Vulnerability in Samsung Android firmware exploited via MMS sending

A vulnerability (CVE-2020-8899) has been identified in the Qmage image codec shipped in Samsung Android firmware, which is built into the Skia graphics rendering library. It allows code execution when an image in the QM or QG format (".qmg") is processed by any application. No user interaction is required to carry out an attack; in the simplest case, it is enough to send the victim an MMS, email or chat message containing a specially crafted image.

The problem is believed to have been present since 2014, starting with firmware based on Android 4.4.4, which Samsung modified to support the additional image formats QM, QG, ASTC and PIO (a PNG variant). The vulnerability was fixed in the Samsung firmware updates released on May 6th. The mainline Android platform and firmware from other manufacturers are not affected.

The problem was identified during fuzz testing by a Google engineer, who also showed that the vulnerability is not limited to a crash: he prepared a working proof-of-concept exploit that bypasses ASLR and launches the calculator app by sending a series of MMS messages to a Samsung Galaxy Note 10+ running Android 10.


In the demonstration, successful exploitation took approximately 100 minutes and required sending more than 120 messages. The exploit consists of two stages: the first determines the base addresses of the libskia.so and libhwui.so libraries in order to bypass ASLR, and the second obtains remote access to the device by launching a "reverse shell". Depending on the memory layout, determining the base address requires sending between 75 and 450 messages.
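Because the attack described above depends on a large volume of image-bearing messages reaching one recipient, an unusual burst of such messages is itself a signal worth alerting on. The following is an added example, not part of the original article or of any Samsung or Google code: it runs a sliding-window burst detector over constructed messaging-gateway log lines. The log format, the "image/qmg" label, the phone numbers and the thresholds are all assumptions chosen for this demonstration.

```python
"""Flag senders delivering bursts of image attachments to one recipient.

Added example (not from the original article). The log format, the
"image/qmg" MIME label, the phone numbers and the thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions: the article reports 75-450 messages over roughly
# 100 minutes, so a burst well below that is still worth an alert.
WINDOW = timedelta(minutes=60)
THRESHOLD = 20


def parse_line(line):
    """Parse one constructed log line: '<ISO time> <sender> <recipient> <type>'."""
    ts, sender, recipient, mime = line.split()
    return datetime.fromisoformat(ts), sender, recipient, mime


def find_bursts(lines, window=WINDOW, threshold=THRESHOLD, mime_prefix="image/"):
    """Return {(sender, recipient): peak_count} for every pair whose
    image-attachment messages exceed `threshold` inside any sliding
    window of length `window`. Non-image messages are ignored."""
    recent = defaultdict(deque)  # (sender, recipient) -> timestamps inside window
    peaks = {}
    # Order by timestamp so the window logic works on unordered input too.
    for line in sorted(lines, key=lambda l: l.split()[0]):
        ts, sender, recipient, mime = parse_line(line)
        if not mime.startswith(mime_prefix):
            continue
        key = (sender, recipient)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:  # evict timestamps older than the window
            q.popleft()
        if len(q) > threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks


def build_sample_log():
    """Construct sample log lines: one noisy sender plus normal background traffic."""
    base = datetime(2020, 5, 1, 10, 0, 0)
    lines = []
    # 30 image messages from one sender to one recipient within 30 minutes
    for i in range(30):
        stamp = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{stamp} +15550001 +15559999 image/qmg")
    # normal traffic: 5 image messages spread over a day from another sender
    for i in range(5):
        stamp = (base + timedelta(hours=3 * i)).isoformat()
        lines.append(f"{stamp} +15550002 +15559999 image/jpeg")
    # text-only message, which the detector should ignore
    lines.append(f"{base.isoformat()} +15550003 +15559999 text/plain")
    return lines


if __name__ == "__main__":
    for (sender, recipient), count in find_bursts(build_sample_log()).items():
        print(f"ALERT: {sender} -> {recipient}: {count} image messages within {WINDOW}")
```

The detector keys on (sender, recipient) pairs rather than on the sender alone so that a legitimate bulk sender with many distinct recipients does not trip the alert; lower the threshold or shorten the window if the surrounding traffic is quiet enough to make a smaller burst stand out.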

Separately, the May Android security bulletin has been published, fixing 39 vulnerabilities. Three of them have been rated critical (details have not yet been disclosed):

  • CVE-2020-0096: a local vulnerability that allows code execution when processing a specially crafted file;
  • CVE-2020-0103: a remote vulnerability in the system that allows code execution when processing specially crafted external data;
  • CVE-2020-3641: a vulnerability in Qualcomm proprietary components.

Source: opennet.ru
