扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 |
CVE-2019-2107 - looks scary. Still remember Stagefright and PNG bugs vulns .... With CVE-2019-2107 the decoder/codec runs under mediacodec user and with properly "crafted" video (with tiles enabled - ps_pps->i1_tiles_enabled_flag) you can possibly do RCE. The codec affected is HVEC (a.k.a H.265 and MPEG-H Part 2) #exploit #rce #android #stagefright #cve More infos LineageOS (Android): 02-11 20:18:48.238 260 260 D FFmpegExtractor: ffmpeg detected media content as 'video/hevc' with confidence 0.08 02-11 20:18:48.239 260 260 I FFMPEG: [hevc @ 0xb348f000] Invalid tile widths. 02-11 20:18:48.239 260 260 I FFMPEG: [hevc @ 0xb348f000] PPS id out of range: 0 02-11 20:18:48.240 260 260 I FFMPEG: [hevc @ 0xb348f000] Invalid tile widths. 02-11 20:18:48.240 260 260 I FFMPEG: [hevc @ 0xb348f000] PPS id out of range: 0 02-11 20:18:48.240 260 260 I FFMPEG: [hevc @ 0xb348f000] Error parsing NAL unit #5. 02-11 20:18:48.240 260 260 I FFMPEG: [hevc @ 0xb348f000] Invalid tile widths. mplayer (laptop) id: 0 [hevc @ 0x7f0bf58a7560]Decoding VPS [hevc @ 0x7f0bf58a7560]Main profile bitstream [hevc @ 0x7f0bf58a7560]Decoding SPS [hevc @ 0x7f0bf58a7560]Main profile bitstream [hevc @ 0x7f0bf58a7560]Decoding VUI [hevc @ 0x7f0bf58a7560]Decoding PPS [hevc @ 0x7f0bf58a7560]Invalid tile widths. [hevc @ 0x7f0bf58a7560]Decoding SEI [hevc @ 0x7f0bf58a7560]Skipped PREFIX SEI 5 [hevc @ 0x7f0bf58a7560]PPS id out of range: 0 [hevc @ 0x7f0bf58a7560]Error parsing NAL unit #5. Error while decoding frame! This stops it when the tile width is bigger than allowed: https://gitlab.freedesktop.org/gstreamer/meson-ports/ffmpeg/blob/ebf648d490448d511b5fe970d76040169e65ef74/libavcodec/hevc_ps.c#L1526 So the check are there. On stock/google Andoird I think it will use libhevc, not ffmpeg, when using VideoPlayer. https://www.droidviews.com/enjoy-hevc-h-265-video-playback-on-android/ I have the google codec: OMX.google.hevc.decoder I am wondering however why it does not crash .... Attaching the video (videopoc.mp4) that should trigger this condition: if (value >= ps_sps->i2_pic_wd_in_ctb - start) +{ +return IHEVCD_INVALID_HEADER; +} Maybe somebody have more luck. More infos 2 Whoooo hooo .... made it :) Proof of concept is in hevc-crash-poc.mp4, other videos are for non andoird players. Hvec-"fright" is possible. You can own the mobile by viewing a video with payload. In my example I didn't include real payload. 07-13 21:50:59.00033513351 I /system/bin/tombstoned: received crash request for pid 24089 07-13 21:50:59.006 24089 24089 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** 07-13 21:50:59.006 24089 24089 F DEBUG : Build fingerprint: 'samsung/hero2ltexx/hero2lte:8.0.0/R16NW/G935FXXS4ESC3:user/release-keys' 07-13 21:50:59.006 24089 24089 F DEBUG : Revision: '9' 07-13 21:50:59.006 24089 24089 F DEBUG : ABI: 'arm64' 07-13 21:50:59.006 24089 24089 F DEBUG : pid: 24089, tid: 24089, name: media.extractor>>> mediaextractor <<< 07-13 21:50:59.006 24089 24089 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7ccb800050 07-13 21:50:59.009 24089 24089 F DEBUG : x0 00000000ffffff36x1 0000000000000000x2 00000000000000f0x3 0000000000000001 07-13 21:50:59.009 24089 24089 F DEBUG : x4 0000000000000001x5 0000007ccb5df1b8x6 0000007cc927363ex7 0000007cc8e7bd04 07-13 21:50:59.009 24089 24089 F DEBUG : x8 0000000000004170x9 0000000000004160x1000000000ffffffffx110000007ccb7fbef0 07-13 21:50:59.010 24089 24089 F DEBUG : x120000007ccb5d3ce0x13000000000000001ex140000000000000003x150000000000000001 07-13 21:50:59.010 24089 24089 F DEBUG : x160000007cc99f5f50x170000007ccb88885cx180000007ccb566225x190000007ccb562020 07-13 21:50:59.010 24089 24089 F DEBUG : x200000007ccb4f18a0x210000007ccb468c6cx220000000000000000x230000000000000006 07-13 21:50:59.010 24089 24089 F DEBUG : x24000000000000001ex250000000000000094x260000000000004160x270000000000000001 07-13 21:50:59.010 24089 24089 F DEBUG : x280000007ccb55e750x290000007fd6d39d90x300000007cc99c4438 07-13 21:50:59.010 24089 24089 F DEBUG : sp 0000007fd6d39d20pc 0000007cc99c44c4pstate 0000000080000000 07-13 21:50:59.013 24089 24089 F DEBUG : -- Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47119.zip |
体验盒子
