Google Android RCE Bug Allows Attacker Full Device Access

The vulnerability is one of 39 affecting various aspects of the mobile OS that the company fixed in a security update this week.
Google has patched a vulnerability in its Android OS that could allow attackers to completely take over someone’s device to install programs, steal or change data, or create new accounts with full privileges.
The flaw (CVE-2020-0103) was one of 39 vulnerabilities affecting Android OS builds that use older security profiles and are spread throughout various components of Android that the company fixed in its latest security patch, according to a security bulletin published Monday.
The vulnerabilities pose a high risk for consumers as well as business and government institution users, the company said. However, the most critical of these, found in the System component of Android, could allow for remote code execution (RCE), depending on the existing privileges on the device, according to Google.
“The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process,” the company wrote in the bulletin.
However, the potential for exploitation depends on the privilege status of an application, according to the Center for Internet Security’s (CIS’s) advisory on the flaw.
“If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights,” according to the post.
These vulnerabilities could be exploited through multiple methods such as email, web browsing and the Multimedia Messaging Service (MMS) when processing media files, CIS explained in its post.
“Depending on the privileges associated with the application, an attacker could then install programs; view, change or delete data; or create new accounts with full user rights,” according to the post. However, so far none of the vulnerabilities patched in the update have been exploited in the wild, according to CIS.
The critical flaw was one of eight that Google patched for the System component of Android. The rest of the flaws were rated high-severity, except for one, which was rated moderate.
Google also patched a critical flaw in Android’s Framework component, CVE-2020-0096, that could enable a local attacker to execute arbitrary code within the context of a privileged process, the company said. The vulnerability was one of three patched in this component, the other two of which had a severity rating of high.
The only other critical vulnerability patched was CVE-2020-3641, found in the Qualcomm closed-source components. The flaw was one of 10 patched in these components, the rest of which were rated as high severity.
The security update also fixes four high-severity vulnerabilities in Android’s Media framework; eight high-severity vulnerabilities in Qualcomm components; four high-severity flaws in MediaTek components; and two high-severity vulnerabilities in Android Kernel components.
While the Android security platform and service protections such as Google Play Protect “reduce the likelihood that security vulnerabilities could be successfully exploited on Android,” Google recommended that Android users install the latest security patch just to be on the safe side.
Indeed, Google has historically struggled with the spread of malware via Android apps being downloaded from the Google Play store and has made a concerted effort in the last year and a half to try to stay on top of it.
Still, malware on the platform persists. Just last week researchers discovered a new Android mobile malware called EventBot that steals payment data from users of popular financial apps like PayPal, Barclays, CapitalOne and more.

Source: ThreatPost

WhatsApp MP4 Video Flaw Allows Hackers to Execute Code Remotely

NEW BUG IN WHATSAPP BASED ON MP4 VIDEO FLAWS
A new bug in WhatsApp, based on a flaw in MP4 video handling, has been revealed by Facebook. The vulnerability could lead to denial-of-service attacks or remote code execution. Facebook has disclosed a serious vulnerability that could result in remote code execution attacks against the WhatsApp messaging software. Last week, the tech giant said in a security advisory that the WhatsApp bug, tracked as CVE-2019-11931, is a stack-based buffer overflow that can be triggered by attackers sending .MP4 video files to victims.
Description
A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE. This affects Android versions prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Windows Phone versions before and including 2.18.368, Business for Android versions prior to 2.19.104, and Business for iOS versions prior to 2.19.100.
Although there are not many technical details available, Facebook has presented this problem as being caused by the way the application parses MP4 elementary stream metadata. If exploited, the vulnerability can lead to denial of service (DoS) or remote code execution (RCE) attacks.

PROOF OF CONCEPT
In October, Awakened, a cybersecurity researcher, disclosed a double-free vulnerability, CVE-2019-11932, that could be used in attacks to compromise chat sessions, files and messages. This double-free vulnerability in the DDGifSlurp function in decoding.c in libpl_droidsonroids_gif before 1.2.15, as used in WhatsApp for Android before 2.19.244, allows remote attackers to execute arbitrary code or cause a denial of service.
When a WhatsApp user opens the Gallery view in WhatsApp to send a media file, WhatsApp parses it with a native library called libpl_droidsonroids_gif.so to generate the preview of the GIF file. libpl_droidsonroids_gif.so is an open-source library whose source code is available on GitHub.
A GIF file contains multiple encoded frames. To store the decoded frames, a buffer named rasterBits is used. If all frames have the same size, rasterBits is re-used to store the decoded frames without re-allocation. However, rasterBits is re-allocated if one of the three conditions below is met:
  • Width * Height > originalWidth * originalHeight
  • Width - originalWidth > 0
  • Height - originalHeight > 0
Re-allocation is a combination of free and malloc. If the size of the re-allocation is 0, it is simply a free. Say we have a GIF file that contains three frames with sizes of 100, 0 and 0.
  • After the first re-allocation, we have info->rasterBits buffer of size 100.
  • In the second re-allocation of 0, info->rasterBits buffer is freed.
  • In the third re-allocation of 0, info->rasterBits is freed again.
This results in a double-free vulnerability. The triggering location can be found in decoding.c:
int_fast32_t widthOverflow = gifFilePtr->Image.Width - info->originalWidth;
int_fast32_t heightOverflow = gifFilePtr->Image.Height - info->originalHeight;
/* a frame whose width or height is 0 yields newRasterSize == 0 */
const uint_fast32_t newRasterSize =
        gifFilePtr->Image.Width * gifFilePtr->Image.Height;
if (newRasterSize > info->rasterSize || widthOverflow > 0 ||
    heightOverflow > 0) {
    /* reallocarray() with a size of 0 acts as free(): the old buffer is
       released and NULL is returned */
    void *tmpRasterBits = reallocarray(info->rasterBits, newRasterSize,
                                       sizeof(GifPixelType));
    if (tmpRasterBits == NULL) {
        /* error path keeps info->rasterBits pointing at freed memory, so the
           next re-allocation frees it a second time */
        gifFilePtr->Error = D_GIF_ERR_NOT_ENOUGH_MEM;
        break;  /* leaves the enclosing frame-decoding loop */
    }
    info->rasterBits = tmpRasterBits;
    info->rasterSize = newRasterSize;
}
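The following program is an added example, not code from the page, from Awakened or from libpl_droidsonroids_gif. It models the rasterBits bookkeeping in the excerpt above with hypothetical names (GifInfo, Frame, model_realloc, vulnerable_slurp, hardened_slurp): the heap is never actually freed twice; instead a second free of released memory is counted, so the program runs without undefined behaviour. The frame sequence is constructed, and running the decode loop twice on the same state is an assumption standing in for the "third re-allocation" the text describes. The hardened variant is this example's own fix (reject zero-area frames before allocating, never keep a stale pointer), not the library's 1.2.15 patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical model of the decoder state; not the library's own types. */
typedef struct { int32_t width, height; } Frame;

typedef struct {
    void    *rasterBits;     /* decoded-frame buffer, as in the excerpt */
    size_t   rasterSize;     /* capacity of rasterBits in pixels */
    int32_t  originalWidth;  /* logical screen the frames must fit in */
    int32_t  originalHeight;
    bool     rasterFreed;    /* model-only: rasterBits points at released memory */
    int      doubleFrees;    /* model-only: frees of already-released memory */
} GifInfo;

/* Models realloc(ptr, n) (one byte per pixel). For n == 0 it does what glibc and
 * bionic do: release ptr and return NULL. A repeat free is counted, not performed. */
static void *model_realloc(GifInfo *info, size_t n) {
    if (info->rasterBits != NULL && info->rasterFreed) {
        info->doubleFrees++;            /* real code would corrupt the heap here */
        return NULL;
    }
    if (n == 0) {
        free(info->rasterBits);
        info->rasterFreed = true;       /* caller still holds the stale pointer */
        return NULL;
    }
    void *p = realloc(info->rasterBits, n);
    if (p != NULL) info->rasterFreed = false;
    return p;
}

/* Releases the buffer at most once and clears every reference to it. */
static void gif_release(GifInfo *info) {
    if (info->rasterBits != NULL && !info->rasterFreed) free(info->rasterBits);
    info->rasterBits = NULL;
    info->rasterSize = 0;
    info->rasterFreed = false;
}

/* Same decision logic as the excerpt: a frame wider than the canvas but with
 * height 0 takes the reallocation branch with newRasterSize == 0. */
static void vulnerable_slurp(GifInfo *info, const Frame *frames, size_t n) {
    for (size_t i = 0; i < n; i++) {
        int_fast32_t widthOverflow  = frames[i].width  - info->originalWidth;
        int_fast32_t heightOverflow = frames[i].height - info->originalHeight;
        uint_fast32_t newRasterSize = (uint_fast32_t)(frames[i].width * frames[i].height);
        if (newRasterSize > info->rasterSize || widthOverflow > 0 || heightOverflow > 0) {
            void *tmp = model_realloc(info, newRasterSize);
            if (tmp == NULL) break;     /* stale info->rasterBits survives the error */
            info->rasterBits = tmp;
            info->rasterSize = newRasterSize;
        }
    }
}

/* Hardened form (this example's own, not the library's fix): reject zero or
 * negative dimensions and frames larger than the canvas before allocating, so the
 * size handed to realloc is never 0, and fail closed without a stale pointer. */
static bool hardened_slurp(GifInfo *info, const Frame *frames, size_t n) {
    for (size_t i = 0; i < n; i++) {
        int32_t w = frames[i].width, h = frames[i].height;
        if (w <= 0 || h <= 0 || w > info->originalWidth || h > info->originalHeight) {
            gif_release(info);          /* malformed image descriptor */
            return false;
        }
        size_t newRasterSize = (size_t)w * (size_t)h;   /* bounded by canvas area */
        if (newRasterSize > info->rasterSize) {
            void *tmp = model_realloc(info, newRasterSize);
            if (tmp == NULL) { gif_release(info); return false; }
            info->rasterBits = tmp;
            info->rasterSize = newRasterSize;
        }
    }
    return true;
}

/* Constructed input: a valid 10x10 frame, then a descriptor wider than the
 * 10x10 canvas with height 0. Each run decodes the sequence twice (assumption). */
static const Frame kFrames[] = { {10, 10}, {11, 0} };
static const size_t kFrameCount = sizeof kFrames / sizeof kFrames[0];

int run_vulnerable(void) {
    GifInfo info = { NULL, 0, 10, 10, false, 0 };
    vulnerable_slurp(&info, kFrames, kFrameCount);
    vulnerable_slurp(&info, kFrames, kFrameCount);
    int d = info.doubleFrees;
    gif_release(&info);
    return d;                            /* 1: the second pass frees the stale buffer again */
}

int run_hardened(void) {
    GifInfo info = { NULL, 0, 10, 10, false, 0 };
    hardened_slurp(&info, kFrames, kFrameCount);
    hardened_slurp(&info, kFrames, kFrameCount);
    int d = info.doubleFrees;
    gif_release(&info);
    return d;                            /* 0: the zero-height frame is rejected first */
}

int main(void) {
    printf("vulnerable: %d double free(s), hardened: %d\n", run_vulnerable(), run_hardened());
    return 0;
}
```

The first pass of vulnerable_slurp frees rasterBits through the zero-size reallocation and then breaks out with the pointer still stored; the second pass takes the same branch on the same frame and hands the released pointer back to the allocator. The hardened loop never reaches the allocator with a zero size, and every error path clears the pointer, which is the property a reviewer should look for in any decoder that reuses a buffer across frames.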
Another set of interesting vulnerabilities in the application was revealed by Check Point a month ago. The set of bugs "could allow threat actors to intercept and manipulate messages sent in private and group conversations," the researchers said, and could be weaponised against the "quote" feature, group replies and private messages. More information about this vulnerability can be found in the proof-of-concept article written by Awakened.

A NECESSARY UPDATE
Users are advised to update their software versions to mitigate the risk of exploitation. However, there do not appear to be any reports of the vulnerability being actively exploited in the wild. "WhatsApp is constantly working to improve the security of our service," said a Facebook spokesman. "We publish public reports on potential issues that we have resolved, in line with industry best practices, in which case there is no reason to believe that users have been affected," said the American giant.

Source: @neoslab