I used the path and file structure to bypass Samsung Knox protection in an unauthorized manner to read the files stored in the secure folder, and received a $3750 reward from Samsung.

Severity: High | SVE-2020-18025

Vulnerability introduction

Normally, Samsung’s multi-user storage environment (MULTI-USER STORAGE) uses the Secure Folder app to protect confidential files, and the content provider (Content Provider) does not have the right to access the files. Therefore, they cannot be accessed with a browser or app.

Related files in a multi-user storage environment.

The vulnerability is that, when the secure folder is locked, the content URL link can still be used to access these secure files through the Samsung browser.

To access a specific file in a multi-user storage environment, you need to add the corresponding file number to the content URL link. Therefore, you can use a JavaScript script to enumerate all files in the multi-user storage environment.

Obtain user information in a multi-user storage environment:

Then you will get the following information:

UserInfo running

Construct the following content URL links to access the corresponding 3.

Based on this vulnerability, construct the following html code file to enumerate the files in the storage:

var scriptElement = document.createElement("script")
ĭ(scriptElement)

In order to verify the vulnerability and reduce the attack steps, here the html file is sent to the victim via WhatsApp.

When the victim opens the html file in the Samsung browser, the file will perform file enumeration. If a valid file is found, the corresponding content URL link path will be displayed (technically speaking, the response can also be set in the html file so that the attacker can get it).

In the same way, if you open the content URL link obtained above in the Samsung browser, the specific secure file can be displayed, and it can then be sent via an XHR request to the server controlled by the attacker.
Open the Settings menu on your Samsung Galaxy device and navigate to Biometrics and security > Secure Folder. Description: Samsung Knox is a defensive mobile security platform that is built into Samsung devices and enhances security in all directions through a combination of physical means and software systems, providing security protection from the hardware to the application layer.