Stack buffer overflow and information disclosure in OTP TrustZone trustlet via OTP_GET_CRYPTO_DERIVED_KEY
As a part of the KNOX extensions available on Samsung devices, Samsung provides a TrustZone trustlet which allows the generation of OTP tokens.
The tokens are generated in a TrustZone application within the TEE (UID: fffffffff0000000000000000000001e), which can be communicated with using the "OTP" service, published by "otp_server".
The command "OTP_GET_CRYPTO_DERIVED_KEY" allows the user to generate a key using a KDF which is based on a previously unwrapped OTP token. However, after unwrapping the supplied OTP token, the command fails to validate the derived key length field (at offset 1128 in the request buffer). This argument is then passed on to the KDF, and may be arbitrarily large.
Supplying a large value for the derived key length field will cause the KDF function to overwrite the destination buffer with the derived key bytes. As the destination buffer in located on the stack, this will allow the attack to overwrite important stack data.
Since HMAC-SHA1/HMAC-SHA256 are PRFs and the password in the token is unknown to the attacker, this issue would be harder to exploit on its own (would require to blindly brute-force the destination bytes). However, the "otp_get_crypto_derived_key" function also contains an information disclosure vulnerability that would allow the attacker to leak the derived key for each attempt.
After calling the KDF, the aforementioned length field is used as the length argument in a "memcpy" call which copies the generated bytes into the user's response buffer, thus leaking the generated bytes back to the Non-Secure World.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
Found by: laginimaineb