
A flaw in Xiaomi phones using MediaTek chips could allow attackers to forge transactions

August 14, 2022 By Pierluigi Paganini


Flaws in Xiaomi Redmi Note 9T and Redmi Note 11 models could be exploited to disable the mobile payment mechanism and even forge transactions.

Check Point researchers discovered the flaws while analyzing the payment system built into Xiaomi smartphones powered by MediaTek chips.

Trusted execution environment (TEE) is an important component of mobile devices designed to process and store sensitive security information such as cryptographic keys and fingerprints.

TEE protection leverages hardware extensions (such as ARM TrustZone) to secure data in this enclave, even on rooted devices or systems compromised by malware.

The most popular implementations of the TEE are Qualcomm's Secure Execution Environment (QSEE) and Trustonic's Kinibi, but most devices in the wider Asian market are powered by MediaTek chips, which are less explored by security experts.

The experts explained that on Xiaomi devices, trusted apps are stored in the /vendor/thh/ta directory. Each app is an unencrypted binary file with a specific structure.

Trusted apps of the Kinibi OS have the MCLF format, while Xiaomi uses its own format.

A trusted app can have multiple signatures following the magic fields, and the magic fields are the same across all trusted apps on the mobile device.

The researchers noticed that the trusted app's file format omits a version control field. This means that an attacker can transfer an old version of a trusted app to the device and use it to overwrite the new app file; the TEE will then load the app transferred by the attacker.
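The missing version check described above, next to a loader that enforces a rollback floor, as an added example that is not code from Xiaomi, MediaTek or Check Point. The header layout, the `XTA1` magic, the sample images and all function names are constructed for illustration, and signature verification is assumed to have already passed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout, not Xiaomi's real format: magic[4] | version u32 LE |
 * body_len u32 LE | body. The version must lie inside the signed region. */
#define TA_HDR_LEN 12u
enum ta_status { TA_OK, TA_BAD_FORMAT, TA_ROLLBACK };
/* Stand-in for a rollback-protected monotonic counter held by the TEE. */
struct rollback_store { uint32_t min_version; };
/* Constructed sample images: version 3 (old) and version 7 (current). */
const uint8_t TA_OLD[] = {'X','T','A','1', 3,0,0,0, 2,0,0,0, 0xAA,0xBB};
const uint8_t TA_NEW[] = {'X','T','A','1', 7,0,0,0, 2,0,0,0, 0xCC,0xDD};

uint32_t rd_le32(const uint8_t *p) {
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Bounds-checked header parse; signature checking is assumed done earlier. */
enum ta_status ta_parse(const uint8_t *img, size_t len, uint32_t *version) {
    if (img == NULL || len < TA_HDR_LEN) return TA_BAD_FORMAT;
    if (memcmp(img, "XTA1", 4) != 0) return TA_BAD_FORMAT;
    if (rd_le32(img + 8) != len - TA_HDR_LEN) return TA_BAD_FORMAT;
    *version = rd_le32(img + 4);
    return TA_OK;
}

/* Behaviour the article describes: no version comparison at load time. */
enum ta_status ta_load_unversioned(const uint8_t *img, size_t len) {
    uint32_t v;
    return ta_parse(img, len, &v);
}

/* Hardened: reject images below the stored floor; the floor only rises. */
enum ta_status ta_load_anti_rollback(const uint8_t *img, size_t len,
                                     struct rollback_store *st) {
    uint32_t v;
    enum ta_status s = ta_parse(img, len, &v);
    if (s != TA_OK) return s;
    if (v < st->min_version) return TA_ROLLBACK;
    if (v > st->min_version) st->min_version = v;
    return TA_OK;
}

int main(void) {
    struct rollback_store st = {0};
    int fresh = ta_load_anti_rollback(TA_NEW, sizeof TA_NEW, &st);
    int stale = ta_load_anti_rollback(TA_OLD, sizeof TA_OLD, &st);
    printf("new=%d old=%d\n", fresh, stale); /* TA_OK, then TA_ROLLBACK */
}
```

The floor only helps if it lives in storage the normal world cannot rewrite and the version field is covered by the image signature; otherwise either value can be edited along with the file.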

"Therefore, an attacker can bypass security fixes made by Xiaomi or MediaTek in trusted apps by downgrading them to unpatched versions. To prove the issue, we successfully overwrote the thhadmin trusted app on our test device running MIUI Global 12.5.6.0 OS with an old one extracted from another device running MIUI Global 10.4.1.0 OS," reads the analysis published by Check Point researchers. "The old thhadmin app was successfully launched, even though its code is significantly different from the original."

The experts also found multiple flaws in the "thhadmin" app that could be exploited to leak stored keys or to execute malicious code in the context of the app.

Check Point researchers also analyzed Tencent Soter, an embedded mobile payment framework used by Xiaomi devices. This framework provides an API for third-party Android applications to integrate payment capabilities. Tencent Soter verifies payment packages transferred between a mobile application and a remote backend server, and it is supported by hundreds of millions of Android devices.

A heap overflow vulnerability in the soter trusted app could be exploited to trigger a denial-of-service by an Android app that has no permissions to communicate with the TEE directly.

The researchers demonstrated that it is possible to extract the private keys used to sign payment packages by replacing the soter trusted app with an older version affected by an arbitrary read vulnerability. Xiaomi tracked the issue as CVE-2020-14125.

"This vulnerability [CVE-2020-14125] can be exploited to execute a custom code. Xiaomi trusted apps do not have ASLR. There are examples on the Internet of exploiting such a classic heap overflow vulnerability in Kinibi apps. In practice, our goal is to steal one of the soter private keys, not execute the code. The key leak completely compromises the Tencent soter platform, allowing an unauthorized user to sign fake payment packages." concludes the report.

"To steal a key, we used another arbitrary read vulnerability that exists in the old version of the soter app (extracted from the MIUI Global 10.4.1.0). As noted, we can downgrade the app on Xiaomi devices."

Xiaomi addressed the CVE-2020-14125 vulnerability on June 6, 2022.
