
Critical bug in ALAC decoding software in Android

"The vulnerability resided in ALAC—short for Apple Lossless Audio Codec and also known as Apple Lossless—which is an audio format introduced by Apple in 2004 to deliver lossless audio over the Internet. While Apple has updated its proprietary version of the decoder to fix security vulnerabilities over the years, an open-source version used by Qualcomm and MediaTek had not been updated since 2011."

- The buggy ALAC code contained an out-of-bounds vulnerability
- For now, Qualcomm and MediaTek chipsets are affected
- Patch level of December 2021 or later is safe, but there are devices which are no longer patched

Source: https://arstechnica.com/information-technology/2022/04/critical-bug-could-have-let-hackers-commandeer-millions-of-android-devices/
Error 404; signature server not available.

 

Re: Critical bug in ALAC decoding software in Android

Reply #1
How does one actually exploit this? I tried putting malformed ALAC files that crash the original ALAC library on an unpatched Android phone, did not observe any interesting effects, not even setting one as a ringtone causes apparent bad behaviors.

Sounds like a malicious application would have to specifically send offending payload to a Qualcomm/MediaTek DSP running bad code?
We are the bork. Your software bugs will be added to our own. Resistance is futile.

Re: Critical bug in ALAC decoding software in Android

Reply #2
How does one actually exploit this?

"Check Point said that it will provide technical details of the vulnerability next month at the CanSecWest conference in Vancouver."
Well, we will have to wait. I really never heard of using audio files to deliver payload.
Error 404; signature server not available.

Re: Critical bug in ALAC decoding software in Android

Reply #3
I really never heard of using audio files to deliver payload.

I think there have been a few in the past. https://securityintelligence.com/killer-music-hackers-exploit-media-player-vulnerabilities/
More of an issue when "everyone" used Windows Media Player. Microsoft labeled this one as "critical".

But, like: Did we ever see actual attempts at exploiting the FLAC 1.3.0 vulnerability?
Last two months' worth of foobar2000.org ad revenue has been donated to support war refugees from Ukraine: https://www.foobar2000.org/

Re: Critical bug in ALAC decoding software in Android

Reply #4
How does one actually exploit this? I tried putting malformed ALAC files that crash original ALAC library on an unpatched Android phone, did not observe any interesting effects, not even setting one as a ringtone causes apparent bad behaviors.

They've done basic fuzzing on the decoders by passing in collections of files and looking for crashes then patching those.  Google has infinite example files from youtube uploads, and can test against essentially the entire corpus of in the wild audio files. 

This is likely something more subtle where you can trick the decoder into writing out of bounds through some uncommon edge case that would never happen in a real audio file.  If you carefully craft that out of bounds write such that you can overwrite part of the executing code, you can get something to run your payload.  Since it mentions being able to take over the media server permissions (but nothing more), it probably targets one of the CPU threads with the overwrite.

That is just my speculation.  I guess we'll see in a few weeks how it really works.  


Re: Critical bug in ALAC decoding software in Android

Reply #5
Apparently the details are out-
https://research.checkpoint.com/2022/bad-alac-one-codec-to-hack-the-whole-world/

Bug #1:
Unchecked allocation of samples*4 - original code misused calloc() for this, which was precisely meant to mitigate such, only they didn't let calloc() do the math and fail.
Unfortunately foobar2000 versions prior to latest are vulnerable.

Bug #2:
Unchecked "partial" frame larger than nominal frame - old, I found and fixed this years ago.

There is a third bug in Apple code, found by me after reading the initial article:
Decoding of Single Channel Elements is not range checked against the number of expected channels in the stream, effectively also allowing out of bounds write to output buffer, just like unchecked partial frame did.
I expect Qualcomm using Apple library to have this also. Shairport code supposedly used by MediaTek appears to be completely missing relevant features and just fails to decode anything that's not plain mono or plain stereo so they're safe.
I have done some quick tests and could not confirm bad behavior of Android/Qualcomm phone playing an offending sample. I do not have the resources to thoroughly verify if/what other software/hardware is also vulnerable to this (old foobar2000 was, now fixed).

I just updated my fork of the Apple library with latest fixes-
https://perkele.cc/software/ALAC
It's a drop-in replacement for the original code, everyone is welcome to use it or merge fixes over.
We are the bork. Your software bugs will be added to our own. Resistance is futile.
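The three bounds problems described in this post, written out in C as an added illustration that is not Apple's, foobar2000's or the linked fork's code: the `alac_cfg` struct, the function names and the sample values are assumptions, and the checks show the shape of the fix (overflow-safe byte count, partial frame capped at the nominal frame length, channel element confined to the declared channel count), not the real decoder's control flow.

```c
#include <stdint.h>
#include <stdlib.h>

/* Illustrative ALAC-like stream configuration; field names are assumptions,
   not Apple's, foobar2000's or Qualcomm's identifiers. */
typedef struct {
    uint32_t frame_length; /* nominal samples per frame from the stream header */
    uint32_t num_channels; /* channels declared in the stream header */
} alac_cfg;

/* Bug #1 as described in the thread: the byte count samples*4 is computed in
   32-bit arithmetic and wraps, so the allocator hands back a tiny buffer. */
uint32_t buggy_sample_bytes(uint32_t samples) {
    return samples * 4; /* 0x40000001 * 4 wraps to 4 */
}

/* Fixed: compute in size_t and refuse the request on overflow instead of
   wrapping. calloc(samples, 4) performs the same multiply-and-fail itself. */
int checked_sample_bytes(size_t samples, size_t bytes_per_sample, size_t *out) {
    if (bytes_per_sample == 0 || samples > SIZE_MAX / bytes_per_sample) return 0;
    *out = samples * bytes_per_sample;
    return 1;
}

void *alloc_samples(size_t samples, size_t bytes_per_sample) {
    size_t n;
    if (!checked_sample_bytes(samples, bytes_per_sample, &n)) return NULL;
    return calloc(samples, bytes_per_sample); /* library does the multiply and fails on overflow */
}

/* Bug #2: a "partial" frame must not carry more samples than the nominal
   frame_length the output buffer was sized for. */
int partial_frame_ok(const alac_cfg *cfg, uint32_t partial_samples) {
    return partial_samples <= cfg->frame_length;
}

/* Third bug: the channels a channel element writes to must lie inside the
   declared channel count, otherwise decoding writes past the output buffer. */
int channel_element_ok(const alac_cfg *cfg, uint32_t first_channel, uint32_t element_channels) {
    if (element_channels == 0 || element_channels > cfg->num_channels) return 0;
    return first_channel <= cfg->num_channels - element_channels;
}
```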

Re: Critical bug in ALAC decoding software in Android

Reply #6
PS.

Obviously FFmpeg decoder was written from scratch by a competent person and doesn't suffer from any of these issues.
We are the bork. Your software bugs will be added to our own. Resistance is futile.

Re: Critical bug in ALAC decoding software in Android

Reply #7
Obviously FFmpeg decoder was written from scratch by a competent person and doesn't suffer from any of these issues.
Also, the bugs mentioned in the article can be found by proper fuzz testing. ffmpeg is being continuously fuzz-tested for issues such as these.

Edit: See for example this list of fixed bugs found by oss-fuzz in ffmpeg's WavPack decoder, of which 3 are security related. This is just one of the many decoders in ffmpeg.
Music: sounds arranged such that they construct feelings.