- Authors: Aristide Fattori (@joystick) and Roberto Paleari (@rpaleari)
- ID: CVE-2016-2567
- Notification date: 30/10/2015
- Release date: 24/02/2016
Some weeks ago we wrote about secfilter, a proprietary Samsung kernel module for supporting URL filtering applications (e.g., for parental control).
Besides the NULL pointer dereference described in the previous advisory, we also identified a pretty trivial bypass technique which permits a user-space application to completely circumvent the URL filtering system.
In a nutshell, the app that controls the URL filtering mechanism (secfilter) can choose an "exceptional URL" that is automatically whitelisted by the kernel module. The relevant source code snippet that implements this behavior is reported below (from sec_filter.c):
    // Check this is exceptional URL
    if ((exceptionURL != NULL) && (gettingNode->url != NULL)) {
        // This is exception URL
        if (strstr(&gettingNode->url[sizeof(URL_Info)], exceptionURL) != NULL)
        {
            free_tcp_TrackInfo(gettingNode); // Free this getting track info
            nf_reinject(entry, NF_ACCEPT);   // Send this packet because it is exception
            return 0;
        }
    }
In the code snippet above, the "exceptional URL" is the character string pointed to by exceptionURL, while gettingNode->url holds the URL the user is trying to access (the URL text is read starting at offset sizeof(URL_Info) into that buffer).
However, the check is performed through a strstr() call, i.e., a substring search: the exceptional URL is accepted wherever it appears in the requested URL, not only at its beginning. This permits local applications to completely circumvent the URL filtering mechanism, just by including the "exceptional URL" string among the GET parameters.
As an example, assume that exceptionURL has been set to http://google.com/. Then, visiting http://evil.com/?http://google.com bypasses the filter completely. This is also demonstrated by the following shell session:
$ curl -v http://evil.com/
* Trying 192.220.74.179...
* Connected to evil.com (192.220.74.179) port 80 (#0)
> GET / HTTP/1.1
> Host: evil.com
> User-Agent: curl/7.45.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Content-Type: text/html
< Content-Length: 60
<
<html><head></head><body>This Site is Blocked!</body></html>
$ curl -v http://evil.com/?http://google.com/
* Trying 192.220.74.179...
* Connected to evil.com (192.220.74.179) port 80 (#0)
> GET /?http://google.com/ HTTP/1.1
> Host: evil.com
> User-Agent: curl/7.45.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Wed, 28 Oct 2015 10:16:51 GMT
< Server: Apache

We confirm this issue affects the following device models. Other models and firmware versions are probably affected as well, but they were not tested.
- SM-N9005, build N9005XXUGBOB6 (Note 3)
- SM-G920F, build G920FXXU2COH2 (Galaxy S6)
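The following C program is an added example written for this advisory; it is not code from sec_filter.c or from Samsung. It places a user-space re-implementation of the substring check described above (weak_is_exception, mirroring the strstr() logic) next to an anchored prefix check (strict_is_exception) that a whitelist of this kind should use, and runs both over a small set of constructed request URLs. The function names and the URLs are hypothetical; the hardened check assumes the policy means "URLs under this prefix" and deliberately does not match a port or userinfo after the host.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Samsung's code. Mirrors the check in sec_filter.c:
 * the exceptional URL is accepted if it appears ANYWHERE in the requested
 * URL, because strstr() is a substring search. */
int weak_is_exception(const char *requested, const char *exception)
{
    if (requested == NULL || exception == NULL || exception[0] == '\0')
        return 0;
    return strstr(requested, exception) != NULL;
}

/* Hardened variant (assumption: the policy intends "URLs under this
 * prefix"). The exceptional URL must match at offset 0, and the match must
 * end on a component boundary so that "http://google.com.evil.com/" does
 * not satisfy an exception of "http://google.com". A ':' or '@' after the
 * prefix (port or userinfo) is conservatively rejected. */
int strict_is_exception(const char *requested, const char *exception)
{
    size_t n;
    char next;

    if (requested == NULL || exception == NULL || exception[0] == '\0')
        return 0;
    n = strlen(exception);
    if (strncmp(requested, exception, n) != 0)
        return 0;                       /* not anchored at the start */
    if (exception[n - 1] == '/')
        return 1;                       /* prefix already ends on a boundary */
    next = requested[n];
    return next == '\0' || next == '/' || next == '?' || next == '#';
}

/* Runs both checks over constructed requests against one exception and
 * returns how many requests the weak check accepts but the strict check
 * rejects, i.e. the number of filter bypasses. */
int count_bypasses(const char *exception)
{
    /* Constructed sample requests (evil.com stands for a filtered site). */
    static const char *requests[] = {
        "http://google.com/",                   /* legitimately excepted   */
        "http://google.com/search?q=test",      /* legitimately excepted   */
        "http://evil.com/?http://google.com/",  /* the advisory's bypass   */
        "http://evil.com/#http://google.com/",  /* fragment variant        */
        "http://google.com.evil.com/",          /* neither check matches a */
                                                /* '/'-terminated exception */
        "http://evil.com/",                     /* blocked by both         */
    };
    int bypasses = 0;
    size_t i;

    for (i = 0; i < sizeof(requests) / sizeof(requests[0]); i++) {
        int weak = weak_is_exception(requests[i], exception);
        int strict = strict_is_exception(requests[i], exception);
        printf("%-40s weak=%d strict=%d\n", requests[i], weak, strict);
        if (weak && !strict)
            bypasses++;
    }
    return bypasses;
}

int main(void)
{
    int n = count_bypasses("http://google.com/");
    printf("%d request(s) slip past the strstr() check only\n", n);
    return 0;
}
```

Compile with `cc -Wall -o secfilter_check secfilter_check.c` and run it; the two requests that smuggle the exceptional URL into the query string or fragment are accepted only by the substring check. Note that even the anchored check still compares raw strings: a production filter should compare the parsed host (case-insensitively, with any default port normalised) rather than the URL text.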