Exploit Test — Samsung S6 &S7 Arbitrary file read/write on locked device via mtp
A vulnerability in the Media Transfer Protocol (MTP) as implemented by Samsung results file read/write access. The vulnerability was identified by Salvatore Mesoraca (https://smeso.it) and reported to the vendor in August 2017. The vulnerability is caused by Samsung failing to properly implement access controls on a locked device.
When a device is locked the MTP stops reporting which storage devices are available. The Samsung devices reports 0 storage but does not block direct requests to known storage devices. The exploit simply iterates through IDs and accesses the devices directly.
Samsung has addressed the issue by releasing a patch for SVE-2017–10086 in their November 2017 update:
An attacker requires physical access to the device to execute the attack over USB. The exploit is able to download files from the attached phone even when the lock screen is enabled.
Possible attack vectors include rogue charge stations or modified public ones like the one below:
Existing charging stations could be modified the way ATMs skimmers are bu using something like the teensy
The exploit can, of course, also be executed using a computer.
Salvatore Mesoraca has released the source code to an exploit on his github account (https://github.com/smeso/MTPwn). The exploit is able to retrieve a directory listing of all accessible files, download one random file, and upload a target file to an arbitrary location. The exploit could easily be modified to download all accessible files.
I’ve tested both the Samsung S6 and S7 edge in the lab. The following screenshots show the attack is successful on both devices.
read more on here: