Category Archives: Cell Phone (iPhone, Android, windows mobile)

About CVE-2023-3006 – Specter-BHB on arm update on end of May 2023 (1st June 2023)

Preface: Speculate that this CVE is custom for Ampere Computing. Ampere Computing is an ARM architecture licensee and develops its own server microprocessors.

Background: Certain Arm Cortex and Neoverse processors through 2022-03-08 do not properly restrict cache speculation, aka Spectre-BHB. An attacker can leverage the shared branch history in the Branch History Buffer (BHB) to influence mispredicted branches. Then, cache allocation can allow the attacker to obtain sensitive information.

Vulnerability details: CVE-2023-3006 – A known cache speculation vulnerability, known as Branch History Injection (BHI) or Spectre-BHB, becomes actual again for the new hw AmpereOne. Spectre-BHB is similar to Spectre v2, except that malicious code uses the shared branch history (stored in the CPU Branch History Buffer, or BHB) to influence mispredicted branches within the victim s hardware context. Once that occurs, speculation caused by the mispredicted branches can cause cache allocation. This issue leads to obtaining information that should not be accessible.

Official details: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-3006

CVE-2023-32067 – c-ares is vulnerable to denial of service (30th May 2023)

Preface: c-ares is a C language implementation of asynchronous request DNS. When using c-ares, you usually only need to reference the ares.h header file, and the related header files of the library are included.

Background: For some asynchronous DNS requests, Node[.]js uses a C library called c-ares.
So called Async DNS – This feature bypasses the normal operating system mechanisms for resolving domain names and uses the browser directly. In this mode, DNS requests will communicate directly own DNS servers and some third party providers.

Vulnerability details: c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.

According to the technical aspect of UDP packet with a length of 0 matter. Do you have below queries?
Writing a datagram of length 0 is acceptable. In the case of UDP, this results in an IP datagram containing an IP header (normally 20 bytes for IPv4 and 40 bytes for IPv6), an 8-byte UDP header, and no data. This also means that a return value of 0 from recvfrom is acceptable for a datagram protocol: It does not mean that the peer has closed the connection, as does a return value of 0 from read on a TCP socket. Since UDP is connectionless, there is no such thing as closing a UDP connection.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-32067

About CVE-2023-32695 – A patch has been released in socket[.]io-parser version 4.2.3.

Preface: In technical aspect, a Socket[.]IO server can sustain 10,000 concurrent connections. Therefore you can build a chat experience and using Socket[.]IO as your realtime communication solution. But if you want chat users to receive push notifications when they’re not actively using the app, Socket[.]IO can’t help, as it relies on a persistent socket connection.

Background: Socket[.]IO is a library that enables real-time, bidirectional and event-based communication between the browser and the server.
A socket[.]io encoder and decoder written in JavaScript complying with version 4 of socket[.]io-protocol. Used by socket[.]io and socket[.]io-client.
In addition, a socket[.]io-parser has included. A socket.io encoder and decoder written in JavaScript complying with socket[.]io-protocol. Used by socket[.]io and socket[.]io-client.

Ref:socket-io[.] client is the code for the client-side implementation of socket[.]io[.] That code may be used either by a browser client or by a server process that is initiating a socket[.]io connection to some other server (thus playing the client-side role in a socket[.]io connection).

Vulnerability details: socket[.]io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket[.]io-protocol.

Potential impact: A specially crafted Socket[.]IO packet can trigger an uncaught exception on the Socket[.]IO server, thus killing the Node[.]js process.

Solution: A patch has been released in version 4.2.3.

Official announcement: For details, please refer to the link – https://nvd.nist.gov/vuln/detail/CVE-2023-32695

CVE-2022-33302 – Memory corruption due to improper validation of array index in User Identity Module when APN TLV length is greater than command length.(25th May 2023)

Preface: Perhaps you feeling that it’s not follow best practice when it is a zero-day matter. Seems this CVE was late published. The fact is that the impact look serious. So before vendor resolve the problem. Vendor do not intent disclose to public. But problem resolved now.

Background: The User Identity Module may contain information such as the NAM (Number Assignment Module) and subscription feature information. Based on design, UIM can be integrated into the smartphone or it may be a R-UIM (Removable Identity Module).
Refer to vendor design mechanism, Reading a mobile subscriber identity from a memory device associated with the smartphone; determining if part or all of the mobile subscriber identity matches a data set entry within a file associated with the smartphone.
For example, a program assists find highest number in an array by the pointer. As a result, the result of high-array is the number of elements from the start of the array to the element pointed to by high, and that is the index of that element.

