Accessing Samsung Phone (Device ROM) firmware files

In this article, we will look at how to find the correct version of libhwui.so that is vulnerable to CVE-2020-8899. We are looking for the exact version that ships with the Samsung Note 10+ stock firmware. Once we have the libhwui.so, we will use it in the upcoming articles to build our fuzzing harness to identify the same bug.
Dec 4

Accessing Samsung Phone firmware files

When diving into research on a particular device, such as a Samsung Galaxy or Note, or one from another manufacturer, having access to the device's files is essential.

Thankfully, the internet has made many of these device ROMs readily available for download. Within these ROMs, you’ll find a suite of components including firmware, baseband firmware, the kernel, vendor files, system partitions, and more. The ability to access all these files, along with the stock apps, is incredibly advantageous for us. It means we can embark on our journey into vulnerability research without needing the physical device in our hands.


Throughout this article, we’ll take you through the process of obtaining the firmware of a specific device from the web, mounting the system.img on your computer, and navigating through the files to find what you need for your research.

Downloading and Preparing Files

There are several websites on the internet that offer stock firmware to download. For Samsung devices we can go to websites like www.samfw.com.

Since we are looking for the vulnerable libhwui.so mentioned in the Project Zero article, https://googleprojectzero.blogspot.com/2020/07/mms-exploit-part-1-introduction-to-qmage.html, we need to find the correct device and a firmware version in which the bug is not yet patched.

Looking at the security patch level, 2020-01-01, we know that this firmware version is not yet patched against CVE-2020-8899.

Let's download this file.

Extracting the Firmware

After successfully downloading the firmware for the Samsung Note 10, our next step is to prepare the files for analysis. Begin by unzipping the downloaded file, which contains the firmware components. Each of these components typically has a .md5 extension to ensure their integrity.
For our purposes, we need to convert these .md5 files to a format that we can further unpack. To do this, rename the file extensions from .md5 to .tar. This change enables us to use common archival tools to extract the contents of the firmware.

Here is the command sequence for a Unix-like terminal, which automates the renaming and unzipping process:
After this, we decompress all the tar files and extract their contents.
By executing these commands, you will have access to all the individual files within the firmware, such as the system image and kernel, which you can then use for further security testing.

Analyzing the System Image

In our exploration of the firmware files, we encounter a variety of components critical to device operation. An example is modem.bin, which houses the firmware for the baseband processor. The secrets of such files will be delved into in subsequent posts.

Currently, our focus is on system.img — an image file representing a system partition. To interact with its contents, we must first convert it into a mountable format.

The conversion is accomplished with the simg2img tool, which transforms the sparse image format into a raw image file. Execute the following command:
Upon conversion, we prepare a mount point for this raw system image. The directory /media/SamsungFS will serve as our mount point.

We proceed with mounting the system.raw file to this directory using the command:
With the system.raw image successfully mounted, we now have full access to the file system of the Samsung Note 10's ROM. This methodology isn't exclusive to Samsung devices; it can be universally applied to ROMs from other manufacturers, such as Huawei, enabling the analysis of various system images across different devices.
Since we mounted the image as a disk, we can now access it through our file manager.
File manager access to the ROM files.
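The conversion, mount and search steps above, as an added example that is not part of the article: this POSIX shell script first checks whether system.img is actually an Android sparse image (magic 0xED26FF3A) or already a raw ext4 image (superblock magic 0xEF53 at offset 1080), runs simg2img only when needed, mounts the result read-only at the article's /media/SamsungFS, and lists every libhwui.so in the mounted ROM. The function names are my own; mounting requires root, and simg2img is assumed to be installed.

```shell
#!/bin/sh
# Detect the image format, convert if sparse, mount read-only, find libhwui.so.
set -eu

# image_kind FILE: prints "sparse", "ext4" or "unknown".
image_kind() {
    f="$1"
    # Android sparse header: magic 0xED26FF3A stored little-endian on disk.
    if [ "$(od -An -tx1 -N4 "$f" | tr -d ' \n')" = "3aff26ed" ]; then
        echo sparse
    # ext4 superblock starts at offset 1024; its magic 0xEF53 sits at 1080.
    elif [ "$(od -An -tx1 -j1080 -N2 "$f" 2>/dev/null | tr -d ' \n')" = "53ef" ]; then
        echo ext4
    else
        echo unknown
    fi
}

# mount_system IMG MOUNTPOINT: convert with simg2img only when the image is
# sparse, then mount read-only so nothing in the ROM is modified while we
# analyse it. Prints the path of every libhwui.so found under MOUNTPOINT.
mount_system() {
    img="$1"; mnt="$2"; raw="${img%.img}.raw"
    case "$(image_kind "$img")" in
        sparse) simg2img "$img" "$raw" ;;
        ext4)   raw="$img" ;;
        *)      echo "unrecognised image format: $img" >&2; return 1 ;;
    esac
    mkdir -p "$mnt"
    sudo mount -o ro,loop "$raw" "$mnt"
    find "$mnt" -name libhwui.so 2>/dev/null
}

# Usage: mount_system system.img /media/SamsungFS
```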

Finding the vulnerable libhwui.so (CVE-2020-8899)

Now that we can access the files, let's look for what we came for: the libhwui.so that is vulnerable to the infamous MMS vulnerability discovered by Mateusz Jurczyk from Google Project Zero. This vulnerability is specific to Samsung's Android OS versions, which makes it a perfect example for this series.

We locate the libhwui.so file by searching in the ROM files. 
The Project Zero article notes that version numbers are embedded in the function names, which gives us a good way to compare our version.
We can open our libhwui.so in Ghidra and look in the Symbol Tree at the exports around QuramQmageDecVersion; the Rev***** function names tell us whether we have pulled the correct version from the vendor firmware.
Additionally, you have the option to extract and analyze the applications pre-installed on stock firmware, which is a vital step in conducting comprehensive vulnerability research. 
The installed APK files can now be retrieved for further investigation.

Conclusion

Our digital excavation into the Samsung firmware has unearthed a wealth of information ripe for vulnerability research. We've traversed from downloading to deep analysis, using readily available online resources to access the firmware, and converting files into a workable format. By mounting the system image, we've gained direct insight into the device's operating core, all without the need for the physical hardware.

With the libhwui.so library now under our microscope, we stand at the threshold of uncovering the nuances of CVE-2020-8899. This is just the beginning, as our upcoming articles will delve into the modem.bin, a component as intriguing as it is vital, offering a gateway to understanding the baseband chip's security landscape.

Want to learn advanced fuzzing and exploitation? Check out our courses, “Android Userland Fuzzing and Exploitation” and “Android Kernel Fuzzing and Exploitation”, or do some of our free labs.