P)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Overall CVSS Score: 6.8
Samsung has released a fix via OTA.
- 2016-12-20 Disclosed to Samsung
- 2017-03-07 Public disclosure in Samsung Bulletin SMR-MAR-2017
- 2017-06-08 Talk at SSTIC 2017 conference
- 2017-07-21 Proof-of-Concept released