Ref: What is a Function Pointer? Function Pointers are pointers, i.e. variables, which point to an address of a function. The running programs get a certain space in the main memory. Both, the executable compiled program code and the used variables, are put inside this memory.

Vulnerability details: Qualcomm found that a memory corruption due to improper validation of array index in User Identity Module when APN TLV length is greater than command length.

Official details: Please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2022-33302

CVE-2023-32413 A race condition occurred in process state handling. It is very common in OS systems, be it Linux or Microsoft Windows. (23rd May 2023)

Preface: A race condition vulnerability typically occurs when your application has access to the same shared data and attempts to change variables within it simultaneously. Applications can become vulnerable to race conditions if they interact with other applications that use parallel processing or multiple threads.

Background: A process describes an individual running instance of a program. It has its own memory, which it does not share with other programs. A process can run code in multiple separate threads. These threads can run code independently of each other.
In Linux, a process is an instance of executing a program or command. While these processes exist, they’ll be in one of the five possible states:

  • Running or Runnable (R)
  • Uninterruptible Sleep (D)
  • Interruptable Sleep (S)
  • Stopped (T)
  • Zombie (Z)

Ref: Zombie processes are already dead, so they cannot be killed, they can only be reaped, which has to be done by their parent process via wait*(). This is usually called the child reaper idiom, in the signal handler for SIGCHLD.

When a child process stops or terminates, SIGCHLD is sent to the parent process. The default response to the signal is to ignore it. The signal can be caught and the exit status from the child process can be obtained by immediately calling wait(2) and wait3(3C). This allows zombie process entries to be removed as quickly as possible.

Vulnerability details: A race condition was addressed with improved state handling.

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to gain root privileges

Official announcement: About the security content of iOS 16.5 and iPadOS 16.5. Please refer to the link – https://support.apple.com/en-us/HT213757

About CVE-2023-21666 – Memory Corruption in Graphics while accessing a buffer [Android Security Bulletin in 1st May 2023] (12th May 2023)

Preface: In smartphone, a GPU is similar a graphic card. Meanwhile, it’s the GRAPHICS PROCESSING UNIT which is similar to the CPU processor but instead it’s specifically dedicated for rendering 3D graphics. If your phone does not have one, then you will not be able to play any 3D games.

Background: Whenever a user space application requests a memory allocation for graphics processing, existing technology will seek to allocated nearest order pages from system memory (initially) to map to the GPU.
A patent design
KGSL pool is common for all the clients or processes that are using the graphics user space driver of the device. Whenever a user space application requests a memory allocation for graphics processing, existing design will seek to allocated nearest order pages from system memory (initially) to map to the GPU. Once the application is done with its work, it releases those pages back to the KGSL pool as free for another allocation.
the KGSL pool is common for all the clients or processes that are using the graphics user space driver of the device.

Vulnerability details: Memory Corruption in Graphics while accessing a buffer allocated through the graphics pool.

Official announcement – For details, please refer to the link below
Android: https://source.android.com/docs/security/bulletin/2023-05-01
Qualcomm: https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2023-bulletin.html

What is the value of the Trusted Execution Environment (TEE) ? (20th JAN 2023)

Preface: Some said, found malware lets cybercriminal remotely manipulate your Android.

Background: The full name of TEE is trusted execution environment, which is an area on the CPU of mobile devices (smart phones, tablets, smart TVs). The role of this area is to provide a more secure space for data and code execution, and to ensure their confidentiality and integrity.

Other TEE operating systems are traditionally supplied as binary blobs by third-party vendors or developed internally. Developing internal TEE systems or licensing a TEE from a third-party can be costly to System-on-Chip (SoC) vendors and OEMs.

Trusty is a secure Operating System (OS) that provides a Trusted Execution Environment (TEE) for Android. A Trusty application is defined as a collection of binary files (executables and resource files), a binary manifest, and a cryptographic signature. At runtime, Trusty applications run as isolated processes in unprivileged mode under the Trusty kernel.

Technical details: According to headline news, a new Android malware named ‘Hook’ is being sold by cybercriminals, boasting it can remotely take over mobile devices in real-time using VNC (virtual network computing). said bleepingcomputer news.

For details, please refer to URL – https://www.bleepingcomputer.com/news/security/new-hook-android-malware-lets-hackers-remotely-control-your-phone/

Speculation: If this reported malware achieves their goals, do you think they will relies on vulnerability such as CVE-2023-21420?

Solution: To avoid Android malware, you should only install apps from the Google Play Store.

Here’s wishing you a Happy Chinese New Year 2023.

CVE-2022-47630 – See whether your android can skip this vulnerability? Perhaps it can. (16th Jan 2023)

Preface: Why configure Secure Boot? This type of hardware restriction protects the operating system from rootkits and other attacks that may not be detected by antivirus software.

