Samsung released this week a security patch that addresses a critical vulnerability, tracked as CVE-2020-8899, impacting all smartphones sold since 2014. The flaw is tracked as SVE-2020-16747 in the Samsung security bulletin.
“A possible memory overwrite vulnerability in Quram qmg library allows possible remote arbitrary code execution. The patch adds the proper validation to prevent memory overwrite.” reads the advisory published by Samsung.
The vulnerability resides in the Skia Android graphics library and affects the way Android OS running on Samsung devices handles the custom Qmage image format (.qmg).
The flaw was discovered by white-hat hacker Mateusz Jurczyk from Google’s Project Zero team, an attacker can exploit the issue without user interaction.
The Skia library directly processes every image sent to an Android device, it is a remotely accessible interactionless attack surface on Android devices.
The issue only impacted Samsung devices because the vendor has implemented the support for custom Qmage image format in the Android OS version running on its devices.
Jurczyk developed a proof-of-concept exploit code that exploits the issues using an image sent through the Samsung Messages app that handled SMS and MMS messages on all Samsung devices.
“For instance, in my testing, the default Samsung Messages app processes the contents of incoming MMS messages without any user interaction, and I expect that other similar attack vectors exist.” reads the analysis published by the expert. “Given its exposure and the fact that it is written in C++, Skia and its image-related components constitute remotely accessible interactionless attack surface on Android, potentially prone to memory safety issues. The relevant code is found in the libskia.so or libhwui.so system libraries.”
Jurczyk exploited the bug by sending a sequence of MMS ‘probe’ messages to a Samsung device with the intent of guessing the position of the Skia library in the Android phone’s memory. The expert explained that the final goal is to bypass Android’s ASLR (Address Space Layout Randomization) protection.
“A majority of the attack is spent defeating ASLR, which is achieved by continuously sending “probe” MMS’ which leak whether a specific address range is mapped or not. By taking advantage of several weaknesses of the ASLR implementation in Android, I managed to reduce the number of necessary probes to a relatively small number: 86 in the case of the public demo.” continues the report.
“Each probe causes a crash of the Messages app, and Android enforces a 60-second cooldown between subsequent crashes of the same program for it to be allowed to be restarted again. So the lower bound of attack run time is the number of necessary probes expressed in minutes. Taking some extra overhead into consideration, the 86-probe attack ran in ~100 minutes as expected.”
Upon determining the position of the Skia library in the device memory, the last MMS delivers the malicious Qmage payload, which then executed the attacker’s code.
The expert demonstrated that in order to bypass the ASLR the attacker have to send between 50 and 300 MMS probe messages, the overall process takes around 100 minutes, on average.
“The video shows a proof of concept exploit and makes no attempt to be silent or stealthy. However after some brief experimentation, I have found ways to get MMS messages fully processed without triggering a notification sound on Android, so fully stealth attacks might be possible.” concludes the report.
Samsung addressed the flaw with the release of the May 2020 security updates.
Please vote Security Affairs for European Cybersecurity Blogger Awards – VOTE FOR YOUR WINNERS
(SecurityAffairs – Samsung Android, hacking)