Samsung S20 - Access External Storage Files

Product Samsung phones with Samsung Notes (prior to version 4.2.00.22)
Severity Low
CVE Reference CVE-2021-25367
Type Storage Security Bypass

Description

F-Secure looked into exploiting the Samsung S20 device for Tokyo Pwn2Own 2020. An issue was discovered that would have allowed a rogue application to access any file on the external storage partition without the "External Storage" Android permissions.

Technical Details

Samsung Notes (com.samsung.android.app.notes) has an exported content provider called "clipdatacontentprovider" that can be used by other applications to download files from the external storage. The issue is due to the class "com.samsung.android.support.senl.nt.base.framework.provider.ClipDataContentProvider" having two methods "onCreate" and "addRoot":

public boolean onCreate() {
Context context = getContext();
addRoot("external_files", new File(Environment.getExternalStorageDirectory(), "."));
File[] externalFilesDirs = ContextCompat.getExternalFilesDirs(context, null);
if (externalFilesDirs.length <= 0) {
return true;
}
addRoot("external-files-path", new File(externalFilesDirs[0], ShareCacheHelper.CACHE_PATH));
return true;
}
private void addRoot(String str, File file) {
if (!TextUtils.isEmpty(str)) {
try {
mRoots.put(str, file.getCanonicalFile());
} catch (IOException e) {
throw new IllegalArgumentException("Failed to resolve canonical path for " + file, e);
}
} else {
throw new IllegalArgumentException("Name must not be empty");
}
}

The class relies on the hashMap "mRoots" to keep track of what the content provider's root directories are. In the "onCreate" method, the external storage folder is added as an authorized root directory.

A rouge application installed on the same device can call this content provider to browse and download files from the External Storage area, bypassing the need to add "EXTERNAL_STORAGE_READ" or "EXTERNAL_STORAGE_WRITE" to the rouge application's manifest. As an example, F-Secure utilized its Android testing application, Drozer, to exploit this issue. The screenshot below shows that Drozer did not have any additional Android permisions (right) and it could not read the file "/storage/emulated/0/yay.jpg" (top left). Meanwhile, the ADB user could read the file "/storage/emulated/0/yay.jpg" (bottom left):

20210111 184012

Drozer's "app.provider.download" module can be used to dynamically craft a proper content provider call and communicate with the vulnerable content provider. The below output shows Drozer downloading the file "/storage/emulated/0/yay.jpg" from the external storage using the vulnerable content provider:

dz> run app.provider.download content://com.samsung.android.app.notes.clipdatacontentprovider/external_files/yay.jpg /tmp/yay.jpg
Written 1932151 bytes

dz> exit
root@324bda543ccd:/# sha1sum /tmp/yay.jpg
1e29865dc1b592b06f87cd7d569f93170daa74ed /tmp/yay.jpg

Remedial Action

Samsung has released Samsung Notes versionĀ 4.2.00.22 which fixes the issue outlined in this advisory. F-Secure recommends that users upgrade Samsung Notes to at least version 4.2.00.22.

Timeline

Date Summary
02/11/2020 Issue disclosed to Samsung Mobile Security
02/11/2020 Issue assigned to a Samsung Security Analyst
16/12/2020 Samsung confirms the vulnerability and rates it as a low risk issue
12/01/2021 Follow up sent to Samsung
13/01/2021 Samsung responds to follow up and says a patch will be released soon
09/02/2021 Patch released, Samsung initiates process for bug bounty reward
12/03/2021 Bug Bounty Paid
25/03/2021 CVE Assigned
26/03/2021 Advisory Disclosed