
Samsung Critical Security Vulnerability: 0-click RCE in All Modern Phones - yamrzou
https://twitter.com/j00ru/status/1258066559765004295
======
est31
> According to my analysis, custom image formats started being introduced by
> Samsung around Android version 4.4.4 in the second half of 2014.

This thread is from 2010 and about the qmg format being used for boot screens:
[https://forum.xda-developers.com/showthread.php?t=792953](https://forum.xda-developers.com/showthread.php?t=792953)

It might not be network exploitable on older devices, but still troubling.

------
panpanna
SVE-2020-16747: Memory corruption in Quram library with decoding qmg

Severity: Critical

Affected versions: O(8.X), P(9.0), Q(10.0)

Reported on: January 28, 2020

Disclosure status: Privately disclosed.

A possible memory overwrite vulnerability in Quram qmg library allows possible
remote arbitrary code execution.

---

Note that this came from project zero.

I guess they got tired of finding iOS vulnerabilities and getting crap for it.

------
panpanna
This probably explains why the monthly security patches arrived a bit early on
Samsung devices this month.

Edit: last time something this bad happened, Samsung surprised everyone by
updating really old note devices. Let's see if they can repeat that.

~~~
executesorder66
I actually got a security update on my note 3 like two days ago.

~~~
panpanna
That was very unexpected!

Note 3 was released in 2013, so Samsung is pushing security patches 7 years
after introduction. That's better than any other company, including Apple!!

------
mschuster91
Oh great, I probably have a vulnerable tablet (SM-T719 if anyone's curious).
However, it's rooted, so no firmware updates for me for years now. And stock
ROMs are almost impossible to download.

Does anyone know how to get this tablet at least somehow secure?

~~~
the_pwner224
You can see if there is an AOSP-based ROM (like LineageOS) available. In
general, unless you need some Samsung-specific software, those are better
anyway since they have less bloatware/spyware since they are just plain
Android.

The attack is in their image processing library; the remote exploit comes from
Samsung's messages app automatically processing MMS attachments. The twitter
thread said that disabling MMS auto-download [or using another MMS app?] will
probably fix that, but there could be other channels that cause the library to
be used.

------
badrabbit
Why haven't all the control flow integrity based exploit mitigation solutions
gained wider adoption? They would prevent exploitation of RCE like this,
right?

[https://en.m.wikipedia.org/wiki/Control-flow_integrity](https://en.m.wikipedia.org/wiki/Control-flow_integrity)

~~~
fulafel
That's what they said about all the elements of the currently deployed
tower of mitigations. It's better to replace unsafe codecs with sound
implementations; we've known how to do that for a long time, after all.

------
alexandercrohde
Where would I find out if my S6 is going to be patched for this?

------
wegs
Can someone post a TL;DR for those of us who can't watch video?

* What's the vulnerability?

* Has it been patched?

* How do we mitigate it?

~~~
the_pwner224
Android has an image processing library. Samsung added support for some weird
image formats by a Korean company. That is the vulnerable code. The Samsung
messages app automatically downloads MMS attachments and processes them. So
send weird image format via SMS => RCE.

It has been patched in the latest update.

The Twitter thread says that disabling MMS auto download in the messaging app
[or using another MMS app?] should probably fix the 0-click aspect of it, but
would still leave open other channels of exploitation.

~~~
wegs
I have a Samsung phone. It doesn't seem to have an option to automatically
disable MMS downloads, and last patch is from March.

I'm wondering if I'm vulnerable.

