
Samsung patches 0-click vulnerability impacting all smartphones sold since 2014 - aspenmayer
https://www.zdnet.com/article/samsung-patches-0-click-vulnerability-impacting-all-smartphones-sold-since-2014/
======
aspenmayer
SVE-2020-16747
[https://security.samsungmobile.com/securityUpdate.smsb](https://security.samsungmobile.com/securityUpdate.smsb)

CVE-2020-8899 [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8899](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8899)

From the issues page:

Q: What privileges does the attacker gain in the system after a successful
attack?

A: The vulnerable codec executes in the context of the attacked app processing
input images, so the attacker also gets the privileges of that app. In the
case of my demo, that's Samsung Messages, which has access to a variety of
personal user information: call logs, contacts, microphone, storage, SMS etc.

While not explicitly tested, I also strongly suspect that local privilege
escalation may be possible with the help of these bugs. For example, the
highly privileged System UI process may display arbitrary images supplied by
other apps in notifications, and I have observed it crash in Qmage-related
code a number of times in my experimentation.

===

Q: Have you tested any attack vectors other than MMS?

A: I haven't devised any end-to-end attacks similar to that via MMS, but as
noted in the original bug report, all apps in the system which display
untrusted images with the standard Bitmap interfaces are affected by these
issues. For example, I have confirmed that the Qmage file which is used as the
final payload to get a reverse shell via MMS, also gives the attacker remote
access when it is copied to the device's file system and opened with the
Gallery app.

===

Q: Are there any mitigations available to users against this and similar
attacks, other than updating regularly?

A: For Samsung devices, these issues are fixed in the May 2020 patch.
Generally speaking of image codecs, I am not aware of any generic mitigations
against these types of bugs. One easy way to mitigate against attackers using
exploits delivered specifically through MMS is to disable the "auto retrieve"
option for multimedia messages in the Messages app.

From Mateusz Jurczyk of Google Project Zero's YouTube page:

[https://www.youtube.com/watch?v=nke8Z3G4jnc](https://www.youtube.com/watch?v=nke8Z3G4jnc)

‘This video demonstrates the exploitation of a vulnerability in the custom
Samsung Qmage image codec via MMS. The exploit proof-of-concept achieves
remote code execution with no user interaction on a Samsung Galaxy Note 10+
phone running Android 10 (February 2020 patch level).

‘Vulnerabilities in the Qmage format were reported by the Google Project Zero
team to Samsung in January 2020, and were addressed in the Samsung May 2020
Security Bulletin as SVE-2020-16747. The bugs were also collectively assigned
CVE-2020-8899.

‘For more details, see:

* [https://bugs.chromium.org/p/project-zero/issues/detail?id=20...](https://bugs.chromium.org/p/project-zero/issues/detail?id=2002) - the original in-depth report discussing the codec and security issues. It also includes an FAQ section outlining how the exploit works.
* [https://github.com/googleprojectzero/SkCodecFuzz](https://github.com/googleprojectzero/SkCodecFuzz) [currently 404] - source code of the fuzzing harness used to identify the crashes.
* [https://security.samsungmobile.com/securityUpdate.smsb](https://security.samsungmobile.com/securityUpdate.smsb) - Samsung Security Updates website.’

