AttackerKB AKB:EB6DB072-461B-4082-BD38-D5C876057E93
History: May 06, 2020 - 12:00 a.m.

CVE-2020-8899 Samsung Quram RCE via MMS

2020-05-06 00:00:00
attackerkb.com

EPSS: 0.034 (Low), Percentile: 91.5%

There is a buffer overwrite vulnerability in the Quram qmg library of Samsung’s Android OS versions O(8.x), P(9.0) and Q(10.0). An unauthenticated, unauthorized attacker sending a specially crafted MMS to a vulnerable phone can trigger a heap-based buffer overflow in the Quram image codec leading to an arbitrary remote code execution (RCE) without any user interaction. The Samsung ID is SVE-2020-16747.

Recent assessments:

zeroSteiner at May 07, 2020 8:14pm UTC reported:

This CVE collectively describes 5218 unique crashes that were reported to Samsung by a Google Project Zero researcher. The crashes occur within the Skia library and are related to the processing of Qmage images. The Qmage image format was developed by a third-party company but was added to the Skia Android library on Samsung phones. These bugs can be triggered remotely and without interaction by sending MMS messages to the target device.

The vulnerability does not affect all Android devices, only those with the modified Skia library distributed by Samsung on their phones. It’s likely that other exploit delivery scenarios are viable but may require user interaction to trigger rendering the image.

Successful exploitation requires bypassing ASLR, which reportedly can be achieved remotely by sending multiple messages to the target. Further details on this aspect of the exploit are not currently public and contribute to the complexity of weaponizing a PoC for this vulnerability. Successfully exploiting the vulnerability yields code execution within the context of the exploited process. In the case of the messenger application, this could be used to leak text messages.

todb-r7 at May 06, 2020 8:42pm UTC reported:

This CVE collectively describes 5218 unique crashes that were reported to Samsung by a Google Project Zero researcher. The crashes occur within the Skia library and are related to the processing of Qmage images. The Qmage image format was developed by a third-party company but was added to the Skia Android library on Samsung phones. These bugs can be triggered remotely and without interaction by sending MMS messages to the target device.

The vulnerability does not affect all Android devices, only those with the modified Skia library distributed by Samsung on their phones. It’s likely that other exploit delivery scenarios are viable but may require user interaction to trigger rendering the image.

Successful exploitation requires bypassing ASLR, which reportedly can be achieved remotely by sending multiple messages to the target. Further details on this aspect of the exploit are not currently public and contribute to the complexity of weaponizing a PoC for this vulnerability. Successfully exploiting the vulnerability yields code execution within the context of the exploited process. In the case of the messenger application, this could be used to leak text messages.

Assessed Attacker Value: 5
Assessed Attacker Value: 5
Assessed Attacker Value: 4
