The following write-up is a redacted sample of a previously reported security vulnerability report with a high severity security impact. You may refer to this sample as a template and guidance when reporting the security vulnerability you have identified.
Stack-based buffer overflow in the trusted storage Trusted Application (TA).
An incorrect bounds check in the trusted storage TA may allow a stack-based buffer overflow and arbitrary code execution within the TA.
There is a stack-based buffer overflow in the Trusted storage TA (TRUSTED_STORAGE_TA_FILE_NAME-XXXXX.ext with sha256 hash e98574f290b281a0f7808409037bf3f8********************************), within the getTlv**** function.
This function takes a parsed TLV structure and generates a new TLV-encoded buffer on the stack based on its contents. The beginning of the function looks as follows:
The tlvbuf is allocated on the stack with a size of 1024 bytes at /** 1 **/. It is then passed to find_tag to locate tags 0x52 and 0x71 at /** 2 **/. The find_tag function does the following:
The problem appears in tlv_write (offset 0x22C** within the TA binary), where bounds checks are performed:
At /** 3 **/ the output length is checked against the buffer length. However, at /** 4 **/ the TLV contents are copied to 'data + data_offset', and data_offset is not included in that check, so the write can extend past the end of the buffer.
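An added example (not code from the report or from the TA binary): a C stand-in for tlv_write() that places the length-only check described at /** 3 **/ beside a corrected check that accounts for the output offset. The 1-byte tag and length fields, the function names and the constructed 1024-byte buffer demo are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical stand-in for the TA's tlv_write(): appends one TLV element
 * (1-byte tag, 1-byte length, value) at data + data_offset. Assumed layout. */

/* Check as the report describes it: only the element length is compared
 * against the buffer size; the write position data_offset is ignored. */
bool tlv_fits_length_only(size_t data_len, size_t data_offset, size_t value_len)
{
    (void)data_offset;                       /* never consulted: the bug */
    return 2 + value_len <= data_len;
}

/* Corrected check: offset + header + value must end inside the buffer.
 * Subtracting instead of adding cannot wrap around size_t. */
bool tlv_fits(size_t data_len, size_t data_offset, size_t value_len)
{
    if (data_offset > data_len || value_len > 0xFF) /* 0xFF: 1-byte length */
        return false;
    return 2 + value_len <= data_len - data_offset;
}

/* Writes tag/len/value and returns the new offset, or -1 if it does not fit. */
long tlv_write_checked(uint8_t *data, size_t data_len, size_t data_offset,
                       uint8_t tag, const uint8_t *value, size_t value_len)
{
    if (!tlv_fits(data_len, data_offset, value_len))
        return -1;
    data[data_offset] = tag;
    data[data_offset + 1] = (uint8_t)value_len;
    memcpy(data + data_offset + 2, value, value_len);
    return (long)(data_offset + 2 + value_len);
}

/* Fills a 1024-byte stack buffer like tlvbuf with constructed 100-byte 0x52
 * elements; returns how many fit (10: an 11th would end at byte 1122). */
int fill_demo(void)
{
    uint8_t tlvbuf[1024], payload[100];
    long off = 0, next;
    int count = 0;
    memset(payload, 0x41, sizeof payload);
    while ((next = tlv_write_checked(tlvbuf, sizeof tlvbuf, (size_t)off,
                                     0x52, payload, sizeof payload)) >= 0)
        off = next, count++;
    return count;
}
```

With the length-only check, the same 100-byte element at offset 1000 of the 1024-byte buffer is accepted and the copy runs 78 bytes past the end of tlvbuf.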
The attached proof-of-concept exploit uses this vulnerability to achieve code execution within the TA. The exploit uses a ROP chain to call Print****** with controlled parameters for demonstration purposes.
Note that the exploit requires system or root privileges.
At least the Galaxy S* and Galaxy S* (Exynos and Qualcomm variants) are affected on the latest available firmware.
The exploit has been tested on G9**FXXU*****, with security patch level 201*-01-01.
On the host:
$ ndk-build ; adb push libs/armeabi-v7a/attack /data/local/tmp
On the phone, in an adb root shell:
/data/local/tmp # ./attack ; dmesg -c | grep Exploit
****************************************************************
* Tested with G9**FXXU***** firmware on a Galaxy S* phone. *
****************************************************************
[+] Exploit finished. Check the logs.
[ 2132.327013] **** TEE: e01|Exploit successful! Printed from TA.
The last line should contain the output of the TEE log printed by the exploit.
Proper bounds checking should be performed. In particular, the tlv_*****() function should take the output offset into account in the bounds check.
Furthermore, the TA should be compiled with stack canaries enabled to prevent trivial exploitation of this type of vulnerability.