Maliciously Crafted MKV Video Files Can Be Used To Crash Android Phones

itwbennett writes: Just days after publication of a flaw in Android's Stagefright, which could allow attackers to compromise devices with a simple MMS message, researchers have found another Android media processing flaw. The latest vulnerability is located in Android's mediaserver component, more specifically in how the service handles files that use the Matroska video container (MKV), Trend Micro researchers said. "When the process opens a malformed MKV file, the service may crash (and with it, the rest of the operating system). The vulnerability is caused by an integer overflow when the mediaserver service parses an MKV file. It reads memory out of buffer or writes data to NULL address when parsing audio data."

Attack vector?

Could this be used in a malicious way, other than annoying people by rebooting their phones?

Re:Attack vector?

[StikyPad]

Possibly. Any time you have a buffer overflow, there's a possibility that you can write to the stack and execute arbitrary code.

Re:Attack vector?

[KGIII]

The only logical thing to do with such power is use it to rape, murder, pillage, and burn... Anything else would be less civilized. Done in the wrong order, however, is not civilized at all.

Closed Ecosystem

[OverlordQ]

And those running custom mods will have this fix this week while those who are locked in to their carriers will be stuck vulnerable for who knows how long.

Re:Closed Ecosystem

[ArcadeMan]

Or you could use an iPhone, which doesn't even support MKV.

Re:Closed Ecosystem

[0123456]

Or you could use an iPhone, which doesn't even support MKV.

I'm going back to my old Samsung, which doesn't even play videos, and is barely capable of displaying image files.

Re:Closed Ecosystem

[ArhcAngel]

And those who use an MVNO and don't know how to set their APN are already safe!

Re:Closed Ecosystem

[JustAnotherOldGuy]

Same here...my old Nokia can't do all that new-fangled stuff, so I suppose I'm safe from these exciting new advances in technology. And by "technology", I mean "exploits".

Re:Closed Ecosystem

[TheGratefulNet]

I can update a proper linux system. apt-get update (etc etc) and I'm good. it could be a 5 yr old linux install, 10 yr even more. it will still get security and major bugfixes.

android? yeah, right. my nexus one (go ahead, laugh at the old guy with the ancient phone) has not had an update for over 3 years now; probably more than that. 2.x distro from cyan and even they stopped doing updates. I have no time in my schedule to learn android internals well enough to do this myself (I could do it for linux, but I have no desire to waste time on phone crap, too many other things to get done). and so, I am running quite old software on a mobile computer and unless I pay for new hardware (my old hw works fine, still) I can't get updates.

this is the main reason why I hate google so much. they totally messed up on the whole android build/deploy/update system. its not linux, its not separatable (gfx and kernel and ip stack all are comingled, like a college-hire might design, sigh) and you can't update just the parts you need. its a whole update or nothing at all. HOW UTTERLY STUPID.

I wish I could get to love apple gear. then again, they EOL their old products, too, and so I'd have to keep rebuying hardware just like android guys are forced to do.

I may just go back to dumb phones again. this is ridiculous. a mobile computer with wireless access, a lot of my personal info on it and yet no update mechanism at all. essentially its abandonware. hundreds of dollars and I have a device that won't ever get updated even though there's not a single good reason for that.

what I can't figure out is: was google stupid or smart when they planned this? I tend to think they were both; stupid due to having too many kids onboard who don't understand the longevity of embedded systems in the real world; and smart since they force people to keep re-re-rebuying things and that must make their hardware partners very happy. they also can ignore older hardware and save time on multiple forks and build trees. but it was all the wrong design for END USERS. we are the ones who get screwed by this.

I cannot ever forgive google. they could have kept linux clean on the phone and allowed users to update ip-stack, kernel, etc. but they put a lot of effort into NOT allowing this and we all pay for it with security problems; and ones that we won't ever be able to fix, either, unless we do the work ourselves (which is not acceptable for an embedded system).

Re:Closed Ecosystem

its a whole update or nothing at all.

Never attribute to stupidity that which is adequately explained by greed.

Re:Closed Ecosystem

[brunes69]

You need to head to xda-developers.com and learn how to installa ROM. It is not complicated. The process is as simple as copying a zip file to your phone, rebooting the phone, and picking the zip file. Done.

Re:Closed Ecosystem

[mlw4428]

If he's running Cyanogenmod (as he alludes to in his post), he knows how. The problem is that everyone stops supporting the old stuff after a while.

Re:Closed Ecosystem

[0123456]

I think Google were just rushing to get a competitor out before Apple took over the mobile market and they lost all their ad revenue there.

Now, they look set to lose the market to Windows--which is something I never thought I'd say--if they don't find a way to push security fixes to phones without having to go through the manufacturer and carrier.

