Researchers: Damiano Melotti @DamianoMelotti, Maxime Rossi Bellom @max_r_b
CVE-2022-20233: an out-of-bounds write of exactly one byte, whose value can only be set to 1, at a limited offset from a pointer on the stack. Despite these significant constraints, this vulnerability was enough to obtain code execution on the Titan M chip and to leak some of the secrets it contains.
“We think the bug is particularly interesting because at first it looks like a very minor issue: what can you do by only setting one byte to 1, with all the constraints on the address? However, Titan M’s memory layout is completely static; therefore, reaching a sensitive global field to overwrite was still possible. By doing that, we change the address where Android Keymaster messages would be stored on the chip, causing a corruption that we leveraged to reach code execution.
This is the first 0-day code execution known on this target, and by exploiting it we managed to leak most of the secrets stored in the secure chip, including Strongbox keys.”
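
To see why a single byte set to 1 matters in a fully static layout, the following added example (not the researchers' code and not Titan M firmware) models a global buffer-address field in a toy RAM array. Every offset, size and function name is constructed for illustration; it contrasts a store that trusts the field with one that validates it against the known static address.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy layout, NOT Titan M's real memory map. */
#define RAM_SIZE   0x400
#define MSG_PTR    0x010  /* global field: 16-bit LE address of message buffer */
#define MSG_BUF    0x080  /* intended message buffer */
#define MSG_MAX    0x080  /* buffer capacity */
#define OTHER_DATA 0x180  /* unrelated state elsewhere in static RAM */

static uint8_t ram[RAM_SIZE];

static void ram_init(void) {
    memset(ram, 0, sizeof ram);
    ram[MSG_PTR]     = MSG_BUF & 0xff;
    ram[MSG_PTR + 1] = MSG_BUF >> 8;
    memset(ram + OTHER_DATA, 0xAA, 16);
}

static uint16_t msg_dest(void) {
    return (uint16_t)(ram[MSG_PTR] | (ram[MSG_PTR + 1] << 8));
}

/* Models the constrained primitive: one byte, value fixed to 1. */
static void set_byte_to_one(uint16_t addr) { ram[addr] = 1; }

/* Unchecked store: trusts whatever the global field currently holds. */
static int store_msg_unchecked(const uint8_t *msg, uint16_t len) {
    memcpy(ram + msg_dest(), msg, len);
    return 0;
}

/* Checked store: in a static layout the destination is a known constant,
 * so any other value in the field means corruption and is refused. */
static int store_msg_checked(const uint8_t *msg, uint16_t len) {
    if (msg_dest() != MSG_BUF || len > MSG_MAX) return -1;
    memcpy(ram + MSG_BUF, msg, len);
    return 0;
}

/* Corrupts the field's high byte (0x0080 -> 0x0180), stores a message and
 * returns OTHER_DATA's first byte, or -1 if the store was refused. */
static int demo(int checked) {
    uint8_t msg[16];
    memset(msg, 0x41, sizeof msg);
    ram_init();
    set_byte_to_one(MSG_PTR + 1);
    int rc = checked ? store_msg_checked(msg, sizeof msg)
                     : store_msg_unchecked(msg, sizeof msg);
    return rc == 0 ? ram[OTHER_DATA] : -1;
}

int main(void) {
    printf("unchecked: OTHER_DATA[0]=0x%02x\n", (unsigned)demo(0));
    printf("checked:   rc=%d\n", demo(1));
    return 0;
}
```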