Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 30 Mar 2018 23:08:02 +0800
From: flanker017 <flankerhqd017@...il.com>
To: oss-security@...ts.openwall.com, zhuozhuozhuozhuozhuo@...il.com, 
	l.dmxcsnsbh@...il.com
Subject: Fwd: [scr485440] 5 Samsung CVEs

 Hello:

The following issues are addressed with corresponding CVEs assigned by
MITRE for Samsung Mobile Security February update 2018.

Security bulletin: https://security.samsungmobile.com/securityUpdate.smsb

Referring to SMR-FEB-2018 section:

SVE-2017-10991: Heap overflow in sensorhub binder service lead to code
> execution in privileged process
> Severity: Moderate
> Affected Versions: M(6.0), N(7.x)
> Reported on: November 8, 2017
> Disclosure status: Privately disclosed.
> Heap overflow vulnerability in sensorhub binder service can lead to code
> execution in privileged process.
> The patch checks the size of buffer before the memcpy() to avoid heap
> overflow.
>

This issue is assigned CVE-2018-9143
Credits: Qidan He (@flanker_hqd) , Zhuoyuan Li


> SVE-2017-11165: Buffer overflow in vision
> Severity: High
> Affected Versions: N(7.x)
> Reported on: November 8, 2017
> Disclosure status: Privately disclosed.
> Buffer overflow vulnerability in vision service can lead to local
> arbitrary code execution in a privileged process when the frame size is
> over 2M.
> The patch protects the size under enqueue frame using memcpy.
>
>
This issue is assigned CVE-2018-9139
Credits: Qidan He(@flanker_hqd)

SVE-2017-10747: Code Execution and arbitrary file loading in Email
> Severity: Critical
> Affected Versions: M(6.0)
> Reported on: Nobember 2, 2017
> Disclosure status: Privately disclosed.
> Vulnerability email app allows an attacker to execute javascript using
> event attribute and load arbitrary local file using src attribute.
> The patch restricts the file scheme and javascript in event attribute.
>
> This issue is assigned CVE-2018-9140
Credits: Qidan He(@flanker_hqd), Gengming Liu(@dmxcsnsbh), Zhen Feng

SVE-2017-10932: Arbitrary application installation in Secure Folder
> Severity: Moderate
> Affected Versions: N(7.x)
> Reported on: November 10, 2017
> Disclosure status: Privately disclosed.
> A random APK can be installed through Secure Folder SDCARD area.
> The patch fixed the logic to check package signature and package name to
> install verified Backup and restore APK.
>
> This issue is assigned CVE-2018-9142
Credits: Qidan He(@flanker_hqd)


> SVE-2017-11105: Code execution in Samsung Gallery
> Severity: Low
> Affected Versions: L(5.x), M(6.0), N(7.x)
> Reported on: November 8, 2017
> Disclosure status: Privately disclosed.
> Vulnerability in Gallery allows code execution with a BMP file.
> The patch fixed the parser to validate proper resolution of BMP file.


This issue is assigned CVE-2018-9141
Credits: Qidan He(@flanker_hqd), Zhuoyuan Li

Thanks.
---------- Forwarded message ----------
From: <cve-request@...re.org>
Date: 2018-03-30 14:46 GMT+08:00
Subject: Re: [scr485440] 5 Samsung CVEs
Cc: cve-request@...re.org


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> [Suggested description]
> On Samsung mobile devices with N(7.x) software, a buffer overflow in the
vision service allows code execution in a privileged process
> via a large frame size, aka
> SVE-2017-11165.
>
> ------------------------------------------
>
> [Additional Information]
> Security bulletin: https://security.samsungmobile.com/securityUpdate.smsb
>
> Referring to SMR-FEB-2018 section:
>
> SVE-2017-11165: Buffer overflow in vision
> Severity: High
> Affected Versions: N(7.x)
> Reported on: November 8, 2017
> Disclosure status: Privately disclosed.
> Buffer overflow vulnerability in vision service can lead to local
arbitrary code execution in a privileged process when the frame size is
over 2M.
> The patch protects the size under enqueue frame using memcpy.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Buffer Overflow
>
> ------------------------------------------
>
> [Vendor of Product]
> Samsung Mobile
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Samsung Mobile Android N(7.x) - N(7.x) before patch level SMR-FEB-2018
>
> ------------------------------------------
>
> [Affected Component]
> Samsung System Service: vision
>
> ------------------------------------------
>
> [Attack Type]
> Local
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Impact Escalation of Privileges]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> Local malicious app
>
> ------------------------------------------
>
> [Reference]
> https://security.samsungmobile.com/securityUpdate.smsb
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Qidan He (@flanker_hqd)

