T-Flash Bootloader Buffer Overflow Vulnerability -- NEEDS DEVELOPERS

Hariiiii

Senior Member
Oct 19, 2015
99
40
0
http://security.samsungmobile.com/smrupdate.html
SVE-2016-7930: Multiple Buffer Overflow in Qualcomm Bootloader

Severity: Critical
Affected versions: Galaxy S5 with Qualcomm AP chipset
Reported on: December 20, 2016
Disclosure status: Privately disclosed.
A buffer overflow vulnerability exists in the Qualcomm bootloader.
The patch prevents the buffer overflow by removing the problematic source code.
On the Samsung security blog, one of the listed patches for the March update mentions a buffer overflow vulnerability in the bootloader. This is documented proof of a vulnerability that could potentially be used to unlock the bootloader for CID11 S5s. Now, it is possible for people to just dig around in the bootloader (if anyone with the expertise is interested), or, alternatively, it is possible that the person responsible for reporting the bug might release the information. The Samsung blog lists his name as Frédéric Basse, and his blog is here: http://www.fredericb.info/ Historically, he tends to publicly release information after the vulnerability has been patched.

EDIT:
Based on the timing of some commits to the Heimdall source code, it seems very likely that the exploit involves T-Flash mode (also available in ODIN), which permits flashing firmware to an SD card instead of the internal storage. This is corroborated by the fact that the Samsung blog mentions the removal of source code that leads to the exploit. I highly suspect the next released bootloader update will not have T-Flash included. It seems likely that the bootloader does a poor job of checking the size of data (or allocates memory poorly?) before it is loaded into a memory buffer and then written to the SD card. See below for the link to the commits made by Frédéric Basse.

https://github.com/Benjamin-Dobell/Heimdall/pull/389

klabit87

Senior Member
Jul 11, 2011
2,989
2,223
193
Nice find! Would be a good thing if it could be used to gain an unlock for CID 11.

Sent from my Nexus 6 using Tapatalk
 

4VYM4

New member
Mar 23, 2017
1
0
0
I'm not that experienced with this particular architecture but an old GS5 was given to me and I'm interested in assisting. Most of my experience with development is theoretical and PC. Perhaps we should make a discord on it for more efficient communication.
 

AKETech

Senior Member
Apr 3, 2016
65
6
0
Evergreen
I have subscribed to this thread in hopes that someone will be able to figure this out. I don't have any expertise in this, but since I have that stupid locked bootloader, I'm extremely interested to see if someone can figure this out. I am willing to test, if you can come up with ways in which to test and try.
 

smokerbond

Senior Member
Aug 13, 2015
63
12
0
Will keep an eye on this.
I have been out of the loop since I got root on 6.0 with CID 11 through a race condition bug. The problem is persisting root and integrity after reboot.

With something like this maybe bootloader unlock will solve all the problems!
If bug hunter releases a report I will take a look.
 

AWESOME1092387456

Senior Member
May 6, 2015
160
17
38
So AptLogic (from what I understood by reading that mumbo jumbo), is there hope to unlock the bootloader by using TWRP, which will be installed on the SD card because there won't be any verification done, after which it is possible to dump the internal memory and reverse engineer the bootloader and whatever is needed to hopefully unlock the bootloader on CID11 devices? (I believe it was somewhat similar for the CID15.)