Background: Secure Boot is the process where the operating system boot images and code are authenticated against the hardware before they are authorized to be used in the boot process. The hardware is pre-configured to authenticate code using trusted security credentials. ARM architectures are the most common electronic design in the world, even though x86 is more common in the server market. ARM architectures are used in almost all smartphone designs, as well as in other small mobile devices and laptops.

Arm is the CPU architecture used by all modern smartphones in the Android and Apple ecosystems.

Vulnerability details: Trusted Firmware-A through 2.8 has an out-of-bounds read in the X.509 parser for parsing boot certificates. This affects downstream use of get_ext and auth_nvctr. Attackers might be able to trigger dangerous read side effects or obtain sensitive information about microarchitectural state.

Additional Details – One of its designs is not affected by this vulnerability:

If the config like below:

“load_auth_image” invoke “load_auth_image_internal” – See the attached picture for details

If the platform uses a custom image parser instead of the certificate
parser, the bug in the certificate parser is obviously not relevant. The
bug in auth_nvctr() may be relevant, but only if the returned data is:

  • Taken from an untrusted source (meaning that it is read prior to
    authentication).
  • Not already checked to be a primitively-encoded ASN.1 tag.
    In particular, if the custom image parser implementation wraps a 32-bit integer in an ASN.1 INTEGER, it is not affected.

Official announcement : Official details, please refer to url – https://nvd.nist.gov/vuln/detail/CVE-2022-47630

Retrospect a simple bug in smartphones software development in 2022 (28th Dec 2022)

Denial of service from the big world to the small world

Preface: Perhaps the historical information can be enrich our knowledge base. Even through you think the information I posted by today not very useful. However this is so called database. See whether you are still interested in this matter today?

Background:

The Flutter framework is a popular, multi-platform UI toolkit that’s powered by the Dart platform, and that provides tooling and UI libraries to build UI experiences that run on iOS, Android, macOS, Windows, Linux, and the web. When creating configuration files for application projects, languages like Python and the Google-developed Flutter framework for Dart both use YAML (. yaml). Furthermore, YAML can be used to format containerized files. Cloud computing operations also using it.

There are several libraries available to parse. yaml is a popular library to read yaml files. yaml_writer library is used to write to a yaml file.

  • yaml[.]dart for reading
  • yaml_writer for write operations

yaml is a popular library in dart and flutter for reading the yaml file and yaml_writer for writing to yaml document.

Ref: YAML is a data serialization language that is often used for writing configuration files. Depending on whom you ask, YAML stands for yet another markup language or YAML ain’t markup language (a recursive acronym), which emphasizes that YAML is for data, not documents. 

Vulnerability details: Certain versions of Gopkg[.]in/yaml[.]v2 from Gopkg[.]inyaml[.]v2 contain the following vulnerability:
Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.

Official announcement: For details about the vulnerability, please refer to the official announcement – https://pkg.go.dev/vuln/GO-2022-0956

Wish you a Happy New Year.

CVE-2022-46702 Apple iOS/iPadOS up to 16.1.2 GPU Drivers memory corruption (23rd Dec 2022)

Preface: When an external GPU is connected to the iOS system. Refer to attached diagram , it will perform compute simulations on that external GPU. And thus graphics rendering on a built-in GPU.

According the current GPU design. Do you think is there desugn weakness happen here. For instance, memory access control and access permission.

Background: A MTLBuffer can’t be directly transferred between different devices; its data must be transferred via system memory. Refer to attached diagram. The sample calls the vm_allocate function to allocate a page-aligned buffer, updateAddress, backed by system memory. The sample then calls the newBufferWithBytesNoCopy:length:options:deallocator: method to create a new MTLBuffer, _updateBuffer, backed by the same system memory used for the previous buffer.

Vulnerability details: The issue was addressed with improved memory handling. This issue is fixed in iOS 16.2 and iPadOS 16.2. An app may be able to disclose kernel memory.

As details could not be found in the official announcement. My speculation is shown as below:

According to step 1 and 2 (refer to attached diagram), believe that it will have way to enhance the access control of GPU Driver buffer. The reason is that it may have potential risk  let attacker do manipulation with an unknown input leads to a memory corruption vulnerability. As a result, it may be possible for an application to leak kernel memory.

Official announcement: For details, see the link – https://support.apple.com/en-us/HT213530

  • Christmas is celebrated to commemorate the birth of Jesus Christ, who Christians believe is the Son of God. Sunday, December 25, 2022 is Christmas. Maybe you don’t have this belief. However, I also wish you Merry Christmas and my best wishes to you and your family.