Fuzzing Android OMX

Mingjian Zhou and Chiachih Wu, C0RE Team

HITCON 2016, slides: v2hitcon.org/2016/CMT/slide/day2-r2-c-1.pdf


About Us

• Mingjian Zhou, 周明建
  – Security researcher @ 360 C0RE team
  – Focused on Android vulnerability research and exploit development

• Chiachih Wu, 吳家志 (@chiachih_wu)
  – Security researcher @ 360 C0RE team
  – Android/Linux system security research
  – C0RE team (c0reteam.org) founding member

• C0RE Team
  – A security-focused group started in mid-2015
  – With a recent focus on the Android/Linux platform, the team aims to discover zero-day vulnerabilities, develop proof-of-concept exploits, and explore possible defenses

Agenda

• Introduction
• Fuzzing Android OMX
• Confirmed Vulnerabilities
• Patterns of OMX Vulnerabilities

INTRODUCTION
About OMX

What is OMX (1/2)

• Open Media Acceleration, aka OpenMAX, often shortened as "OMX"

• Wikipedia: a non-proprietary and royalty-free cross-platform set of C-language programming interfaces that provides abstractions for routines especially useful for audio, video, and still image processing.

What is OMX (2/2)

OMX in Android (1/2)

• OMX Integration Layer (IL) – provides a standardized way for Stagefright to recognize and use custom hardware-based multimedia codecs called components.

• Vendors provide the OMX plugin which links custom codec components to Stagefright.

• Custom codecs must be implemented according to the OMX IL component standard.

OMX in Android (2/2)

[Architecture diagram: user apps (Music, MMS, …) talk over Binder IPC to MediaServer, which hosts MediaPlayerService, Stagefright and the OMX IL with the video OMX component, the audio OMX component and the soft A/V codecs; the components reach the kernel's video and audio drivers via IOCTL.]

OMX Codecs

• Android provides built-in software codecs for common media formats

• Vendors' codecs

[Figures: built-in soft codecs example; vendor codecs example]

Why OMX?

• Exposed via multiple attack vectors

• Media native code is often vulnerable

FUZZING ANDROID OMX
Attack Surface & Flow

The Attack Surface (1/2)

[Architecture diagram as before: user apps (Music, MMS, …) → Binder IPC → MediaServer (MediaPlayerService, Stagefright, OMX IL, video/audio OMX components, soft A/V codecs) → IOCTL → kernel video/audio drivers.]

The Attack Surface (2/2)

[Diagram: APP → Binder IPC → MediaServer: IOMX → OMXMaster → OMXNodeInstance, dispatching to the Google soft OMX codecs (SoftVPX, SoftAMR, SoftMP3, SoftG711) and the vendor OMX plugins (Qcom plugin, Nvidia plugin, MTK plugin).]

OMX Interfaces

• Defined in IOMX

  API             Functions
  listNodes       List names of all the codec components
  allocateNode    Create a codec component
  allocateBuffer  Allocate input/output buffers for the codec
  useBuffer       Provide a shared buffer to the server
  emptyBuffer     Request (or receive) an empty input buffer, fill it up with data and send it to the codec for processing
  fillBuffer      Request (or receive) a filled output buffer, consume its contents and release it back to the codec
  sendCommand     Send commands to codecs, such as changing state, port disable/enable
  getParameter    Get codecs' parameters
  setParameter    Set codecs' parameters

Fuzzing Flow

[Flowchart, rendered as steps:]

  Start
  1. Select a component from the node list
  2. Get the default codec parameters
  3. Generate new parameters and set
  4. Prepare input port buffers
  5. Prepare output port buffers
  6. Change the codec state from loaded to idle
  7. Change the codec state from idle to executing
  8. Empty/Fill buffers
  9. Free node
  End

CONFIRMED VULNERABILITIES

Confirmed Vulnerabilities (1/3)

• By 2016/07/07, a total of 21 vulnerabilities are confirmed.
  – 16 vulnerabilities (15 high, 1 moderate) have been disclosed on Android Security Bulletins.
  – Others will be disclosed on later Android Security Bulletins.

• Almost all the codecs implemented by Google and vendors (Qualcomm, Nvidia, MediaTek) are vulnerable.

Confirmed Vulnerabilities (2/3)

  No.  CVE            Android ID         Codec
  1    CVE-2016-2450  ANDROID-27569635   Google SoftVPX encoder
  2    CVE-2016-2451  ANDROID-27597103   Google SoftVPX decoder
  3    CVE-2016-2452  ANDROID-27662364   Google SoftAMR decoder
  4    CVE-2016-2477  ANDROID-27251096   Qcom libOmxVdec
  5    CVE-2016-2478  ANDROID-27475409   Qcom libOmxVdec
  6    CVE-2016-2479  ANDROID-27532282   Qcom libOmxVdec
  7    CVE-2016-2480  ANDROID-27532721   Qcom libOmxVdec
  8    CVE-2016-2481  ANDROID-27532497   Qcom libOmxVenc
  9    CVE-2016-2482  ANDROID-27661749   Qcom libOmxVdec
  10   CVE-2016-2483  ANDROID-27662502   Qcom libOmxVenc

Confirmed Vulnerabilities (3/3)

  No.  CVE            Android ID           Codec
  11   CVE-2016-2484  ANDROID-27793163     Google SoftG711 decoder
  12   CVE-2016-2485  ANDROID-27793367     Google SoftGSM decoder
  13   CVE-2016-2486  ANDROID-27793371     Google SoftMP3 decoder
  14   CVE-2016-3747  ANDROID-27903498     Qcom libOmxVenc
  15   CVE-2016-3746  ANDROID-27890802     Qcom libOmxVdec
  16   CVE-2016-3765  ANDROID-28168413     Google SoftMPEG2 decoder
  17   CVE-2016-3844  AndroidID-28299517   Not disclosed yet
  18   CVE-2016-3835  AndroidID-28920116   Not disclosed yet
  19   CVE-2016-3825  AndroidID-28816964   Not disclosed yet
  20   CVE-2016-3824  AndroidID-28816827   Not disclosed yet
  21   CVE-2016-3823  AndroidID-28815329   Not disclosed yet

PATTERNS OF CONFIRMED VULNERABILITIES

Patterns of Confirmed Vulnerabilities

• Mismatch between the Android OMX framework and vendor codecs' implementation
• Time of check to time of use
• Race condition
• Invalid input/output buffer length

Mismatch between Android OMX and vendors' codec (1/2)

• CVE-2016-2480

[Sequence diagram: APP → MediaServer, Binder request GET_CONFIG with config index 2 and config size 16. Android OMX calls allocateConfig with config buffer size 16. The vendor codec's config table has index 0 / size 16, index 1 / size 256, index 2 / size 256; the vendor codec memcpy's its config into the buffer.]

Mismatch between Android OMX and vendors' codec (2/2)

• CVE-2016-2477

[Sequence diagram: APP → MediaServer, Binder request SET_CONFIG carrying a VendorExtraConfig with pointer 0x1234. Android OMX reads the config from the APP and hands the VendorExtraConfig (pointer 0x1234) to the vendor codec, which reads/writes with the pointer.]
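The two mismatch cases above share one root: the framework and the vendor codec disagree about what a struct crossing Binder means (its size in CVE-2016-2480, a pointer field in CVE-2016-2477). The following C is an added example and not code from the slides, from AOSP or from any vendor plugin; all names (vendor_cfg_table, omx_get_config, omx_set_extra_config, struct vendor_extra_cfg) are hypothetical, and the sizes 16/256 and the pointer 0x1234 are the constructed values shown in the diagrams. It places the unchecked GET_CONFIG shape beside one that validates the client-declared size against the size the vendor will actually copy, and a SET_CONFIG handler that refuses any client-supplied address.

```c
/* Added example (not from the slides): the "mismatch" pattern in plain C.
 * Names are hypothetical; 16/256 and 0x1234 are the diagram's constructed values. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OMX_OK          0
#define OMX_ERR_INDEX  -1
#define OMX_ERR_SIZE   -2
#define OMX_ERR_PTR    -3

/* Vendor side: one config struct per index, with the size the vendor codec
 * will memcpy. Index 2 is 256 bytes, not the 16 the client claimed. */
struct vendor_cfg { uint32_t index; size_t size; uint8_t data[256]; };

static struct vendor_cfg vendor_cfg_table[] = {
    { 0, 16,  { 0 } },
    { 1, 256, { 0 } },
    { 2, 256, { 0 } },
};
#define VENDOR_CFG_COUNT (sizeof(vendor_cfg_table) / sizeof(vendor_cfg_table[0]))

/* Vulnerable shape (CVE-2016-2480 pattern): the framework allocated
 * client_size bytes, the vendor copies its own struct size; client_size is
 * never consulted, so a 16-byte buffer receives 256 bytes. */
static int omx_get_config_unchecked(uint32_t index, void *buf, size_t client_size) {
    (void)client_size;
    if (index >= VENDOR_CFG_COUNT) return OMX_ERR_INDEX;
    memcpy(buf, vendor_cfg_table[index].data, vendor_cfg_table[index].size);
    return OMX_OK;
}

/* Hardened: the size the caller says it allocated must cover the struct the
 * vendor codec is about to copy, checked per index before any memcpy. */
static int omx_get_config(uint32_t index, void *buf, size_t client_size) {
    if (index >= VENDOR_CFG_COUNT) return OMX_ERR_INDEX;
    if (client_size < vendor_cfg_table[index].size) return OMX_ERR_SIZE;
    memcpy(buf, vendor_cfg_table[index].data, vendor_cfg_table[index].size);
    return OMX_OK;
}

/* SET_CONFIG side (CVE-2016-2477 pattern): a vendor "extra config" struct
 * carries a raw pointer. Whatever crossed Binder from the app is plain data;
 * a pointer field in it is an address in the app's view, never the server's. */
struct vendor_extra_cfg { uint32_t index; uintptr_t ptr; uint32_t len; };

static int omx_set_extra_config(const struct vendor_extra_cfg *cfg, size_t cfg_size) {
    if (cfg_size != sizeof(*cfg)) return OMX_ERR_SIZE;   /* exact size, no trailing junk */
    if (cfg->index >= VENDOR_CFG_COUNT) return OMX_ERR_INDEX;
    if (cfg->ptr != 0) return OMX_ERR_PTR;               /* client-supplied address: reject */
    /* real handling would take the payload from Binder-shared memory, not cfg->ptr */
    return OMX_OK;
}

int main(void) {
    uint8_t small[16], big[256];
    printf("unchecked, index 2, client claims 16: %d\n", omx_get_config_unchecked(2, big, sizeof small));
    printf("checked,   index 2, client claims 16: %d\n", omx_get_config(2, small, sizeof small));
    printf("checked,   index 2, 256-byte buffer:  %d\n", omx_get_config(2, big, sizeof big));
    struct vendor_extra_cfg bad = { 2, 0x1234, 8 };
    printf("extra config with pointer 0x1234:     %d\n", omx_set_extra_config(&bad, sizeof bad));
    return 0;
}
```

The unchecked variant is only ever called here with a buffer that is really 256 bytes, to show that it returns success regardless of the declared size; the point of the hardened pair is that the size and pointer checks live on the framework side, where the client-declared values are known, rather than being left to each vendor plugin.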

Time of Check to Time of Use (1/2)

  No.  CVE            Android ID         Codec
  1    CVE-2016-2479  ANDROID-27532282   Qcom libOmxVdec
  2    CVE-2016-2481  ANDROID-27532497   Qcom libOmxVenc
  3    CVE-2016-2482  ANDROID-27661749   Qcom libOmxVdec
  4    CVE-2016-2483  ANDROID-27662502   Qcom libOmxVenc

Time of Check to Time of Use (2/2)

[Sequence diagram, APP → MediaServer: SET_PARAMETER sets the codec input buffer count to 8; MediaServer checks the buffer count and allocates buffers; USE_BUFFER; a second SET_PARAMETER sets the codec input buffer count to 0x1234; USE_BUFFER / FREE_NODE then access buffers with 0x1234 → OOB write & heap overflow.]
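The sequence above works because the buffer count is checked once, when buffers are allocated, but re-read from a parameter the client can still change. The C below is an added example, not code from the slides or from any OMX plugin; struct omx_port, omx_set_buffer_count, omx_use_buffer and the other names are hypothetical, and 8 and 0x1234 are the constructed values from the diagram. It shows the unchecked setter beside a port model that (a) makes the buffer-count parameter immutable once any buffer is attached and (b) bounds every later access by the number of buffers actually attached rather than by the parameter, so even the unchecked setter cannot produce an out-of-bounds index.

```c
/* Added example (not from the slides): closing the TOCTOU window on an OMX
 * port's buffer count. Names are hypothetical; 8 and 0x1234 come from the diagram. */
#include <stdint.h>
#include <stdio.h>

#define MAX_BUFFERS     32
#define OMX_OK           0
#define OMX_ERR_RANGE   -1
#define OMX_ERR_STATE   -2

struct omx_buffer { uint8_t *data; size_t len; };

struct omx_port {
    uint32_t buffer_count;               /* value negotiated via SET_PARAMETER */
    uint32_t allocated;                  /* buffers actually attached via USE_BUFFER */
    struct omx_buffer bufs[MAX_BUFFERS]; /* fixed backing array */
};

/* Vulnerable shape: the count is accepted whenever it is asked for, so a later
 * SET_PARAMETER can raise buffer_count far beyond what was allocated at check
 * time; any code that then trusts buffer_count walks past the real buffers. */
static int omx_set_buffer_count_unchecked(struct omx_port *p, uint32_t n) {
    p->buffer_count = n;
    return OMX_OK;
}

/* Hardened: the parameter is only mutable while no buffers are attached
 * (the Loaded / port-disabled state), and it is range-checked. */
static int omx_set_buffer_count(struct omx_port *p, uint32_t n) {
    if (p->allocated != 0) return OMX_ERR_STATE;   /* buffers exist: too late to change */
    if (n == 0 || n > MAX_BUFFERS) return OMX_ERR_RANGE;
    p->buffer_count = n;
    return OMX_OK;
}

/* USE_BUFFER: attach one client buffer; refuses once the agreed count is reached. */
static int omx_use_buffer(struct omx_port *p, uint8_t *data, size_t len) {
    if (p->allocated >= p->buffer_count || p->allocated >= MAX_BUFFERS) return OMX_ERR_RANGE;
    p->bufs[p->allocated].data = data;
    p->bufs[p->allocated].len = len;
    p->allocated++;
    return OMX_OK;
}

/* Every later access is bounded by 'allocated', the value established when the
 * buffers were really attached, never by the re-settable parameter. */
static struct omx_buffer *omx_get_buffer(struct omx_port *p, uint32_t idx) {
    if (idx >= p->allocated) return NULL;
    return &p->bufs[idx];
}

/* FREE_NODE: release only what was attached, then reset the negotiation. */
static int omx_free_port(struct omx_port *p) {
    for (uint32_t i = 0; i < p->allocated; i++) { p->bufs[i].data = NULL; p->bufs[i].len = 0; }
    p->allocated = 0;
    p->buffer_count = 0;
    return OMX_OK;
}

/* Replays the diagram's sequence against the hardened port and returns the
 * result of the second SET_PARAMETER (0x1234). Backing storage is constructed. */
static int replay_toctou_sequence(struct omx_port *p) {
    static uint8_t backing[8][64];
    *p = (struct omx_port){0};
    if (omx_set_buffer_count(p, 8) != OMX_OK) return -100;
    for (int i = 0; i < 8; i++)
        if (omx_use_buffer(p, backing[i], sizeof backing[i]) != OMX_OK) return -101;
    return omx_set_buffer_count(p, 0x1234);   /* rejected: buffers already attached */
}

int main(void) {
    struct omx_port port;
    printf("second SET_PARAMETER(0x1234) -> %d (OMX_ERR_STATE is %d)\n",
           replay_toctou_sequence(&port), OMX_ERR_STATE);
    omx_set_buffer_count_unchecked(&port, 0x1234);      /* the vulnerable setter, for contrast */
    printf("buffer 0x1233 after unchecked set -> %s\n",
           omx_get_buffer(&port, 0x1233) ? "found" : "NULL (bounded by allocated)");
    omx_free_port(&port);
    return 0;
}
```

The two defenses are independent: the state check removes the window in which the parameter can change after it was validated, and indexing by the attached count means a stale or tampered parameter has no bearing on memory accesses even if the first check is missing somewhere.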

Race Condition

• CVE-2016-3747

[Diagram: the APP sends USE_BUFFER and SEND_COMMAND to MediaServer over Binder IPC; the decoder thread reads/writes the input/output buffers while a Binder thread handling FREE_NODE frees them. NO SYNC.]

Invalid Input/Output Buffer Length

• Codecs don't check the buffer length

  No.  CVE            Android ID         Codec
  1    CVE-2016-2450  ANDROID-27569635   Google SoftVPX encoder
  2    CVE-2016-2451  ANDROID-27597103   Google SoftVPX decoder
  3    CVE-2016-2452  ANDROID-27662364   Google SoftAMR decoder
  4    CVE-2016-2484  ANDROID-27793163   Google SoftG711 decoder
  5    CVE-2016-2485  ANDROID-27793367   Google SoftGSM decoder
  6    CVE-2016-2486  ANDROID-27793371   Google SoftMP3 decoder

Invalid Input/Output Buffer Length

[Diagram: APP → MediaServer over Binder IPC: USE_BUFFER with buffer size 256 (input buffers, size 256) and USE_BUFFER with buffer size 8 (output buffers, size 8), memory shared with the APP. The codec's Decode reads 256 bytes and writes 300 bytes.]
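In the diagram the app chooses both buffer sizes and the codec writes a fixed-size decoded frame without looking at them. The C below is an added example, not code from the slides or from any of the listed soft codecs; the toy decoder, its frame sizes and the names (struct omx_buf_hdr, decode_frame, run_scenario) are hypothetical, with 256, 8 and 300 taken from the diagram as constructed values. It puts the unchecked decode step beside one that validates the input payload bounds and the remaining output capacity before touching either buffer, using subtraction rather than addition so the offset-plus-length check cannot wrap.

```c
/* Added example (not from the slides): buffer-length validation in a toy
 * OMX-style decoder step. Names and frame sizes are hypothetical; 256/8/300
 * are the diagram's constructed values. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the fields an OMX buffer header carries: total allocation, and the
 * offset/length of the valid payload inside it. */
struct omx_buf_hdr {
    uint8_t *data;
    size_t   alloc_len;   /* nAllocLen: what the client actually mapped */
    size_t   offset;      /* nOffset */
    size_t   filled_len;  /* nFilledLen */
};

#define FRAME_IN_BYTES   256   /* one compressed frame, per the diagram */
#define FRAME_OUT_BYTES  300   /* decoded output for that frame */

#define DEC_OK            0
#define DEC_ERR_INPUT    -1
#define DEC_ERR_OUTPUT   -2

/* Vulnerable shape: trusts the frame sizes and never reads alloc_len. With an
 * 8-byte output buffer shared with the app this writes 292 bytes past the end.
 * It is only ever reached here after the checks below have passed. */
static int decode_frame_unchecked(const struct omx_buf_hdr *in, struct omx_buf_hdr *out) {
    const uint8_t *src = in->data + in->offset;
    uint8_t *dst = out->data + out->offset;
    for (size_t i = 0; i < FRAME_OUT_BYTES; i++)       /* toy "decode": byte expansion */
        dst[i] = src[i % FRAME_IN_BYTES] ^ 0x5a;
    out->filled_len = FRAME_OUT_BYTES;
    return DEC_OK;
}

/* Hardened: validate both directions before touching either buffer.
 *  - input: offset and filled_len must lie inside alloc_len, and the payload
 *    must hold at least one frame;
 *  - output: the space after offset must hold a full decoded frame.
 * Subtraction-based comparisons avoid offset + len overflowing. */
static int decode_frame(const struct omx_buf_hdr *in, struct omx_buf_hdr *out) {
    if (in->data == NULL || in->offset > in->alloc_len ||
        in->filled_len > in->alloc_len - in->offset ||
        in->filled_len < FRAME_IN_BYTES)
        return DEC_ERR_INPUT;
    if (out->data == NULL || out->offset > out->alloc_len ||
        out->alloc_len - out->offset < FRAME_OUT_BYTES)
        return DEC_ERR_OUTPUT;
    return decode_frame_unchecked(in, out);     /* bounds now established */
}

/* Drives the diagram's scenario: a 256-byte input frame and an output buffer
 * the client claims is out_size bytes (clamped to the constructed backing). */
static int run_scenario(size_t out_size) {
    static uint8_t in_mem[256], out_mem[512];
    if (out_size > sizeof out_mem) out_size = sizeof out_mem;
    memset(in_mem, 0x11, sizeof in_mem);                  /* constructed payload */
    struct omx_buf_hdr in  = { in_mem, sizeof in_mem, 0, FRAME_IN_BYTES };
    struct omx_buf_hdr out = { out_mem, out_size, 0, 0 };
    return decode_frame(&in, &out);
}

int main(void) {
    printf("output buffer of 8 bytes:   %d (DEC_ERR_OUTPUT is %d)\n", run_scenario(8), DEC_ERR_OUTPUT);
    printf("output buffer of 300 bytes: %d (DEC_OK is %d)\n", run_scenario(300), DEC_OK);
    return 0;
}
```

The check belongs in the codec because the sizes arrive from the app via USE_BUFFER and nothing between Binder and the decode loop knows how many bytes one frame will produce; a fuzzer that mutates only the two buffer sizes in the diagram exercises exactly this path.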

Conclusion

• Android OMX is vulnerable
  – OMX interfaces and OMX codecs are implemented by Google and vendors separately.
  – Media processing is complex.

• Fuzzing combined with code auditing is helpful for such modules.
  – Many codecs & parameters

Any Questions?

• If you prefer to ask offline, contact us:
  – Mingjian Zhou
    • Twitter/Weibo: @Mingjian_Zhou
    • Mail: [email protected]
  – Chiachih Wu
    • Twitter: @chiachih_wu

APPENDIX

References

• Android
  – https://source.android.com/devices/media/
  – https://developer.android.com/reference/android/media/MediaCodec.html

• OMX
  – https://www.khronos.org/openmax/