Researchers from Viral Security Group have discovered three vulnerabilities in Samsung Knox, a security platform that allows users to maintain separate identities for work and personal use, and is built into some of the company’s Android smartphones and tablets.
Knox is meant to protect the integrity of the entire device – both hardware and software – but apparently there are ways to bypass some of those protections, specifically those offered by the Real-time Kernel Protection (RKP) module.
“A prerequisite for subverting the RKP module is a write-what-where kernel vulnerability,” the researchers explained.
For their attack, they used CVE-2015-1805, a vulnerability in the processing of vectored pipes by the Linux kernel that is exploitable on recent Samsung devices and has an open-source exploit implementation.
The “KNOXout” vulnerabilities (CVE-2016-6584) allowed the researchers to bypass the RKP protections and execute code in the system user context. They also managed to gain root privileges on the device and disable additional kernel protections.
That type of access to the system can be exploited to thoroughly compromise the device, for example by replacing legitimate applications with malicious versions that have all the possible permissions.
More information about the technology and the exploits can be found in this paper, and the researchers have published a PoC exploit for the flaws, targeting the Galaxy S6, on GitHub.
The researchers also documented possible fixes for the flaws and informed Samsung of them earlier this year.
The company patched them in its May security update, and users who haven’t already installed it are advised to do so as soon as possible.