Smokey's Security Weblog

veritas odium parit

Extremely critical vulnerability Samsung Android Exynos4 based devices [CONFIRMED]

ExynosAbuse Exploit: obtaining root on Exynos4 based Samsung Android devices without ODIN flashing, malicious apps will be able to gain total control over the device by gaining root without asking and without any permissions on a vulnerable device.

Source: XDA Developers (alephzain, Chainfire)

– alephzain:
– Chainfire:

Samsung solution status: unfixed

Vulnerable devices:

– Samsung Galaxy S2 GT-I9100

– Samsung Galaxy S3 GT-I9300
– Samsung Galaxy S3 LTE GT-I9305

– Samsung Galaxy Note GT-N7000

– Samsung Galaxy Note 2 GT-N7100
– Samsung Galaxy Note 2 LTE GT-N7105
– AT&T Galaxy Note 2 SGH-I317
– Verizon Galaxy Note 2 SCH-I605

– Samsung Galaxy Tab Plus GT-P6210

– Samsung Galaxy Note 10.1 GT-N8000, GT-N8010, GT-N8013, GT-N8020

Note: Google Nexus 10 not vulnerable, Exynos5.

Temporary patch (provided by Chainfire):

Note: Chainfire requested not to redistribute the patch, instead please link to

Update Dec 20 2012

Android Central | Dec 19 2012

Official Samsung Statement Exynos kernel vulnerability issue (in full)

“Samsung is aware of the potential security issue related to the Exynos processor and plans to provide a software update to address it as quickly as possible.

The issue may arise only when a malicious application is operated on the affected devices; however, this does not affect most devices operating credible and authenticated applications.

Samsung will continue to closely monitor the situation until the software fix has been made available to all affected mobile devices”

Third-party fixes

I will only mention Chainfire’s fix. It’s the only one that is secure. Both Supercurio’s and RyanZA’s method leave you with easily exploitable holes any serious malware author will abuse.

About Chainfire’s fix

Chainfire: “This is an APK that uses the ExynosAbuse exploit (by alephzain) to be able to do various things on your Exynos4 based device.

Features for non-rooters:
– Securely patch the exploit

Features for rooters:
– Root the device (SuperSU v0.99)
– Enable/disable the exploit at will
– Enable/disable patching the exploit at boot
– Unroot and cleanup (optionally leaving the exploit patch at boot in place)

Please note that patching the exploit may break camera functionality, depending on device and firmware. Also note that if use the patch method without rooting, or keep patching the exploit at boot enabled when unrooting, you need an alternate method to re-root the device to disable this feature (like CF-Auto-Root) – you cannot use ExynosAbuse to do this since it patched the exploit. Unlike other patch authors, I do not believe in keeping an invisible rooted process running in the background while pretending you aren’t rooted, to be able to unpatch this way.

While the exploit patches work (aside from possibly disabling your camera), these are more work-around than actual fixes. A proper patch would be a kernel fix, either from a third party or Samsung themselves”

Download the fix here:

Note: please do not redistribute the fix!

December 17, 2012 Posted by | Advisories, Alerts, Anti-Virus, Malware, News, Vulnerabilities | , , , , , , , , , , , , , , , , , , , , , , , , , , | Leave a comment