0-Click RCE Vulnerability in Samsung Smartphones Let Attackers Trigger OOB Write – Technical Analysis
- С сайта: Zero-Day(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Zero-Day(cybersecuritynews.com)
Google Security researchers have disclosed a critical vulnerability, tagged as CVE-2024-49415, affecting Samsung smartphones last year and reported to Samsung with a 90-day deadline to patch.
This zero-click remote code execution (RCE) flaw originates from an out-of-bounds (OOB) write in the libsaped.so library, specifically in the decoder for Monkey’s Audio (APE) files.
The vulnerability impacts Samsung devices running Android 12, 13, and 14, including the Galaxy S24 and S23 models.
Vulnerability Exploitation Details:
The issue resides in the saped_rec function of the libsaped.so library. Monkey’s Audio is a lossless audio data compression algorithm supported by various media players.
According to the investigation, the vulnerability occurs due to improper handling of fields from the APE file’s Header Block, allowing an overflow on allocated buffers.
Samsung’s media service, samsung.software.media.c2, allocates a fixed-size buffer (dmabuf) with a capacity of 0x120000 during media streaming.
However, when decoding APE files, the buffer copies certain fields (e.g., blocksperframe) without proper validation. If the bytes per sample is set to 24, it allows up to 3 * blocksperframe to be copied—exceeding the buffer’s capacity and causing memory corruption.
The vulnerability is exploitable in scenarios where Rich Communication Services (RCS) is enabled, which is the default configuration for affected devices.
An attacker can craft a malicious APE file embedded in an RCS voice message. Upon receipt of the message, the transcription service automatically decodes the audio, triggering the vulnerability without requiring user interaction—a characteristic of a zero-click exploit.
The APE file format uses a structure defined in the Descriptor Block and Header Block, which contains metadata for audio compression. The vulnerability specifically exploits improper handling of block size parameters in this structure. The following fields in the APE format were identified as relevant:
typedef struct APEContext { uint32_t blocksperframe; uint16_t bps; // Bytes per sample /* Other fields omitted for brevity */ } APEContext;
While the decoder limits blocksperframe to a maximum of 0x120000, the corrupted calculation (3 * blocksperframe) caused by the 24 bytes-per-sample setting bypasses this limit, enabling an attacker to trigger an OOB write.
The vulnerability underscores the risks associated with modern smartphone features that process media automatically, especially in services like messaging apps. Samsung is expected to address this issue in its upcoming Security Maintenance Release (SMR-2024).
#Cyber_Security_News #Vulnerability #Vulnerability_News #Zero-Day #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
0-Click RCE Vulnerability in Samsung Smartphones Let Attackers Trigger OOB Write – Technical Analysis
Author: Balaji NGoogle Security researchers have disclosed a critical vulnerability, tagged as CVE-2024-49415, affecting Samsung smartphones last year and reported to Samsung with a 90-day deadline to patch.
This zero-click remote code execution (RCE) flaw originates from an out-of-bounds (OOB) write in the libsaped.so library, specifically in the decoder for Monkey’s Audio (APE) files.
The vulnerability impacts Samsung devices running Android 12, 13, and 14, including the Galaxy S24 and S23 models.
Vulnerability Exploitation Details:
The issue resides in the saped_rec function of the libsaped.so library. Monkey’s Audio is a lossless audio data compression algorithm supported by various media players.
According to the investigation, the vulnerability occurs due to improper handling of fields from the APE file’s Header Block, allowing an overflow on allocated buffers.
Samsung’s media service, samsung.software.media.c2, allocates a fixed-size buffer (dmabuf) with a capacity of 0x120000 during media streaming.
However, when decoding APE files, the buffer copies certain fields (e.g., blocksperframe) without proper validation. If the bytes per sample is set to 24, it allows up to 3 * blocksperframe to be copied—exceeding the buffer’s capacity and causing memory corruption.
The vulnerability is exploitable in scenarios where Rich Communication Services (RCS) is enabled, which is the default configuration for affected devices.
An attacker can craft a malicious APE file embedded in an RCS voice message. Upon receipt of the message, the transcription service automatically decodes the audio, triggering the vulnerability without requiring user interaction—a characteristic of a zero-click exploit.
The APE file format uses a structure defined in the Descriptor Block and Header Block, which contains metadata for audio compression. The vulnerability specifically exploits improper handling of block size parameters in this structure. The following fields in the APE format were identified as relevant:
typedef struct APEContext { uint32_t blocksperframe; uint16_t bps; // Bytes per sample /* Other fields omitted for brevity */ } APEContext;
While the decoder limits blocksperframe to a maximum of 0x120000, the corrupted calculation (3 * blocksperframe) caused by the 24 bytes-per-sample setting bypasses this limit, enabling an attacker to trigger an OOB write.
The vulnerability underscores the risks associated with modern smartphone features that process media automatically, especially in services like messaging apps. Samsung is expected to address this issue in its upcoming Security Maintenance Release (SMR-2024).
#Cyber_Security_News #Vulnerability #Vulnerability_News #Zero-Day #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
