

Massive security flaw may threaten millions of Samsung Galaxy phones - ganram
http://mashable.com/2015/06/17/samsung-phones-security-flaw/

======
_jomo
NowSecure has some details about this flaw [0]. Summary:

The SwiftKey keyboard (which can't be uninstalled) checks for language packs
via HTTP:

    http://skslm.swiftkey.net/samsung/downloads/v1.3-USA/languagePacks.json

That returns a list of download URLs and SHA1 hashes (which are obviously
useless when they're in the same plain text response). These download links
look like:

    http://skslm.swiftkey.net/samsung/downloads/v1.3-USA/en_US.zip

The zip file is downloaded and then extracted as the system user. The zip file
may contain paths like ../../../../../../../../data/payload, which basically
allows writing anywhere on the file system.

This can be (ab)used for a system level remote code execution.

Ryan Welton also published a video demonstrating the exploit. [1]

0: https://www.nowsecure.com/blog/2015/06/16/remote-code-execution-as-system-user-on-samsung-phones/

1: https://www.youtube.com/watch?v=uvvejToiWrY

