Check Point recently announced in a blog post that it has identified vulnerabilities in the MediaTek (CVE-2021-0674, CVE-2021-0675) and Qualcomm (CVE-2021-30351) decoders for the Apple Lossless Audio Codec (ALAC) audio compression format.
The problem allows an attacker's code to execute while a specially crafted file in the ALAC format is being processed. The danger of the vulnerability is compounded by the fact that it affects devices running the Android platform that are equipped with MediaTek and Qualcomm chips.
As a result of the attack, an attacker can run malware on the device and gain access to the user's media and communication data, including camera data.
According to a rough estimate, two thirds of all Android smartphone users are affected by the problem. For example, in the US, the share of all Android smartphones sold in Q4 2021 that shipped with MediaTek and Qualcomm chips was 95.1% (48.1% MediaTek, 47% Qualcomm).
The ALAC issues Check Point's researchers found could be used by an attacker for a remote code execution (RCE) attack on a mobile device via a malformed audio file. RCE attacks allow an attacker to remotely execute malicious code on a machine. The impact of an RCE vulnerability can range from executing malware to an attacker gaining control of a user's media data, including streaming from a compromised device's camera.
Additionally, an unprivileged Android application could use these vulnerabilities to escalate its privileges and gain access to user conversations and media data.
RCE vulnerabilities allow an attacker to execute arbitrary code on a remote device. An attacker can achieve RCE in a number of different ways, including:
- Injection attacks: many applications, for example when building SQL queries, use user-supplied data as input to a command. In an injection attack, the attacker deliberately provides malformed input so that part of it is interpreted as part of the command. This lets the attacker shape the commands executed on the vulnerable system or execute arbitrary code on it.
- Deserialization attacks: applications often use serialization to combine multiple pieces of data into a single string that is easier to transmit or store. Specially formatted user input inside the serialized data can be interpreted by the deserializing program as executable code.
- Out-of-bounds writes: applications regularly allocate fixed-size chunks of memory to store data, including user-supplied data. If the size of that data is not checked against the allocation, an attacker can craft input that writes outside the allocated buffer.
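To show what the out-of-bounds write class above looks like in a decoder fed a malformed audio file, here is an added example in C; it is not code from Check Point, Apple, MediaTek or Qualcomm, and it is not the actual ALAC bug, whose details have not been disclosed. It uses a hypothetical, much simplified frame layout (a big-endian sample count followed by 16-bit samples) and contrasts a decoder that trusts the count from the file with one that validates it against the fixed-size output buffer and the bytes actually present.

```c
#include <stdint.h>
#include <stddef.h>
/* Constructed frame layout for illustration only (not the real ALAC bitstream):
 * a 4-byte big-endian sample count, then that many 16-bit little-endian PCM
 * samples, decoded into a fixed-size output buffer. */
#define MAX_FRAME_SAMPLES 4096

uint32_t read_be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Vulnerable pattern: the sample count is taken from the file and used as the
 * loop bound, so a count above MAX_FRAME_SAMPLES writes past the end of out[]
 * (and reads past the end of in). Shown for contrast only; never called. */
size_t decode_frame_unsafe(const uint8_t *in, size_t in_len,
                           int16_t out[MAX_FRAME_SAMPLES]) {
    if (in_len < 4) return 0;
    uint32_t n = read_be32(in);
    for (uint32_t i = 0; i < n; i++)
        out[i] = (int16_t)(in[4 + 2 * i] | (in[5 + 2 * i] << 8));
    return n;
}

/* Hardened: validate the count against the output capacity and against the
 * bytes actually present before a single sample is written. */
int decode_frame_safe(const uint8_t *in, size_t in_len,
                      int16_t out[MAX_FRAME_SAMPLES], size_t *n_out) {
    if (in_len < 4) return -1;                  /* header missing */
    uint32_t n = read_be32(in);
    if (n > MAX_FRAME_SAMPLES) return -1;       /* would overflow out[] */
    if ((in_len - 4) / 2 < n) return -1;        /* frame truncated */
    for (uint32_t i = 0; i < n; i++)
        out[i] = (int16_t)(in[4 + 2 * i] | (in[5 + 2 * i] << 8));
    *n_out = n;
    return 0;
}

/* Constructed well-formed frame with 3 samples; returns the decoded count. */
int demo_valid(void) {
    const uint8_t f[] = {0, 0, 0, 3, 0x34, 0x12, 0xFF, 0xFF, 0x00, 0x80};
    int16_t out[MAX_FRAME_SAMPLES]; size_t n = 0;
    if (decode_frame_safe(f, sizeof f, out, &n) != 0) return -1;
    return (out[0] == 0x1234 && out[1] == -1) ? (int)n : -2;
}
/* Constructed frame whose header claims `claimed` samples but carries only
 * two; returns the hardened decoder's verdict (0 = decoded, -1 = rejected). */
int demo_claimed(uint32_t claimed) {
    const uint8_t f[] = {(uint8_t)(claimed >> 24), (uint8_t)(claimed >> 16),
                         (uint8_t)(claimed >> 8), (uint8_t)claimed, 1, 0, 2, 0};
    int16_t out[MAX_FRAME_SAMPLES]; size_t n = 0;
    return decode_frame_safe(f, sizeof f, out, &n);
}
```

The unsafe variant is the one that a fuzzer or a crafted file would crash; the safe variant rejects both an absurd count and a count larger than the data actually present.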
The details of the vulnerability exploitation have not yet been disclosed, but it is reported that fixes were made to MediaTek and Qualcomm components for the Android platform in December 2021. In the December report on vulnerabilities in the Android platform, the issues are marked as critical vulnerabilities in closed components for Qualcomm chips. The vulnerability in MediaTek components is not mentioned in the reports.
Check Point Research responsibly disclosed the information to MediaTek and Qualcomm and worked closely with both vendors to ensure these vulnerabilities were fixed.
The vulnerability is interesting because of its origins. In 2011, Apple released the source code of the ALAC codec, which compresses audio data without loss of quality, under the Apache 2.0 license and granted the right to use all patents related to the codec. The code was published, but it was not maintained and has not changed in the last 11 years.
At the same time, Apple continued to separately maintain the implementation used on its own platforms, including fixing bugs and vulnerabilities in it. MediaTek and Qualcomm based their ALAC codec implementations on Apple's original open source code, but did not port the fixes that Apple had made to its own implementation.
There is no information yet on whether the vulnerability also shows up in other products that use the outdated ALAC code. For example, the ALAC format has been supported since FFmpeg 1.1, but that decoder's code is actively maintained.
Finally, if you are interested in knowing more about it, you can check the details at the following link.