Topic: Critical bug in ALAC decoding software in Android (Read 827 times)

Critical bug in ALAC decoding software in Android

"The vulnerability resided in ALAC—short for Apple Lossless Audio Codec and also known as Apple Lossless—which is an audio format introduced by Apple in 2004 to deliver lossless audio over the Internet. While Apple has updated its proprietary version of the decoder to fix security vulnerabilities over the years, an open-source version used by Qualcomm and MediaTek had not been updated since 2011."

- The buggy ALAC code contained an out-of-bounds vulnerability
- For now, Qualcomm and MediaTek chipsets are affected
- Patch level of December 2021 or later is safe, but there are devices which are no longer patched

Source: https://arstechnica.com/information-technology/2022/04/critical-bug-could-have-let-hackers-commandeer-millions-of-android-devices/
Error 404; signature server not available.
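A defender-side triage of the two facts in the summary above, added here as an example and not taken from the thread, from Check Point or from either chipset vendor: it reads the device's security patch level and SoC identifiers over adb (real Android property names) and reports whether the device falls inside the affected window. The mapping of `ro.board.platform`/`ro.soc.manufacturer` values to a vendor is a rough heuristic assumed by this example, not an authoritative list.

```shell
#!/bin/sh
# Added example, not from the thread: triage an Android device against the two
# facts above (Qualcomm/MediaTek SoCs affected; security patch level 2021-12 or
# later is safe). Property names are real; the SoC-vendor match is an assumption.
THRESHOLD=20211201   # 2021-12-01 as YYYYMMDD for numeric comparison

# patch_level_ok LEVEL  (LEVEL = ro.build.version.security_patch, YYYY-MM-DD)
# returns 0 = at/after threshold, 1 = before it, 2 = unparseable
patch_level_ok() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    [ "$(printf '%s' "$1" | tr -d '-')" -ge "$THRESHOLD" ]
}

# soc_vendor PLATFORM MANUFACTURER  prints qualcomm|mediatek|other
# Heuristic (assumption): ro.soc.manufacturer (Android 12+) or a few well-known
# ro.board.platform prefixes; the manufacturer string is checked first.
soc_vendor() {
    s=$(printf '%s %s' "$2" "$1" | tr 'A-Z' 'a-z')
    case "$s" in
        *qualcomm*|*qti*|*msm*|*sdm*|*" sm"[0-9]*|*kona*|*lahaina*|*taro*) echo qualcomm ;;
        *mediatek*|*" mt"[0-9]*) echo mediatek ;;
        *) echo other ;;
    esac
}

# assess LEVEL PLATFORM MANUFACTURER  prints a verdict line;
# returns 0 = patched, 1 = exposed, 2 = cannot decide from these properties
assess() {
    vendor=$(soc_vendor "$2" "$3")
    patch_level_ok "$1" && rc=0 || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "unknown: cannot parse security patch level '$1'"; return 2
    elif [ "$rc" -eq 0 ]; then
        echo "patched: level $1 is at or after 2021-12-01 ($vendor SoC)"; return 0
    elif [ "$vendor" = other ]; then
        echo "out of scope: level $1 is old, but SoC is not Qualcomm/MediaTek"; return 2
    fi
    echo "exposed: $vendor SoC still at patch level $1 (before 2021-12-01)"; return 1
}

# check_device  reads the three properties from the attached device via adb
check_device() {
    assess "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')" \
           "$(adb shell getprop ro.board.platform | tr -d '\r')" \
           "$(adb shell getprop ro.soc.manufacturer | tr -d '\r')"
}

[ "${1:-}" = "--device" ] && check_device
```

Run it as `sh alac_check.sh --device` with a device attached; the exit status (0 patched, 1 exposed, 2 undecidable) makes it usable from a fleet inventory script.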

Re: Critical bug in ALAC decoding software in Android

Reply #1
How does one actually exploit this? I tried putting malformed ALAC files that crash the original ALAC library on an unpatched Android phone, and did not observe any interesting effects; not even setting one as a ringtone causes any apparent bad behavior.

Sounds like a malicious application would have to specifically send an offending payload to a Qualcomm/MediaTek DSP running the bad code?
We are the bork. Your software bugs will be added to our own. Resistance is futile.

Re: Critical bug in ALAC decoding software in Android

Reply #2
How does one actually exploit this?

"Check Point said that it will provide technical details of the vulnerability next month at the CanSecWest conference in Vancouver."
Well, we will have to wait. I have really never heard of using audio files to deliver a payload.
Error 404; signature server not available.

Re: Critical bug in ALAC decoding software in Android

Reply #3
I really never heard of using audio files to deliver payload.

I think there have been a few in the past. https://securityintelligence.com/killer-music-hackers-exploit-media-player-vulnerabilities/
More of an issue when "everyone" used Windows Media Player. Microsoft labeled this one as "critical".

But, like: Did we ever see actual attempts at exploiting the FLAC 1.3.0 vulnerability?
Last two months' worth of foobar2000.org ad revenue has been donated to support war refugees from Ukraine: https://www.foobar2000.org/

Re: Critical bug in ALAC decoding software in Android

Reply #4
How does one actually exploit this? I tried putting malformed ALAC files that crash original ALAC library on an unpatched Android phone, did not observe any interesting effects, not even setting one as a ringtone causes apparent bad behaviors.

They've done basic fuzzing on the decoders by passing in collections of files and looking for crashes, then patching those. Google has infinite example files from YouTube uploads, and can test against essentially the entire corpus of in-the-wild audio files.

This is likely something more subtle where you can trick the decoder into writing out of bounds through some uncommon edge case that would never happen in a real audio file. If you carefully craft that out-of-bounds write such that you can overwrite part of the executing code, you can get something to run your payload. Since it mentions being able to take over the media server permissions (but nothing more), it probably targets one of the CPU threads with the overwrite.

That is just my speculation. I guess we'll see in a few weeks how it really works.