QualComm TrustZone MasterKeys extracted?

Kindly pointed out by a reader of the blog, laginimaineb has some more research going on for QualComm TrustZone, sounds non-trivial:

[Grr, when I paste an URL of a Twitter tweet, WordPress usually renders it, today, it is not, maybe it will before it posts it, unsure. I’ve extracted the text from the Tweets in case it does not.]

Just managed to extract the Qualcomm KeyMaster keys directly from TrustZone! Writeup coming soon 🙂 (1/2)

And wrote a script to decrypt all keystore keys. This can also be used to bruteforce the FDE passphrase off the device! (2/2)

This specifically is done on the Nexus 6, but I’ve also dabbled w/ the Nexus 5 and Moto X 2nd Gen

https://mobile.twitter.com/laginimaineb/status/737051964857561093
https://mobile.twitter.com/laginimaineb/status/737052350674817024
https://mobile.twitter.com/laginimaineb/status/737185999760052224
https://mobile.twitter.com/laginimaineb/status/737186295655596032
https://mobile.twitter.com/laginimaineb/status/737188674371215360

More info:
https://mobile.twitter.com/laginimaineb
http://bits-please.blogspot.co.il/2016/05/qsee-privilege-escalation-vulnerability.html
http://bits-please.blogspot.co.il/2016/05/qsee-privilege-escalation-vulnerability.html
http://bits-please.blogspot.com/

Zero perms to TrustZone: Android mediaserver CVEs discussion

https://pbs.twimg.com/media/CZgC2lkUEAA16RP.png:large

Android privilege escalation to mediaserver from zero permissions (CVE-2014-7920 + CVE-2014-7921)

In this blog post we’ll go over two vulnerabilities I discovered which, when combined, enable arbitrary code execution within the “mediaserver” process from any context, requiring no permissions whatsoever. How bad is it? The first vulnerability (CVE-2014-7921) was present in all Android version from 4.0.3 onwards. The second vulnerability (CVE-2014-7920) was present in all Android versions from 2.2 (!). Also, these vulnerabilities are not vendor specific and were present in all Android devices. Since the first vulnerability is only needed to bypass ASLR, and ASLR is only present (in a meaningful form) from Android 4.1 onwards, this means that these vulnerabilities allow code execution within “mediaserver” on any Android device starting from version 2.2. Although I reported both vulnerabilities in mid October 2014, they were unfortunately only fixed much later (see “Timeline” for full description, below) – in Android version 5.1!  This means that there are many devices out there which are still vulnerable to these issues, so please take care. You can find the actual patches here. The patches were pushed to AOSP five months after the vulnerabilities were reported. That said, the Android security team was very pleasant to work with, and with other vulnerabilities I reported later on, were much more responsive and managed to solve the issues within a shorter time-frame.
[…]

Full post:
http://bits-please.blogspot.com/2016/01/android-privilege-escalation-to.html

Sigh, it seem harder to track ARM firmware bugs, since they’re often hidden in the description of an app bug. And SCAP has no firmware OVAL definitions for CVEs to mention things like TrustZone. 😦