Fuzzing Android OMX (HITCON, v2)
TRANSCRIPT
About Us
• Mingjian Zhou, 周明建
– Security researcher @ 360 C0RE team
– Focused on Android vulnerability research and exploit development
• Chiachih Wu, 吳家志 (@chiachih_wu)
– Security researcher @ 360 C0RE team
– Android/Linux system security research
– C0RE team (c0reteam.org) founding member
• C0RE Team
– A security-focused group started in mid-2015
– With a recent focus on the Android/Linux platform, the team aims to discover zero-day vulnerabilities, develop proof-of-concept exploits, and explore possible defenses
What is OMX (1/2)
• Open Media Acceleration, aka OpenMAX, often shortened as "OMX"
• WIKI: a non-proprietary and royalty-free cross-platform set of C-language programming interfaces that provides abstractions for routines especially useful for audio, video, and still image processing.
OMX in Android (1/2)
• OMX Integration Layer (IL) – provides a standardized way for Stagefright to recognize and use custom hardware-based multimedia codecs called components.
• Vendors provide the OMX plugin which links custom codec components to Stagefright.
• Custom codecs must be implemented according to the OMX IL component standard.
OMX in Android (2/2)
[Diagram: user apps (Music, MMS, …) talk over Binder IPC to MediaServer, which hosts MediaPlayerService, Stagefright, the OMX IL with the video and audio OMX components, and the soft A/V codecs; the OMX components reach the video and audio drivers in the kernel through IOCTL]
OMX Codecs
• Android provides built-in software codecs for common media formats
• Vendors' codecs
[Figure: built-in soft codecs example; vendor codecs example]
The Attack Surface (1/2)
[Diagram: the same architecture as on the previous slide, used to locate the attack surface: user apps (Music, MMS, …) reach MediaServer (MediaPlayerService, Stagefright, OMX IL, video/audio OMX components, soft A/V codecs) over Binder IPC, and the OMX components reach the kernel video/audio drivers over IOCTL]
The Attack Surface (2/2)
[Diagram: APP → Binder IPC → MediaServer, where IOMX → OMXNodeInstance → OMXMaster dispatches to the Google soft OMX codecs (SoftVPX, SoftAMR, SoftMP3, SoftG711, …) and to the vendor OMX plugins (Qcom plugin, Nvidia plugin, MTK plugin, …)]
OMX Interfaces
• Defined in IOMX
API functions:
– listNodes: List names of all the codec components
– allocateNode: Create a codec component
– allocateBuffer: Allocate input/output buffers for codec
– useBuffer: Provide a shared buffer to the server
– emptyBuffer: Request (or receive) an empty input buffer, fill it up with data and send it to the codec for processing
– fillBuffer: Request (or receive) a filled output buffer, consume its contents and release it back to the codec
– sendCommand: Send commands to codecs, such as changing state, port disable/enable
– getParameter: Get codecs' parameters
– setParameter: Set codecs' parameters
Fuzzing Flow
[Flowchart] Start → Select a component from the node list → Get the default codec parameters → Generate new parameters and set → Change the codec state from loaded to idle → Prepare input port buffers → Prepare output port buffers → Change the codec state from idle to executing → Empty/Fill buffers → Free node → End
Confirmed Vulnerabilities (1/3)
• By 2016/07/07, a total of 21 vulnerabilities are confirmed.
– 16 vulnerabilities (15 high, 1 moderate) have been disclosed on Android Security Bulletins.
– Others will be disclosed on later Android Security Bulletins.
• Almost all the codecs implemented by Google and vendors (Qualcomm, Nvidia, MediaTek) are vulnerable.
Confirmed Vulnerabilities (2/3)
NO. CVE Android ID Codec
1 CVE-2016-2450 ANDROID-27569635 Google SoftVPX encoder
2 CVE-2016-2451 ANDROID-27597103 Google SoftVPX decoder
3 CVE-2016-2452 ANDROID-27662364 Google SoftAMR decoder
4 CVE-2016-2477 ANDROID-27251096 Qcom libOmxVdec
5 CVE-2016-2478 ANDROID-27475409 Qcom libOmxVdec
6 CVE-2016-2479 ANDROID-27532282 Qcom libOmxVdec
7 CVE-2016-2480 ANDROID-27532721 Qcom libOmxVdec
8 CVE-2016-2481 ANDROID-27532497 Qcom libOmxVenc
9 CVE-2016-2482 ANDROID-27661749 Qcom libOmxVdec
10 CVE-2016-2483 ANDROID-27662502 Qcom libOmxVenc
Confirmed Vulnerabilities (3/3)
NO. CVE Android ID Codec
11 CVE-2016-2484 ANDROID-27793163 Google SoftG711 decoder
12 CVE-2016-2485 ANDROID-27793367 Google SoftGSM decoder
13 CVE-2016-2486 ANDROID-27793371 Google SoftMP3 decoder
14 CVE-2016-3747 ANDROID-27903498 Qcom libOmxVenc
15 CVE-2016-3746 ANDROID-27890802 Qcom libOmxVdec
16 CVE-2016-3765 ANDROID-28168413 Google SoftMPEG2 decoder
17 CVE-2016-3844 ANDROID-28299517 Not disclosed yet
18 CVE-2016-3835 ANDROID-28920116 Not disclosed yet
19 CVE-2016-3825 ANDROID-28816964 Not disclosed yet
20 CVE-2016-3824 ANDROID-28816827 Not disclosed yet
21 CVE-2016-3823 ANDROID-28815329 Not disclosed yet
Patterns of Confirmed Vulnerabilities
• Mismatch between Android OMX framework and vendor codecs' implementation
• Time of check to time of use
• Race condition
• Invalid input/output buffer length
Mismatch between Android OMX and vendors' codec (1/2)
• CVE-2016-2480
[Diagram: the APP sends a Binder GET_CONFIG request with config index 2 and config size 16; Android OMX in MediaServer calls allocateConfig and allocates a 16-byte config buffer; the vendor codec's config table has index 0 of size 16, index 1 of size 256 and index 2 of size 256, so its memcpy for index 2 copies 256 bytes into the 16-byte buffer]
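The size mismatch shown in the diagram, as an added C example (not code from the talk or from any vendor codec; the config table, the config store and the function names are simplified assumptions): the vulnerable shape copies whatever length the codec's own table says, while the hardened shape is told the destination capacity and rejects the copy when the table size exceeds it.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Simplified model (assumed, not the real OMX headers): the vendor codec keeps
 * a table of config structures; sizes mirror the diagram (index 2 is 256 bytes). */
#define NUM_CONFIGS 3
static const size_t config_size[NUM_CONFIGS] = { 16, 256, 256 };
static uint8_t config_store[NUM_CONFIGS][256];   /* constructed config contents */

/* Vulnerable shape: the codec only knows its own table, so a 16-byte
 * framework buffer requested for index 2 receives 256 bytes (heap overflow). */
void vuln_get_config(unsigned index, void *dst)
{
    memcpy(dst, config_store[index], config_size[index]);
}

/* Hardened shape: the caller passes the destination capacity; the codec
 * validates the index and refuses any copy larger than that capacity.
 * Returns bytes copied, -1 for an unknown index, -2 for a size mismatch. */
int safe_get_config(unsigned index, void *dst, size_t dst_len)
{
    if (index >= NUM_CONFIGS) return -1;
    if (config_size[index] > dst_len) return -2;
    memcpy(dst, config_store[index], config_size[index]);
    return (int)config_size[index];
}

/* Framework side of GET_CONFIG: allocate the size the app asked for and let
 * the codec fill it, forwarding the capacity instead of trusting the table. */
int framework_get_config(unsigned index, size_t app_size)
{
    uint8_t *buf = malloc(app_size ? app_size : 1);
    if (!buf) return -3;
    int r = safe_get_config(index, buf, app_size);
    free(buf);
    return r;
}

int main(void)
{
    /* The request from the diagram: index 2 with a 16-byte config buffer. */
    printf("GET_CONFIG(index 2, size 16)  -> %d (rejected)\n", framework_get_config(2, 16));
    printf("GET_CONFIG(index 2, size 256) -> %d bytes\n", framework_get_config(2, 256));
    return 0;
}
```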
Mismatch between Android OMX and vendors' codec (2/2)
• CVE-2016-2477
[Diagram: the APP sends a Binder SET_CONFIG request carrying a VendorExtraConfig with pointer 0x1234; Android OMX reads the config from the APP and passes the VendorExtraConfig (pointer 0x1234) on to the vendor codec, which then reads/writes with the pointer]
Time of Check to Time of Use (1/2)
NO. CVE Android ID Codec
1 CVE-2016-2479 ANDROID-27532282 Qcom libOmxVdec
2 CVE-2016-2481 ANDROID-27532497 Qcom libOmxVenc
3 CVE-2016-2482 ANDROID-27661749 Qcom libOmxVdec
4 CVE-2016-2483 ANDROID-27662502 Qcom libOmxVenc
Time of Check to Time of Use (2/2)
[Diagram: the APP sends SET_PARAMETER to set the codec input buffer count to 8; MediaServer checks the buffer count and allocates buffers, and the APP supplies them with USE_BUFFER; the APP then sends SET_PARAMETER again to set the input buffer count to 0x1234, and the following USE_BUFFER/FREE_NODE accesses buffers with 0x1234, giving an OOB write and heap overflow]
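The check-then-use gap in the diagram, as an added C example (not code from the talk or from any vendor codec; the port structure, the cap and the function names are simplified assumptions): the vulnerable shape bounds USE_BUFFER by the count the app last set, while the hardened shape refuses count changes once buffers exist and bounds every access by what was actually allocated.

```c
#include <stdint.h>
#include <stdlib.h>
/* Simplified port model (assumed; not the real vendor structures). */
#define MAX_BUFFERS 64
typedef struct {
    uint32_t count;      /* buffer count as set through SET_PARAMETER */
    uint32_t allocated;  /* buffers that actually exist */
    void   **buffers;    /* table of app-supplied buffers */
} port_t;

/* Vulnerable shape from the diagram: SET_PARAMETER raises the count after
 * allocation and USE_BUFFER bounds the index by that count rather than by the
 * table size, so index 0x1233 becomes an out-of-bounds heap write. */
void vuln_set_count(port_t *p, uint32_t n) { p->count = n; }
int vuln_use_buffer(port_t *p, uint32_t idx, void *buf) {
    if (idx >= p->count) return -1;
    p->buffers[idx] = buf;   /* OOB write when count > allocated */
    return 0;
}

/* Hardened shape: the count may only change while no buffers exist and is
 * capped; use-time checks are made against what was really allocated. */
int safe_set_count(port_t *p, uint32_t n) {
    if (p->allocated != 0) return -1;          /* reject while buffers exist */
    if (n == 0 || n > MAX_BUFFERS) return -2;  /* reject counts like 0x1234 */
    p->count = n; return 0;
}
int safe_allocate(port_t *p) {
    p->buffers = calloc(p->count, sizeof(void *));
    if (!p->buffers) return -1;
    p->allocated = p->count; return 0;
}
int safe_use_buffer(port_t *p, uint32_t idx, void *buf) {
    if (idx >= p->allocated) return -1;        /* bounded by existing buffers */
    p->buffers[idx] = buf; return 0;
}

/* Replays the diagram's sequence against the hardened port: set 8, allocate,
 * use index 7, then try to raise the count to 0x1234 and use index 0x1233.
 * Returns 0 when the first three succeed and the last two are refused. */
int replay_toctou(void) {
    port_t p = { 0, 0, NULL };
    static char app_buf[16];   /* constructed stand-in for an app buffer */
    int ok = safe_set_count(&p, 8) == 0 && safe_allocate(&p) == 0
          && safe_use_buffer(&p, 7, app_buf) == 0
          && safe_set_count(&p, 0x1234) == -1
          && safe_use_buffer(&p, 0x1233, app_buf) == -1;
    free(p.buffers);
    return ok ? 0 : -1;
}
```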
Race Condition
• CVE-2016-3747
[Diagram: the APP drives the codec over Binder IPC with USE_BUFFER and SEND_COMMAND, so the decoder thread in MediaServer reads/writes the input/output buffers; a FREE_NODE request handled on a Binder thread frees those buffers with no synchronization against the decoder thread]
Invalid Input/Output Buffer Length
• Codecs don't check the buffer length
NO. CVE Android ID Codec
1 CVE-2016-2450 ANDROID-27569635 Google SoftVPX encoder
2 CVE-2016-2451 ANDROID-27597103 GoogleSoftVPXdecoder
3 CVE-2016-2452 ANDROID-27662364 GoogleSoftAMR decoder
4 CVE-2016-2484 ANDROID-27793163 Google SoftG711decoder
5 CVE-2016-2485 ANDROID-27793367 Google SoftGSM decoder
6 CVE-2016-2486 ANDROID-27793371 GoogleSoftMP3decoder
Invalid Input/Output Buffer Length
[Diagram: the APP calls USE_BUFFER with input buffers of size 256 and output buffers of size 8, memory shared with the APP over Binder IPC; during decode the codec reads 256 bytes from the input buffer and writes 300 bytes into the 8-byte output buffer]
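The missing length check from the diagram, as an added C example (not code from the talk or from any Google soft codec; the buffer header, the fixed 300-byte frame and the function names are simplified assumptions): the vulnerable decoder writes its frame without looking at the output capacity, while the hardened one validates every app-controlled length against the capacity before touching shared memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified buffer header (assumed; only the fields that matter here). */
typedef struct {
    uint8_t *pBuffer;     /* memory shared with the app */
    size_t   nAllocLen;   /* capacity the app supplied with USE_BUFFER */
    size_t   nOffset;
    size_t   nFilledLen;  /* bytes the app claims valid (input) / bytes produced (output) */
} buf_hdr_t;

/* Constructed "decoder": a 256-byte input frame always expands to 300 bytes. */
#define FRAME_OUT_BYTES 300

/* Vulnerable shape from the diagram: read nFilledLen bytes and write the
 * decoded frame without consulting nAllocLen, so an 8-byte output buffer
 * receives 300 bytes. */
void vuln_decode(const buf_hdr_t *in, buf_hdr_t *out)
{
    uint8_t frame[256];
    memcpy(frame, in->pBuffer + in->nOffset, in->nFilledLen);
    memset(out->pBuffer, 0, FRAME_OUT_BYTES);   /* overflows when nAllocLen < 300 */
    out->nFilledLen = FRAME_OUT_BYTES;
}

/* Hardened shape. Returns 0 on success, -1 for a bad input header,
 * -2 when the output buffer cannot hold the decoded frame. */
int safe_decode(const buf_hdr_t *in, buf_hdr_t *out)
{
    uint8_t frame[256];
    if (in->nFilledLen > sizeof frame) return -1;
    if (in->nOffset > in->nAllocLen || in->nFilledLen > in->nAllocLen - in->nOffset) return -1;
    if (out->nAllocLen < FRAME_OUT_BYTES) return -2;
    memcpy(frame, in->pBuffer + in->nOffset, in->nFilledLen);
    memset(out->pBuffer, 0, FRAME_OUT_BYTES);
    out->nFilledLen = FRAME_OUT_BYTES;
    return 0;
}

/* Builds the diagram's scenario (256-byte input, out_len-byte output) and runs
 * the hardened decoder on it; out_len must be at most 512 here. */
int decode_with_sizes(size_t in_filled, size_t out_len)
{
    static uint8_t in_mem[256], out_mem[512];   /* constructed shared memory */
    buf_hdr_t in  = { in_mem, sizeof in_mem, 0, in_filled };
    buf_hdr_t out = { out_mem, out_len, 0, 0 };
    return safe_decode(&in, &out);
}
```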
Conclusion
• Android OMX is vulnerable
– OMX interfaces and OMX codecs are implemented by Google and vendors separately.
– Media processing is complex.
• Fuzzing combined with code auditing is helpful for such modules.
– Many codecs & parameters
Any Questions?
• If you prefer to ask offline, contact us:
– Mingjian Zhou
• Twitter/Weibo: @Mingjian_Zhou
• Mail: [email protected]
– Chiachih Wu
• Twitter: @chiachih_wu