ARM TrustZone: pivoting to the secure world

We discussed this vulnerability during Episode 200 on 28 March 2023

An exploit chain that targets Samsung’s TEEgris OS running in the ARM TrustZone secure world. TEEgris consists of a secure kernel and trustlets that run on the userspace side, which Android in the non-secure world can communicate with via Secure Monitor Calls (SMCs). The first vuln they found was in the Key Master (KEYMST) trustlet.

Stack overflow in KEYMST RSA Exponent Import As a key manager, the KEYMST trustlet allows non-secure world to import keys including RSA. When importing the exponent and reading the untrusted size, that size isn’t validated properly before copying in the exponent. They check that the size is less than 512 bytes, but when added to the exponent offset in the stack buffer for storing key info, it can go out-of-bounds.

They then did a classic return address overwrite and ROP chain, using qiling to emulate for testing their exploit.

Format string bug in Secure Kernel Logging Driver The secure kernel also contains secure drivers, one of which is the logging driver. The KEYMST trustlet has access to this driver, and can reach one of the logging-related ioctls implemented by log_msg(). The problem is, a user-provided argument is passed directly for the format string to printf(). The other arguments passed aren’t controlled directly by the attacker, but by exploiting the format string multiple times to increment arbitrary bytes, they could achieve arbitrary read/write.