扫码分享
验证:
体验盒子CVE-2019-2107 - looks scary. Still remember Stagefright and PNG bugs vulns .... With CVE-2019-2107 the decoder/codec runs under mediacodec user and with properly "crafted" video (with tiles enabled - ps_pps->i1_tiles_enabled_flag) you can possibly do RCE. The codec affected is HVEC (a.k.a H.265 and MPEG-H Part 2) #exploit #rce #android #stagefright #cve
More infos
LineageOS (Android):
02-11 20:18:48.238 260 260 D FFmpegExtractor: ffmpeg detected media content as 'video/hevc' with confidence 0.08
02-11 20:18:48.239 260 260 I FFMPEG: [hevc @ 0xb348f000] Invalid tile widths.
02-11 20:18:48.239 260 260 I FFMPEG: [hevc @ 0xb348f000] PPS id out of range: 0
02-11 20:18:48.240 260 260 I FFMPEG: [hevc @ 0xb348f000] Invalid tile widths.
02-11 20:18:48.240 260 260 I FFMPEG: [hevc @ 0xb348f000] PPS id out of range: 0
02-11 20:18:48.240 260 260 I FFMPEG: [hevc @ 0xb348f000] Error parsing NAL unit #5.
02-11 20:18:48.240 260 260 I FFMPEG: [hevc @ 0xb348f000] Invalid tile widths.
mplayer (laptop)
id: 0
[hevc @ 0x7f0bf58a7560]Decoding VPS
[hevc @ 0x7f0bf58a7560]Main profile bitstream
[hevc @ 0x7f0bf58a7560]Decoding SPS
[hevc @ 0x7f0bf58a7560]Main profile bitstream
[hevc @ 0x7f0bf58a7560]Decoding VUI
[hevc @ 0x7f0bf58a7560]Decoding PPS
[hevc @ 0x7f0bf58a7560]Invalid tile widths.
[hevc @ 0x7f0bf58a7560]Decoding SEI
[hevc @ 0x7f0bf58a7560]Skipped PREFIX SEI 5
[hevc @ 0x7f0bf58a7560]PPS id out of range: 0
[hevc @ 0x7f0bf58a7560]Error parsing NAL unit #5.
Error while decoding frame!
This stops it when the tile width is bigger than allowed: https://gitlab.freedesktop.org/gstreamer/meson-ports/ffmpeg/blob/ebf648d490448d511b5fe970d76040169e65ef74/libavcodec/hevc_ps.c#L1526
So the check are there.
On stock/google Andoird I think it will use libhevc, not ffmpeg, when using VideoPlayer.
https://www.droidviews.com/enjoy-hevc-h-265-video-playback-on-android/
I have the google codec:
OMX.google.hevc.decoder
I am wondering however why it does not crash ....
Attaching the video (videopoc.mp4) that should trigger this condition:
if (value >= ps_sps->i2_pic_wd_in_ctb - start)
+{
+return IHEVCD_INVALID_HEADER;
+}
Maybe somebody have more luck.
More infos 2
Whoooo hooo .... made it :)
Proof of concept is in hevc-crash-poc.mp4, other videos are for non andoird players.
Hvec-"fright" is possible. You can own the mobile by viewing a video with payload. In my example I didn't include real payload.
07-13 21:50:59.00033513351 I /system/bin/tombstoned: received crash request for pid 24089
07-13 21:50:59.006 24089 24089 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
07-13 21:50:59.006 24089 24089 F DEBUG : Build fingerprint: 'samsung/hero2ltexx/hero2lte:8.0.0/R16NW/G935FXXS4ESC3:user/release-keys'
07-13 21:50:59.006 24089 24089 F DEBUG : Revision: '9'
07-13 21:50:59.006 24089 24089 F DEBUG : ABI: 'arm64'
07-13 21:50:59.006 24089 24089 F DEBUG : pid: 24089, tid: 24089, name: media.extractor>>> mediaextractor <<<
07-13 21:50:59.006 24089 24089 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7ccb800050
07-13 21:50:59.009 24089 24089 F DEBUG : x0 00000000ffffff36x1 0000000000000000x2 00000000000000f0x3 0000000000000001
07-13 21:50:59.009 24089 24089 F DEBUG : x4 0000000000000001x5 0000007ccb5df1b8x6 0000007cc927363ex7 0000007cc8e7bd04
07-13 21:50:59.009 24089 24089 F DEBUG : x8 0000000000004170x9 0000000000004160x1000000000ffffffffx110000007ccb7fbef0
07-13 21:50:59.010 24089 24089 F DEBUG : x120000007ccb5d3ce0x13000000000000001ex140000000000000003x150000000000000001
07-13 21:50:59.010 24089 24089 F DEBUG : x160000007cc99f5f50x170000007ccb88885cx180000007ccb566225x190000007ccb562020
07-13 21:50:59.010 24089 24089 F DEBUG : x200000007ccb4f18a0x210000007ccb468c6cx220000000000000000x230000000000000006
07-13 21:50:59.010 24089 24089 F DEBUG : x24000000000000001ex250000000000000094x260000000000004160x270000000000000001
07-13 21:50:59.010 24089 24089 F DEBUG : x280000007ccb55e750x290000007fd6d39d90x300000007cc99c4438
07-13 21:50:59.010 24089 24089 F DEBUG : sp 0000007fd6d39d20pc 0000007cc99c44c4pstate 0000000080000000
07-13 21:50:59.013 24089 24089 F DEBUG :
--
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47119.zip
体验盒子
