Bypassing the Maginot Line: Remotely Exploit the Hardware Decoder on Smartphone · Xiling Gong · Tencent Blade Team
About Me Xiling Gong (@GXiling) Senior security researcher at Tencent Blade Team. Vulnerability Hunter. Focus on Android Security, Qualcomm Firmware Security. Speaker of BlackHat, CanSecWest.
About Tencent Blade Team · Founded by Tencent Security Platform Department in 2017 · Focus on security research in the areas of AIoT, Mobile devices, Cloud virtualization, Blockchain, etc · Report 200+ vulnerabilities to vendors such as Google, Apple, Microsoft, Amazon · We talked about how to break Amazon Echo at DEFCON26 · Blog: https://blade.tencent.com
Agenda · Background · Motivation · Stagefright Vulnerabilities · Hardware Decode · Attack Vector · Roadmap for Attack · Debug Venus · Reverse Engineering · Vulnerability and Exploitation
Motivations To improve the overall state of mobile security · From attacker's view · Discover new critical (remote) attack surface · Discover weakness of mitigations
Android Media Architecture https://source.android.com/devices/media/
Stagefright Summary
Source
Extractor
Demuxer
Fetch Data
Parse File
Demux
sample.mp4 https://sample.url
Mpeg4Extractor
Decoder
Decode Audio Decode Video
AAC Decoder OMX.google.h264.encoder Software Decoder video/avc Hardware Decoder OMX.qcom.video.decoder.avc
Stagefright Vulnerabilities Decode Audio
Fetch Data
Parse File
Demux
Decode Video
AAC Decoder OMX.google.h264.encoder Software Decoder (200+) video/avc Hardware Decoder
Hardening Media-Stack Bomb Clearance
Android Media Hardware Codec
Decoder - Software vs Hardware
cat /vendor/etc/media_codec.xml Software Decoder
Hardware Decoder
platform/frameworks/av/media/stagefright
Hardware Decoder - High Priority
Hardware Decoder Overview Android/Linux Stagefright OMX Hardware Decoder Components
Venus
Hardware Decoder
Overall Roadmap - RCE in Venus
Venus
Linux Kernel
Remote Attack Vector
Browser
MMS
Instant Message App
Agenda · Background · Debug Venus · Reverse Engineering · Vulnerability and Exploitation
Debug Venus · A Secure Boot Vulnerability · B Local Venus Vulnerability · C Development Board · D Buy a phone with Secure Boot disabled...
Venus Debugger
Agenda · Background · Debug Venus · Venus Reverse Engineering · OMX Component and Driver (Linux Side) · OMX Architecture · OMX Qualcomm Video · Venus · Memory Layout · Registers · Modules · Attack Surfaces · Vulnerability and Exploitation
Venus Overview
Stagefright OMX Hardware Decoder Components
ARM
Decoded Video Compressed Raw Data
Venus Kernel Driver
Venus
Venus Firmware Venus Hardware
/dev/video? Venus HFI (Host Firmware Interface)
OMX - Arch. https://www.khronos.org/openmax/
MediaPlayer MediaCodec ... OMX.h libqomx_core.so libOmxVdec.so
OMX Qualcomm Video
MediaCodec
OMX IL
OmxVdec
Command Q
Linux
Venus
create_instance alloc_input_buffer alloc_output_buffer
/dev/video32 V4L2
/dev/ion
ION
iova
Bitstream empty_this_buffer
empty_buffer_done HFI fill_this_buffer
YUV
fill_buffer_done
Qualcomm Venus
ARM
HFI
Shared Memory
Control Registers ARM 32Bit Venus Firmware
Venus Internal Registers Venus Hardware
GetBits Engine
FPGA?
Compressed Data Pre-Processing Hardware Decode
Firmware & Memory Layout (diagram): regions Code, Heap, Stack, Global Data, Register Area, Shared Memory (Message Queue), Shared Memory (Input Buffers), Shared Memory (Output Buffers); regions marked Static / Dynamic; addresses shown: E0000000, E00FF000, 70800000, 708F0000, 70A00000 ...
Registers · Control Registers · vidc_hfi_io.h · GetBits Register · Hardware Decoder Registers
Firmware Module
Linux
Command Q
Venus Main Thread CreateDecoder
HandleSysCmd HandleSessionCmd
...
H264 Decoder Forward Task HwSDE Task Hw SP Task BackwardTask
HW CCE Decoder PostProc
Qualcomm Venus Attack Surface
ARM Compressed Data
Decoded Data
Venus
Firmware FPGA
Pre-Processing Head Parsing Buffer Management Hardware Decoding
Agenda · Background · Debug Venus · Reverse Engineering · Vulnerability and Exploitation
Mitigation Table
Mitigation               Status
Heap ASLR                N
Heap Cookie              N
Stack Cookie             Y
Code & Global Data ASLR  N
W^X                      Y
CFI                      N
The Vulnerability(CVE-2019-2256) Parsing H264 SPS Head
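The slide names H.264 SPS header parsing as the location of CVE-2019-2256 without showing the field involved. As an added example (not Venus firmware code or Qualcomm's parser), here is a bounds-checked reader for the leading SPS fields that rejects truncated input and out-of-range values before any of them is used to size a buffer; the sample SPS bytes are constructed, and MAX_DIM_MBS is an assumed policy bound.

```c
#include <stdint.h>
#include <stddef.h>
/* Minimal MSB-first bit reader; every read is bounds-checked against nbits. */
typedef struct { const uint8_t *p; size_t nbits, pos; } bitreader_t;
static int read_bit(bitreader_t *br) {
    if (br->pos >= br->nbits) return -1;                    /* never read past the buffer */
    int b = (br->p[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
    br->pos++;
    return b;
}
static int64_t read_bits(bitreader_t *br, int n) {
    int64_t v = 0;
    for (int i = 0; i < n; i++) { int b = read_bit(br); if (b < 0) return -1; v = (v << 1) | b; }
    return v;
}
/* ue(v) Exp-Golomb; the leading-zero count is capped so a crafted prefix cannot overflow. */
static int64_t read_ue(bitreader_t *br) {
    int zeros = 0, b;
    while ((b = read_bit(br)) == 0) if (++zeros > 31) return -1;
    if (b < 0) return -1;
    int64_t rest = read_bits(br, zeros);
    return rest < 0 ? -1 : ((int64_t)1 << zeros) - 1 + rest;
}
typedef struct {
    int profile_idc, level_idc, sps_id, log2_max_frame_num, poc_type, num_ref_frames;
    int width_mbs, height_map_units;          /* these later size the decoder's frame buffers */
} sps_t;
#define MAX_DIM_MBS 1024   /* assumed decoder policy bound, not a value from the talk */
/* 0 = ok, -1 = truncated input, -2 = field outside its H.264 7.4.2.1.1 range,
 * -3 = profile / POC type this example rejects rather than parses. */
int parse_sps(const uint8_t *buf, size_t len, sps_t *o) {
    bitreader_t br = { buf, len * 8, 0 };
    int64_t v;
    if ((v = read_bits(&br, 8)) < 0) return -1; o->profile_idc = (int)v;
    if (read_bits(&br, 8) < 0) return -1;                    /* constraint_set flags */
    if ((v = read_bits(&br, 8)) < 0) return -1; o->level_idc = (int)v;
    if ((v = read_ue(&br)) < 0 || v > 31) return -2; o->sps_id = (int)v;
    if (o->profile_idc == 100 || o->profile_idc == 110 || o->profile_idc == 122 ||
        o->profile_idc == 44 || o->profile_idc >= 83) return -3;  /* extra chroma fields */
    if ((v = read_ue(&br)) < 0 || v > 12) return -2; o->log2_max_frame_num = (int)v + 4;
    if ((v = read_ue(&br)) < 0 || v > 2) return -2; o->poc_type = (int)v;
    if (o->poc_type == 0) { if ((v = read_ue(&br)) < 0 || v > 12) return -2; }
    else if (o->poc_type == 1) return -3;                    /* carries a variable-length table */
    if ((v = read_ue(&br)) < 0 || v > 16) return -2; o->num_ref_frames = (int)v;
    if (read_bit(&br) < 0) return -1;                        /* gaps_in_frame_num_value_allowed */
    if ((v = read_ue(&br)) < 0 || v >= MAX_DIM_MBS) return -2; o->width_mbs = (int)v + 1;
    if ((v = read_ue(&br)) < 0 || v >= MAX_DIM_MBS) return -2; o->height_map_units = (int)v + 1;
    return 0;
}
/* Constructed 320x240 Baseline-profile SPS payload (not captured from a device). */
const uint8_t SAMPLE_SPS[] = { 0x42, 0xC0, 0x1E, 0xF4, 0x0A, 0x0F, 0x88 };
```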
The Exploitation Overwrite the decoderInstance on the heap
Control the PC and R0
Control the PC and R0 (Heap Spray)
Linear Heap with First-Fit Algorithm (diagram): decoder1 ... decoder15 allocated in sequence (layout known); then decoder15 | SPS Buffer15 | decoder16, with the overflow from SPS Buffer15 reaching decoder16.
ROP Chain (Key ROP Gadget) · Setup LR to 0x40854 · Load R0, Next Gadget and Call · Do job and jump back to 0x40854 · ... · The final Gadget. Perfect, Setup all!
Demo
Conclusions and Future Works H264 H265 VPX VC1 Mpeg2
We are here!
Venus
Linux Kernel
Future Works · 1. Escaping into Linux? · 2. Other File Formats · H265, VPx, VC1, Mpeg2... · 3. Other Vendors · 4. How to improve the security status? · NON-Open Source components · Fuzzing Venus?
3-Takeaways · The new remote attack surface · Hardware Decoder · Bypassing the protections · Deep into the heart! · How Qualcomm Hardware Decoder works · Qualcomm Venus · The vulnerability and exploitation of Venus
THANK YOU https://blade.tencent.com