Use CVE-2018-9139.


> [Suggested description]
> On Samsung mobile devices with M(6.0) software, the Email application
allows XSS via an event attribute and arbitrary file loading via a src
attribute,
> aka SVE-2017-10747.
>
> ------------------------------------------
>
>
> Security bulletin: https://security.samsungmobile.com/securityUpdate.smsb
>
> Referring to SMR-FEB-2018 section:
>
> SVE-2017-10747: Code Execution and arbitrary file loading in Email
> Severity: Critical
> Affected Versions: M(6.0)
> Reported on: Nobember 2, 2017
> Disclosure status: Privately disclosed.
> Vulnerability email app allows an attacker to execute javascript using
event attribute and load arbitrary local file using src attribute.
> The patch restricts the file scheme and javascript in event attribute.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Vendor of Product]
> Samsung Mobile
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Samsung Mobile M(6.0) - M(6.0) before patch level SMR-FEB-2018
>
> ------------------------------------------
>
> [Affected Component]
> Samsung Email Application
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Escalation of Privileges]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> Remote
>
> ------------------------------------------
>
> [Reference]
> https://security.samsungmobile.com/securityUpdate.smsb
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Qidan He (@flanker_hqd), Gengming Liu, Zhen Feng

Use CVE-2018-9140.


> [Suggested description]
> On Samsung mobile devices with L(5.x), M(6.0), and N(7.x) software,
Gallery allows remote attackers to execute arbitrary code via a
> BMP file with a crafted resolution, aka SVE-2017-11105.
>
> ------------------------------------------
>
> [Additional Information]
> Security bulletin: https://security.samsungmobile.com/securityUpdate.smsb
>
> Referring to SMR-FEB-2018 section:
> SVE-2017-11105: Code execution in Samsung Gallery
> Severity: Low
> Affected Versions: L(5.x), M(6.0), N(7.x)
> Reported on: November 8, 2017
> Disclosure status: Privately disclosed.
> Vulnerability in Gallery allows code execution with a BMP file.
> The patch fixed the parser to validate proper resolution of BMP file.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Buffer Overflow
>
> ------------------------------------------
>
> [Vendor of Product]
> Samsung Mobile
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Samsung Mobile Android L(5.x), M(6.0), N(7.x) - L(5.x), M(6.0), N(7.x)
before patch level SMR-FEB-2018
>
> ------------------------------------------
>
> [Affected Component]
> Samsung Gallery
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> Remote BMP file
>
> ------------------------------------------
>
> [Reference]
> https://security.samsungmobile.com/securityUpdate.smsb
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Qidan He (@flanker_hqd), Zhuoyuan Li

Use CVE-2018-9141.


> [Suggested description]
> On Samsung mobile devices with N(7.x) software, attackers can install an
arbitrary APK in the Secure Folder SD Card area because
> of faulty validation of a package signature and package name, aka
SVE-2017-10932.
>
> ------------------------------------------
>
> [Additional Information]
> Security bulletin: https://security.samsungmobile.com/securityUpdate.smsb
>
> Referring to SMR-FEB-2018 section:
> SVE-2017-10932: Arbitrary application installation in Secure Folder
> Severity: Moderate
> Affected Versions: N(7.x)
> Reported on: November 10, 2017
> Disclosure status: Privately disclosed.
> A random APK can be installed through Secure Folder SDCARD area.
> The patch fixed the logic to check package signature and package name to
install verified Backup and restore APK.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Insecure Permissions
>
> ------------------------------------------
>
> [Vendor of Product]
> Samsung Mobile
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Samsung Mobile N(7.x) - N(7.x) before patch level SMR-FEB-2018
>
> ------------------------------------------
>
> [Affected Component]
> Samsung Secure Folder
>
> ------------------------------------------
>
> [Attack Type]
> Local
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Escalation of Privileges]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> Local Malicious App
>
> ------------------------------------------
>
> [Reference]
> https://security.samsungmobile.com/securityUpdate.smsb
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Qidan He (@flanker_hqd)

Use CVE-2018-9142.


