PoC Exploit Samsung Android Phones


PoC Exploit Samsung Android Phones

Post Posted: Thu May 17, 2018 7:52 am

A PoC (Proof of Concept) exploit takes advantage of a known vulnerability in Samsung's Android phones that allows an attacker to access phone storages via USB, bypassing the lock screen and/or Charge only mode. This is because one of the most common ways to connect your Android phone to your computer is by using the Media Transfer Protocol (MTP). Via MTP you can manage folders, files (and some other things) on the different storages (i.e. internal memory and SD) available on your device. When the screen of the phone is locked with a password or when the USB mode is set to Charge only it shouldn't be possible to access the device via MTP (or other USB protocols). In reality what really happens is that the device will prevent you from obtaining the "list" of the available storages, but it will let you do everything else. Many common MTP clients probably won't let you access a device that reports zero storages. But you can write a client that just asks for a list of all files on all storages and the device will satisfy your request. The interesting thing is that in the answer that you will get from the device you will also have storage ids for the returned files, which means that now you can use those storage ids with requests that can't be issued generically against all storages, i.e. file uploads. This vulnerability has been found on Samsung's devices from 2012 until 2017, with any Android version from 4.0.3 to 7.x.

The tool is free - github.com/smeso/MTPwn
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 

trewmte
Senior Member
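
The logic flaw described in the post above, as an added example that is not part of the original thread and is not Samsung's or MTPwn's code: a simplified responder model in which the lock check guards only the storage list, beside a hardened variant that checks before every operation. The `Responder` class, `exposed_while_locked` and the sample objects are hypothetical; the operation and response codes are the standard MTP values.

```python
# Simplified model of an MTP responder's lock check (constructed, not vendor code).
OP_GET_STORAGE_IDS = 0x1004      # operation codes as defined by the MTP spec
OP_GET_OBJECT_HANDLES = 0x1007
OP_GET_OBJECT_INFO = 0x1008
RESP_OK = 0x2001
RESP_ACCESS_DENIED = 0x200F
RESP_INVALID_OBJECT_HANDLE = 0x2009
ALL_STORAGES = 0xFFFFFFFF        # wildcard StorageID for GetObjectHandles


class Responder:
    """Hypothetical device model; hardened=False reproduces the flawed gate."""

    def __init__(self, locked, hardened):
        self.locked, self.hardened = locked, hardened
        # Constructed sample objects: handle -> (storage id, path)
        self.objects = {1: (0x00010001, "DCIM/a.jpg"), 2: (0x00020001, "notes.txt")}

    def handle(self, op, param=None):
        if self.locked and self.hardened:
            # Hardened: one policy check in front of every data operation.
            return RESP_ACCESS_DENIED, None
        if op == OP_GET_STORAGE_IDS:
            if self.locked:
                return RESP_OK, []  # flawed: only the storage list is hidden
            return RESP_OK, sorted({sid for sid, _ in self.objects.values()})
        if op == OP_GET_OBJECT_HANDLES:
            return RESP_OK, [h for h, (sid, _) in self.objects.items()
                             if param in (ALL_STORAGES, sid)]
        if op == OP_GET_OBJECT_INFO and param in self.objects:
            return RESP_OK, self.objects[param]
        # Unknown handle or an operation this model does not cover.
        return RESP_INVALID_OBJECT_HANDLE, None


def exposed_while_locked(dev):
    """Regression check: storage ids still learnable without GetStorageIDs."""
    status, handles = dev.handle(OP_GET_OBJECT_HANDLES, ALL_STORAGES)
    if status != RESP_OK:
        return set()
    infos = (dev.handle(OP_GET_OBJECT_INFO, h) for h in handles)
    return {info[0] for status, info in infos if status == RESP_OK}


if __name__ == "__main__":
    for hardened in (False, True):
        dev = Responder(locked=True, hardened=hardened)
        print(hardened, dev.handle(OP_GET_STORAGE_IDS), exposed_while_locked(dev))
```

In the flawed model the locked device reports zero storages yet the regression check still recovers both storage ids; in the hardened model every request is refused until the device is unlocked.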
 
 
  

Re: PoC Exploit Samsung Android Phones

Post Posted: Thu May 17, 2018 1:03 pm

Thanks for sharing, this post came right in time! If it works on the device I got in a highly sensitive case, hopefully it will keep a dangerous criminal behind bars! :)

If it works, I'll write some feedback on it.
_________________
With a little luck, I can access Android userdata partitions from binary dumps. Full dump is required, physical access to the device helps a lot, but it is optional. 

passcodeunlock
Senior Member
 
 
  

Re: PoC Exploit Samsung Android Phones

Post Posted: Fri May 18, 2018 4:11 am

No luck, the Android Security Patch Level is newer on this device. It is also encrypted and asking for a password on boot, so no MTP connection could be set up anyway :(

passcodeunlock
Senior Member
 
 
  

Re: PoC Exploit Samsung Android Phones

Post Posted: Fri May 18, 2018 7:23 am

It's a decent exploit and MTP data is better than nothing usually. A friend of mine used it for an S7 that had a busted screen that couldn't be repaired. Security patch level needs to be before Oct/Nov 2017 (depending on the device). Encryption shouldn't be a problem but the secure boot would cause an issue as you need to boot the phone.

If you have Magnet AXIOM, it uses this exploit and works quite well. If you don't have it, give the script a try.

Jamie McQuaid
Magnet Forensics  

mcman
Senior Member
 
 
  

Re: PoC Exploit Samsung Android Phones

Post Posted: Fri May 18, 2018 8:24 am

- mcman
It's a decent exploit and MTP data is better than nothing usually. A friend of mine used it for an S7 that had a busted screen that couldn't be repaired. Security patch level needs to be before Oct/Nov 2017 (depending on the device). Encryption shouldn't be a problem but the secure boot would cause an issue as you need to boot the phone.

If you have Magnet AXIOM, it uses this exploit and works quite well. If you don't have it, give the script a try.

Jamie McQuaid
Magnet Forensics


Hi, I have a Samsung J320F with secure boot enabled and I don't know the password.

A dump via forensic recovery with AXIOM won't help because the phone is encrypted. Do you think there is any way to get files?

Bypx
Newbie
 
 
  

Re: PoC Exploit Samsung Android Phones

Post Posted: Fri May 18, 2018 12:57 pm

@Bypx: If it is important, we can extract the user data from your encrypted dump, feel free to message me.

passcodeunlock
Senior Member
 
 
  

Re: PoC Exploit Samsung Android Phones

Post Posted: Fri May 18, 2018 1:01 pm

- mcman
If you have Magnet AXIOM, it uses this exploit and works quite well. If you don't have it, give the script a try.


I already posted that the security patch level of the SM-N950F device I got is newer and this exploit won't work :(

Any ideas are welcome, if we could dump the phone (even encrypted) we could move forward...

passcodeunlock
Senior Member
 
 
