android 7 9 videoplayer ihevcd_parse_pps outofbounds write

▸▸▸ Exploit & Vulnerability >>   dos exploit & android vulnerability




Online Vulnerability Scanner Tools
android 7 9 videoplayer ihevcd_parse_pps outofbounds write Code Code... 
				
CVE-2019-2107 - looks scary. Still remember Stagefright and PNG bugs vulns .... With CVE-2019-2107 the decoder/codec runs under mediacodec user and with properly "crafted" video (with tiles enabled - ps_pps->i1_tiles_enabled_flag) you can possibly do RCE. The codec affected is HVEC (a.k.a H.265 and MPEG-H Part 2) #exploit #rce #android #stagefright #cve


More infos
LineageOS (Android):

02-11 20:18:48.238   260   260 D FFmpegExtractor: ffmpeg detected media content as 'video/hevc' with confidence 0.08
02-11 20:18:48.239   260   260 I FFMPEG  : [hevc @ 0xb348f000] Invalid tile widths.
02-11 20:18:48.239   260   260 I FFMPEG  : [hevc @ 0xb348f000] PPS id out of range: 0
02-11 20:18:48.240   260   260 I FFMPEG  : [hevc @ 0xb348f000] Invalid tile widths.
02-11 20:18:48.240   260   260 I FFMPEG  : [hevc @ 0xb348f000] PPS id out of range: 0
02-11 20:18:48.240   260   260 I FFMPEG  : [hevc @ 0xb348f000] Error parsing NAL unit #5.
02-11 20:18:48.240   260   260 I FFMPEG  : [hevc @ 0xb348f000] Invalid tile widths.
mplayer (laptop)

id: 0
[hevc @ 0x7f0bf58a7560]Decoding VPS
[hevc @ 0x7f0bf58a7560]Main profile bitstream
[hevc @ 0x7f0bf58a7560]Decoding SPS
[hevc @ 0x7f0bf58a7560]Main profile bitstream
[hevc @ 0x7f0bf58a7560]Decoding VUI
[hevc @ 0x7f0bf58a7560]Decoding PPS
[hevc @ 0x7f0bf58a7560]Invalid tile widths.
[hevc @ 0x7f0bf58a7560]Decoding SEI
[hevc @ 0x7f0bf58a7560]Skipped PREFIX SEI 5
[hevc @ 0x7f0bf58a7560]PPS id out of range: 0
[hevc @ 0x7f0bf58a7560]Error parsing NAL unit #5.
Error while decoding frame!
This stops it when the tile width is bigger than allowed: https://gitlab.freedesktop.org/gstreamer/meson-ports/ffmpeg/blob/ebf648d490448d511b5fe970d76040169e65ef74/libavcodec/hevc_ps.c#L1526

So the check are there.

On stock/google Andoird I think it will use libhevc, not ffmpeg, when using VideoPlayer.

https://www.droidviews.com/enjoy-hevc-h-265-video-playback-on-android/

I have the google codec:

OMX.google.hevc.decoder

I am wondering however why it does not crash ....

Attaching the video (videopoc.mp4) that should trigger this condition:

if (value >= ps_sps->i2_pic_wd_in_ctb - start)
+                        {
+                            return IHEVCD_INVALID_HEADER;
+                        }
Maybe somebody have more luck.

More infos 2
Whoooo hooo .... made it :)

Proof of concept is in hevc-crash-poc.mp4, other videos are for non andoird players.

Hvec-"fright" is possible. You can own the mobile by viewing a video with payload. In my example I didn't include real payload.

07-13 21:50:59.000  3351  3351 I /system/bin/tombstoned: received crash request for pid 24089
07-13 21:50:59.006 24089 24089 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
07-13 21:50:59.006 24089 24089 F DEBUG   : Build fingerprint: 'samsung/hero2ltexx/hero2lte:8.0.0/R16NW/G935FXXS4ESC3:user/release-keys'
07-13 21:50:59.006 24089 24089 F DEBUG   : Revision: '9'
07-13 21:50:59.006 24089 24089 F DEBUG   : ABI: 'arm64'
07-13 21:50:59.006 24089 24089 F DEBUG   : pid: 24089, tid: 24089, name: media.extractor  >>> mediaextractor <<<
07-13 21:50:59.006 24089 24089 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7ccb800050
07-13 21:50:59.009 24089 24089 F DEBUG   :     x0   00000000ffffff36  x1   0000000000000000  x2   00000000000000f0  x3   0000000000000001
07-13 21:50:59.009 24089 24089 F DEBUG   :     x4   0000000000000001  x5   0000007ccb5df1b8  x6   0000007cc927363e  x7   0000007cc8e7bd04
07-13 21:50:59.009 24089 24089 F DEBUG   :     x8   0000000000004170  x9   0000000000004160  x10  00000000ffffffff  x11  0000007ccb7fbef0
07-13 21:50:59.010 24089 24089 F DEBUG   :     x12  0000007ccb5d3ce0  x13  000000000000001e  x14  0000000000000003  x15  0000000000000001
07-13 21:50:59.010 24089 24089 F DEBUG   :     x16  0000007cc99f5f50  x17  0000007ccb88885c  x18  0000007ccb566225  x19  0000007ccb562020
07-13 21:50:59.010 24089 24089 F DEBUG   :     x20  0000007ccb4f18a0  x21  0000007ccb468c6c  x22  0000000000000000  x23  0000000000000006
07-13 21:50:59.010 24089 24089 F DEBUG   :     x24  000000000000001e  x25  0000000000000094  x26  0000000000004160  x27  0000000000000001
07-13 21:50:59.010 24089 24089 F DEBUG   :     x28  0000007ccb55e750  x29  0000007fd6d39d90  x30  0000007cc99c4438
07-13 21:50:59.010 24089 24089 F DEBUG   :     sp   0000007fd6d39d20  pc   0000007cc99c44c4  pstate 0000000080000000
07-13 21:50:59.013 24089 24089 F DEBUG   : 
--


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47119.zip

Android 7 9 videoplayer ihevcd_parse_pps outofbounds write Vulnerability / Exploit Source : Android 7 9 videoplayer ihevcd_parse_pps outofbounds write



Last Vulnerability or Exploits

Developers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Easy integrations and simple setup help you start scanning in just some minutes
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Discover posible vulnerabilities before GO LIVE with your project
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Manage your reports without any restriction

Business Owners

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Obtain a quick overview of your website's security information
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Do an audit to find and close the high risk issues before having a real damage and increase the costs
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Verify if your developers served you a vulnerable project or not before you are paying
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Run periodically scan for vulnerabilities and get info when new issues are present.

Penetration Testers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Quickly checking and discover issues to your clients
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Bypass your network restrictions and scan from our IP for relevant results
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Create credible proved the real risk of vulnerabilities

Everybody

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check If you have an website and want you check the security of site you can use our products
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Scan your website from any device with internet connection

Tusted by
clients

 
  Our Cyber Security Web Test application uses Cookies. By using our Cyber Security Web Test application, you are agree that we will use this information. I Accept.