This document details a three-vulnerability exploit chain targeting Samsung devices, discovered in late 2020. The first vulnerability was an arbitrary file read/write in a clipboard content provider, which the exploit used to write a malicious ELF file to disk and get it executed. The second vulnerability leaked kernel addresses through a custom Samsung logging feature, defeating KASLR. The third was a use-after-free in the Display Processing Unit (DPU) driver, which the exploit turned into an arbitrary kernel read/write primitive. Along the way, the chain abused Samsung's Text-to-Speech application to obtain system privileges and the Mali GPU driver to shape the kernel heap. Samsung patched all three vulnerabilities in March 2021. The document stresses the value of in-the-wild exploit samples for understanding attacker techniques and improving defenses, and notes Samsung's commitment to publicly disclosing when a vulnerability is known to be exploited in the wild. The analysis shows that the chain relied on Samsung-specific customizations and drivers rather than upstream Android code, underscoring the security cost of device-manufacturer modifications to Android.
googleprojectzero.blogspot.com
