CVE-2024-0018 - Heap Buffer Overflow in ColorConverter.cpp Lets Attackers Escalate Privileges Locally

---

What Is CVE-2024-0018?

CVE-2024-0018 is a critical security vulnerability discovered in the convertYUV420Planar16ToY410 function in ColorConverter.cpp, which is part of the Android Open Source Project's media framework. This bug allows a heap buffer overflow—meaning the code writes data outside of the memory allocated for its buffer, corrupting nearby memory.

No user action is needed to trigger the issue. An attacker can use a malicious app to exploit this flaw and escalate their privileges on the device, even though they don’t need any extra permissions.

Technical Breakdown

The problematic function, convertYUV420Planar16ToY410, is used for converting video formats. If the function receives specially crafted input, it might write past the end of a heap-allocated buffer.

Here is a simplified version of the vulnerable code, inspired by how these converters tend to work

void convertYUV420Planar16ToY410(
    const uint16_t *srcY, int strideY,
    const uint16_t *srcU, int strideU,
    const uint16_t *srcV, int strideV,
    uint32_t *dst, int width, int height)
{
    for (int y = ; y < height; ++y) {
        for (int x = ; x < width; ++x) {
            int Y = srcY[y * strideY + x];
            int U = srcU[(y / 2) * strideU + (x / 2)];
            int V = srcV[(y / 2) * strideV + (x / 2)];

            // Parse YUV and write to output buffer
            dst[y * width + x] = (Y << 20) | (U << 10) | V;
        }
    }
}

What's wrong here? If the width, height, or the stride values are manipulated (for instance, by a malicious input), they can point the function into writing past the allotted space for dst. In standard scenarios, input data is checked to avoid such issues. In this case, the checks are missing or insufficient.

Real-World Exploit Scenario

Let's imagine an attacker uploads a specially crafted video file, or sends a malicious payload through an unprotected app component. Because the vulnerable function doesn't validate buffer sizes, the attacker can:

Escalate local privileges, leading to further attacks like data theft or full device control.

The attacker does not need the victim to interact (no clicking, no accepting files, etc.).

Proof-of-Concept (PoC) Exploit

Here’s a skeleton in C++ to illustrate how exploitation might be performed, assuming you could control the source buffer sizes:

#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <iostream>

void vulnerable_convert(const uint16_t* y, const uint16_t* u, const uint16_t* v,
                        uint32_t* dst, int w, int h, int strideY, int strideU, int strideV) {
    for (int i = ; i < h; ++i)
        for (int j = ; j < w; ++j)
            // Potentially writes out of bounds if dst is too small!
            dst[i * w + j] = (y[i * strideY + j] << 20) | (u[(i/2)*strideU + (j/2)] << 10) | v[(i/2)*strideV + (j/2)];
}

int main() {
    int width = 100, height = 100;
    uint16_t* y = new uint16_t[width * height];
    uint16_t* u = new uint16_t[(width/2) * (height/2)];
    uint16_t* v = new uint16_t[(width/2) * (height/2)];

    // Maliciously under-allocate output buffer
    uint32_t* dst = new uint32_t[10];  // Much smaller than needed

    std::memset(y, , width * height * sizeof(uint16_t));
    std::memset(u, , (width/2) * (height/2) * sizeof(uint16_t));
    std::memset(v, , (width/2) * (height/2) * sizeof(uint16_t));

    // Triggers heap buffer overflow
    vulnerable_convert(y, u, v, dst, width, height, width, width/2, width/2);

    delete[] y;
    delete[] u;
    delete[] v;
    delete[] dst;
    return ;
}

If run on a real system with proper heap security bugs adjacent to dst, this could allow advanced memory corruption.

Escalation of privilege: Attacker's code can run with higher system permissions.

- No user interaction needed: The attack is automatic if the vulnerable function is called with attacker-controlled buffers.
- Potential for root access: Combined with other vulnerabilities, this could allow full device take-over.

Mitigation

- Upgrade your Android device: Ensure you are running the latest patch level; June 2024 Android Security Bulletin covers this flaw.

References

- Android Open Source Project - CVE-2024-0018
- Android Security Bulletin — June 2024
- NIST NVD – CVE-2024-0018 Page

Summary

CVE-2024-0018 is a dangerous Android bug that can let attackers gain higher access on your device just by triggering a flaw in how videos are processed. Update your devices, and if you're a dev, always check your buffer sizes—don't make it easy for attackers!

Timeline

Published on: 02/16/2024 20:15:47 UTC
Last modified on: 08/15/2024 18:35:05 UTC