Exploiting Security Software: Android Edition

It's hard not to sound gleeful when you've exploited security software. After all, this is software by and for Our People, people who are nominally In The Know about security. Security software is special, in that it's not merely supposed to be "secure," but is intended to enhance security for the user when installed and running. So, getting a working exploit together that targets this kind of software tends to feel more rewarding -- the security researcher has bested the security software developer at their own game, one in which the developer is perceived to be at least on better footing when it comes to securing software.

This week, we're taking a look at Samsung KNOX. According to the website, this software is intensely rad. It does something with fingerprints, has a bunch of lock symbols all over the place, and promises to protect you from bad guys.

Okay, I admit that I have only the vaguest idea of what it's supposed to do -- it looks to me like it sandboxes your business data from the rest of your wild and wooly Android environment. Really, the only reason I know anything at all about KNOX is the new Metasploit module that targets it, thanks to the original research by Andre Moulu and the implementation work by Joe Vennix and Joshua "jduck" Drake.

It's a pretty fun attack which ends up irritating your target into acquiescing to installing malware. Joe's also put together a video of the attack in action, documenting the inevitable frustration of hitting the looping "Later" button. The fact that the attacker can make it appear that a security control is nonfunctional is what eventually leads to a total compromise.

It's important to note that while this is an Android attack, it's limited just to higher-end Samsung devices that offer KNOX as part of their firmware. Given the apparent disconnects between Android the operating system, the handset manufacturers which implement it, and the carriers which add their own (often unremovable) additions, we can expect more of these handset-targeted attacks to come. This situation is compounded by the fact that Android 5.0 (Lollipop) promises some major shifts in the way the core OS is secured and patched, therefore promoting the downstream providers as the more reliably exploitable targets.

In other words, not only is the Android ecosystem itself fractured, we can expect the Android attacker ecosystem to follow suit.

New Modules

In addition to the KNOX exploit discussed above, we have one other exploit and three new auxiliary modules that landed this week. Are your colleagues running Quake servers on their workstations? Time to find out, and more importantly, ask why they didn't invite you!

Exploit modules

Samsung Galaxy KNOX Android Browser RCE by Joe Vennix, Joshua Drake, and Andre Moulu exploits OSVDB-114590

MantisBT XmlImportExport Plugin PHP Code Injection Vulnerability by Egidio Romano and Juan Escobar exploits CVE-2014-7146

Auxiliary and post modules