Android 7 9 VideoPlayer ihevcd_parse_pps Out-of-Bounds Write

2019.07.17

Credit: hevc

Risk: High

Local: No

Remote: Yes

CVE: CVE-2019-2107

CWE: CWE-787

CVSS Base Score: 9.3/10

Impact Subscore: 10/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: Complete

Integrity impact: Complete

Availability impact: Complete

CVE-2019-2107 - looks scary. Still remember Stagefright and PNG bugs vulns .... With CVE-2019-2107 the decoder/codec runs under mediacodec user and with properly "crafted" video (with tiles enabled - ps_pps->i1_tiles_enabled_flag) you can possibly do RCE. The codec affected is HVEC (a.k.a H.265 and MPEG-H Part 2) #exploit #rce #android #stagefright #cve
More infos
LineageOS (Android):
02-11 20:18:48.238 260 260 D FFmpegExtractor: ffmpeg detected media content as 'video/hevc' with confidence 0.08
02-11 20:18:48.239 260 260 I FFMPEG : [hevc @ 0xb348f000] Invalid tile widths.
02-11 20:18:48.239 260 260 I FFMPEG : [hevc @ 0xb348f000] PPS id out of range: 0
02-11 20:18:48.240 260 260 I FFMPEG : [hevc @ 0xb348f000] Invalid tile widths.
02-11 20:18:48.240 260 260 I FFMPEG : [hevc @ 0xb348f000] PPS id out of range: 0
02-11 20:18:48.240 260 260 I FFMPEG : [hevc @ 0xb348f000] Error parsing NAL unit #5.
02-11 20:18:48.240 260 260 I FFMPEG : [hevc @ 0xb348f000] Invalid tile widths.
mplayer (laptop)
id: 0
[hevc @ 0x7f0bf58a7560]Decoding VPS
[hevc @ 0x7f0bf58a7560]Main profile bitstream
[hevc @ 0x7f0bf58a7560]Decoding SPS
[hevc @ 0x7f0bf58a7560]Main profile bitstream
[hevc @ 0x7f0bf58a7560]Decoding VUI
[hevc @ 0x7f0bf58a7560]Decoding PPS
[hevc @ 0x7f0bf58a7560]Invalid tile widths.
[hevc @ 0x7f0bf58a7560]Decoding SEI
[hevc @ 0x7f0bf58a7560]Skipped PREFIX SEI 5
[hevc @ 0x7f0bf58a7560]PPS id out of range: 0
[hevc @ 0x7f0bf58a7560]Error parsing NAL unit #5.
Error while decoding frame!
This stops it when the tile width is bigger than allowed: https://gitlab.freedesktop.org/gstreamer/meson-ports/ffmpeg/blob/ebf648d490448d511b5fe970d76040169e65ef74/libavcodec/hevc_ps.c#L1526
So the check are there.
On stock/google Andoird I think it will use libhevc, not ffmpeg, when using VideoPlayer.
https://www.droidviews.com/enjoy-hevc-h-265-video-playback-on-android/
I have the google codec:
OMX.google.hevc.decoder
I am wondering however why it does not crash ....
Attaching the video (videopoc.mp4) that should trigger this condition:
if (value >= ps_sps->i2_pic_wd_in_ctb - start)
+ {
+ return IHEVCD_INVALID_HEADER;
+ }
Maybe somebody have more luck.
More infos 2
Whoooo hooo .... made it :)
Proof of concept is in hevc-crash-poc.mp4, other videos are for non andoird players.
Hvec-"fright" is possible. You can own the mobile by viewing a video with payload. In my example I didn't include real payload.
07-13 21:50:59.000 3351 3351 I /system/bin/tombstoned: received crash request for pid 24089
07-13 21:50:59.006 24089 24089 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
07-13 21:50:59.006 24089 24089 F DEBUG : Build fingerprint: 'samsung/hero2ltexx/hero2lte:8.0.0/R16NW/G935FXXS4ESC3:user/release-keys'
07-13 21:50:59.006 24089 24089 F DEBUG : Revision: '9'
07-13 21:50:59.006 24089 24089 F DEBUG : ABI: 'arm64'
07-13 21:50:59.006 24089 24089 F DEBUG : pid: 24089, tid: 24089, name: media.extractor >>> mediaextractor <<<
07-13 21:50:59.006 24089 24089 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7ccb800050
07-13 21:50:59.009 24089 24089 F DEBUG : x0 00000000ffffff36 x1 0000000000000000 x2 00000000000000f0 x3 0000000000000001
07-13 21:50:59.009 24089 24089 F DEBUG : x4 0000000000000001 x5 0000007ccb5df1b8 x6 0000007cc927363e x7 0000007cc8e7bd04
07-13 21:50:59.009 24089 24089 F DEBUG : x8 0000000000004170 x9 0000000000004160 x10 00000000ffffffff x11 0000007ccb7fbef0
07-13 21:50:59.010 24089 24089 F DEBUG : x12 0000007ccb5d3ce0 x13 000000000000001e x14 0000000000000003 x15 0000000000000001
07-13 21:50:59.010 24089 24089 F DEBUG : x16 0000007cc99f5f50 x17 0000007ccb88885c x18 0000007ccb566225 x19 0000007ccb562020
07-13 21:50:59.010 24089 24089 F DEBUG : x20 0000007ccb4f18a0 x21 0000007ccb468c6c x22 0000000000000000 x23 0000000000000006
07-13 21:50:59.010 24089 24089 F DEBUG : x24 000000000000001e x25 0000000000000094 x26 0000000000004160 x27 0000000000000001
07-13 21:50:59.010 24089 24089 F DEBUG : x28 0000007ccb55e750 x29 0000007fd6d39d90 x30 0000007cc99c4438
07-13 21:50:59.010 24089 24089 F DEBUG : sp 0000007fd6d39d20 pc 0000007cc99c44c4 pstate 0000000080000000
07-13 21:50:59.013 24089 24089 F DEBUG :
--
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47119.zip

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Android 7 9 VideoPlayer ihevcd_parse_pps Out-of-Bounds Write

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.