> [Suggested description]
> On Samsung mobile devices with M(6.0) and N(7.x) software, a heap
overflow in the sensorhub binder service leads to code execution in a
privileged process,
> aka SVE-2017-10991.
>
> ------------------------------------------
>
> [Additional Information]
> Security bulletin: https://security.samsungmobile.com/securityUpdate.smsb
>
> Referring to SMR-FEB-2018 section:
>
> SVE-2017-10991: Heap overflow in sensorhub binder service lead to code
execution in privileged process
> Severity: Moderate
> Affected Versions: M(6.0), N(7.x)
> Reported on: November 8, 2017
> Disclosure status: Privately disclosed.
> Heap overflow vulnerability in sensorhub binder service can lead to code
execution in privileged process.
> The patch checks the size of buffer before the memcpy() to avoid heap
overflow.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Buffer Overflow
>
> ------------------------------------------
>
> [Vendor of Product]
> Samsung Mobile
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Samsung Mobile Android M(6.0), N(7.x) - M(6.0) N(7.x) before SMR-FEB-2018
>
> ------------------------------------------
>
> [Affected Component]
> Samsung System Process: sensorhub binder service
>
> ------------------------------------------
>
> [Attack Type]
> Local
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Impact Escalation of Privileges]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> Local malicious app
>
> ------------------------------------------
>
> [Reference]
> https://security.samsungmobile.com/securityUpdate.smsb
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Qidan He (@flanker_hqd) , Zhuoyuan Li

Use CVE-2018-9143.


- --
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJavdzuAAoJEA2h+fVryJLoC8wP/06qp7yIGOo/LxASGnUM1EEb
xBBEbyhlZ2d9NWb81Z5lsdx17JGfuZXSlS8rKMJCjP401ls8Vy6uDvjJdVKHQODw
mohK/IAO+3D7989JMBGTStBDcZfMydTN170CiKXnyxP0pRwEnb9To3XOB3fLnwmW
v1TlMndd+n3nBj9A0esycmxteZ4d7iL3JdMJlpMNsTKQLC/GgVCcuXOyyHs5WK5R
tMGDK1dbQoxoQpyYohmwsQY+YanKdcrilRiWn+fl4kNw6rRbkrQ0DDnrtsDJ/sPD
kRWOG7znaSWF0+Jnd0LGQvPHsJ/9iG949UuGvXau9k9jCl+q7t3wBmkfPSVhgqJp
HSyXuJLsTdlEEwc9Rb2W4e33X9IpFwH7eqW7Herb8L+tE6zNsiWsFxPAvSgXFg8v
LciDdklIHm5P09AHs/Wbtk3t1m6GTWMbJ9SZHHrDxWJBUYdwOnlqKKAcZsxEjXxu
9KI7nb2trZ3MclgOXC63Rkw9cmGXyn1hw1H/4uE3+eAFsQIMf0mEuPS2kCAT2ydQ
hL5hMM7LdxDpacGMP8qhQYP2EPq8d7vjk7U2S9IFHVw9+PBsCrzPy6kejY3WcHWn
+sQZ1McS9jno86n3DVqtwe2KR+1Yp2eoFYombziXxdy43XfRPpiJxjhenTKKml8d
L1OsYAsavgLdvMvOM6dK
=Y3Ps
-----END PGP SIGNATURE-----



-- 
Sincerely,
Flanker He (a.k.a. Qidan He)
Website: https://flanker017.me <http://flanker017.me>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.