Re:Closed Ecosystem

[c]

they totally messed up on the whole android build/deploy/update system.

From what I understand, a significant chunk of the problem with mobile device "longevity" is that closed source drivers for the SoC's used in phones are typically provided by chipset vendors, and if the driver model used by the O/S ever changes then the SoC vendor needs to provide a newer set of drivers. Which they aren't going to do when they are no longer selling the chipsets.

Re:Closed Ecosystem

[guises]

That 2.x distro was the last that Google did for the Nexus One, but I'm running 4.4.4 (Carbon rom) on mine just fine. And I installed that... a year ago? There's probably a more recent one now.

I too would like better standardization on the hardware, but it doesn't seem as though the device manufacturers are willing to go for that. Everyone wants their own non-standard custom sparkly feature, to make their junky phone stand out from everyone else's. I'm not sure Google deserves all or even the majority of the blame there.

Re:Closed Ecosystem

[tlhIngan]

Or you could use an iPhone, which doesn't even support MKV.

Out of the box, no. But there are plenty of apps to solve that problem.

Re:Closed Ecosystem

[viperidaenz]

The hardware in your phone is pretty slow compared to anything in the last few years.
The 1GHz single core Snapdragon CPU is slower per MHz than a standard Cortex A9
It's only got 512MB of RAM

It was a great phone 5 years ago, but seriously, it isn't powerful enough to run anything later than Android 2.3. I doubt anything with that CPU is. Even cyanogenmod support stopped at CM7

Re: Closed Ecosystem

[net28573]

Older devices have historically had more potential vulnerabilities to exploit than newer systems. I don't have this l the link on me right now but I believe that there was a court case about the legality of monitoring someone's phone based on the age of the device and its capabilities.

Re: Closed Ecosystem

[bryanp]

Not natively anyway. My preferred app for playing media on my iPad, including mkv files, is nplayer. Not free, but worth every penny. I'm assuming it works on an iPhone, my personal phone is an android and I'm not paying to put nplayer on the iPhone my employer makes me carry.

Re:Closed Ecosystem

[exomondo]

and so, I am running quite old software on a mobile computer and unless I pay for new hardware (my old hw works fine, still) I can't get updates.

The hardware may work fine but there is no appropriate software to run on it. So ultimately is your privacy worth a couple hundred dollars every year or so?

essentially its abandonware. hundreds of dollars and I have a device that won't ever get updated even though there's not a single good reason for that.

The code is all there, it's open source but nobody wants to maintain it and nobody wants to pay anybody to maintain it. What do you think is going to happen to it? It isn't going to maintain itself.

Re:Closed Ecosystem

[exomondo]

From what I understand, a significant chunk of the problem with mobile device "longevity" is that closed source drivers for the SoC's used in phones are typically provided by chipset vendors, and if the driver model used by the O/S ever changes then the SoC vendor needs to provide a newer set of drivers.

That's mostly it, the problem is that the Linux kernel binary interface is unstable so binary drivers that work in one version may not work in the next version and would often need to be modified and rebuilt against the newer kernel then distributed.

Re:Closed Ecosystem

[Eunuchswear]

"Install a rom"?

I used to do shit like that on 8 bit microcontrollers. If it's just one .so to change why the hell can't I just do, as the GP said, "apt-get update; apt-get dist-upgrade"?

Works on my N900, worked on my N9, works on my Jolla.

Android is primitive.

Re:Closed Ecosystem

[Eunuchswear]

But none of these recent problems need a kernel upgrade -- the userland/kernel interface is stable, there is nothing stopping Google & pals from just releasing a package with the new .so file.

Except that their package management is primitive to nonexistent.

Re:Closed Ecosystem

[IamTheRealMike]

No, the issue is that it's open source and carriers customise the components. Android had a working online update infrastructure since day one, actually since before Apple did. But that's no use when the first thing OEMs do is repoint those mechanisms at their own servers and make huge changes to the code.

The comparisons with Linux are especially strange. Guess what? Upstreams who develop software for Linux and see it get repackaged by distributors are in exactly the same boat as Google. They see their software get packaged up, distributed, bugs possibly introduced and then upgrades may or may not make it to users. Yeah yeah, Debian say they backport security fixes. That's great when it's a popular package and a one liner. When the security fix in question is a major architectural upgrade, like adding a sandbox to an app, then users just get left behind on old versions without the upgrades because that's the "stable" version.

And of course many users are on Linux distros that stop being supported pretty quick. Then you're in the same boat as Android: old versions don't get updates.

