tags:secure_bootmedia_decoderauth_bypassandroid original link: When Samsung meets MediaTek: the story of a small bug chain newsletter link: exploits.club Weekly Newsletter 33 - CPU Vulns, Breaking Samsung Bootloaders, Tony Hawk Pro Skater, And More
Exploits Club Summary:
We are only 2 months late to this one, but who can blame us given the amount of content Quarkslab has continued to turn out? In this paper, the team walks through the research they conducted against low-end Samsung devices, specifically targeting the JPEG logo parsing of the bootloader. The first half of the post walks through the RE process, identification of a heap overflow, and exploitation to achieve full control over Normal World Execution Levels 1 and 0. It then discusses an Odin authentication bypass, which actually allows for the malicious JPEG to be flashed to the device. The second half of the post looks at targeting the TEE, and identifies memory leak which allowed the retrieval of keystore keys once they are loaded into Secure World RAM.