Attacker Value
Very High
2

CVE-2020-8899 Samsung Quarm RCE via MMS

Disclosure Date: May 06, 2020

Exploitability

(2 users assessed) High
Attack Vector
Network
Privileges Required
None
User Interaction
None

Description

There is a buffer overwrite vulnerability in the Quram qmg library of Samsung’s Android OS versions O(8.x), P(9.0) and Q(10.0). An unauthenticated, unauthorized attacker sending a specially crafted MMS to a vulnerable phone can trigger a heap-based buffer overflow in the Quram image codec leading to an arbitrary remote code execution (RCE) without any user interaction. The Samsung ID is SVE-2020-16747.

Add Assessment

2
Ratings
Technical Analysis

Here’s a few of links:

https://twitter.com/j00ru/status/1258066559765004295
https://bugs.chromium.org/p/project-zero/issues/detail?id=2002
https://security.samsungmobile.com/securityUpdate.smsb

Samsung devices are among the most popular Android platforms out there. They last a long, long time, and often quietly go EOL / end of support, and keep on trucking for years. So, for many millions of targets, this is effectively forever-day.

One downside for attackers is that it does seem to require a fair bit of time to exploit — the video demo shows exploitation taking about an hour and a half or so, and it leaves a few hundred unread MMS messages in the queue. This time cost and the attendant lack of stealth means that attacks need to happen specifically when the user isn’t active on the phone — kind of the opposite of “requires user interaction,” but close enough for the ding on scoring, above.

Maybe a middle-of-the-night attack, with a follow-up cleanup, would be enough to avoid detection, but you might need to chain another exploit for a privilege escalation to get you write/delete access to the message queue — the attacker assumes the privileges of Samsung Messages, which is pretty good, but it’s not root,

General Information

Additional Info

Technical Analysis