Re:Closed Ecosystem

[brunes69]

You're not listening to me. This has nothing to do with Android. It has to do with the ROM on your phone that came from the phone maker. You need to swap out your ROM for one that is more open, and that allows root access so that you can do these kinds of updates. My Cyanogen ROM can pull updates on a nightly basis if I so choose.

Re:Closed Ecosystem

[Eunuchswear]

Ok, sorry, your answer was not clear to me. I thought you were saying the way to replace one package was to replace the whole rom, you meant to say that after replacing the whole rom you could do updates that just replace one package.

Re: Closed Ecosystem

[JustAnotherOldGuy]

It may be that my phone is vulnerable, but any hacker who could manage to exploit it would have my respect. In fact, I'd be proud to have my phone rooted or compromised by someone who could do it, considering the obscureness of my device.

PS: I just checked the stone tablets that the original Owner's Manual came on, and there's nothing mentioned about vulnerabilities there. ;)

Re:Closed Ecosystem

[exomondo]

We're talking about the problem with mobile device "longevity".

Honest question.

[fuzzyfuzzyfungus]

Can someone explain why the program handling interaction with assorted media files would be so closely linked to the rest of the system working? I understand that parsing the ghastly mess of different standard and pseudo-standard formats out there, as poorly or even maliciously interpreted by various 3rd parties, is a difficult and dangerous task; so I'm not surprised by the fact that there is a bug in the media component; but if it is known to do such a dangerous job why isn't it compartmentalized more aggressively? Why does losing the mediaserver process make a mess of the phone, rather than just causing it to mark the file that killed it as tainted, restart the process, and carry on?

Re:Honest question.

[Aighearach]

Taking your question at face value:

• Programming is hard
• It would add latency to do the full range of sanity checks
• The engineering assumption is that the device will be lagging already from ads and other "monetization."
• Robust software sells the same as buggy software, as long as the bug isn't routine.
• They try to get developers to use the media library in place of the filesystem. Why? So they can do backups easily that back up "everything" the users added to the applications, without having to try to sort the filesystem or deal with unknown files.

I'm sure they have even more reasons. I hate it more and more all the time, personally. And I use it less and less. I've already replaced about half the apps I use with my own versions, that do almost nothing. (the 1 thing I need each app for) I'm starting to wonder why I'm running an Android version instead of a regular embedded linux.

Re:Honest question.

[JustAnotherOldGuy]

Can someone explain why the program handling interaction with assorted media files would be so closely linked to the rest of the system working?

Because 1) programmers are lazy and 2) management doesn't want them to "waste time" programming all those pesky security checks.

Re:Honest question.

[jedidiah]

They need to be going out of their way to make this more of a problem than it should be. No modern OS should be crashing simply because one of it's apps ran amok. This isn't 1981.

Unix + media player should not be able to crash the OS unless they took extra special measures to make the OS vulnerable.

Re:Honest question.

[brunes69]

The reason is because when a core system process crashes on android, the system automatically restarts it.

This is normally a good thing - but if you have a scenario where you've done something that will cause a process to crash on start (which is what this thing is), the process restarts and restarts over and over indefinitely, essentially locking you out of the UI. Command line access via ADB is unaffected.

Anyone who has messed around with custom ROMs has likely seen this behaviour many times by flashing an invalid Google Services for the phone.

Re:Honest question.

[viperidaenz]

Unless you end up sending junk to the GPU and it locks up the entire SoC?
Just a guess, but who knows... or perhaps it sends junk data to a kernel module?

Re:Andorid is for

[Impy+the+Impiuos+Imp]

Stop posting all those Windows 10 OMG!!! threads.

What?

[HideyoshiJP]

I can't even get my Android phone to play .mkvs, much less crash it. :(

Re:Why?

[jedidiah]

I could see how something that hooks into a video device driver for hardware assisted decoding could bork the OS because at that point you've cross the user barrier. This just seems to be a problem of unraveling the wrapper format. Nothing about that should render the OS crash prone.

From the TFA

[Virtucon]

Trend Micro reported to flaw in May, it said, but Google assigned it a low priority.

So, publishing it will presumably make them move the priority up? AFAIK, if the attacker could register the properly crafted MKV to play on start, you'd be in a bricked phone situation, factory reset, fixed done.

Re:ADHD

[0123456]

This is what happens when you let an advertising agency write your software.

Re:Andorid is for

[invictusvoyd]

assholes p.s. mod me down -1

Thanks

Re:Yeah right

[viperidaenz]

Wasn't it vulnerable to brute force password attacks?

Tell me

[drolli]

how i can disable MMS. In the whole last 9 years when the phones i used supported MMS, i think i used the feature 3 times:
* one time for test
* two times to receive a train ticket (now they switched to internet+app)

I have no clue why i should use MMS. I use SMS a lot (since it works with all phones).

no need for this feature.