Android CVE-2020-0001

The first CVE of the year 2020


CVE-2020-0001 affects the following Android versions:

  • Android 8.0
  • Android 8.1
  • Android 9
  • Android 10

Google has published its Android Security Bulletin for January 2020,
covering the first CVE of the year together with the following
seven CVEs:
* CVE-2020-0002
* CVE-2020-0003
* CVE-2020-0004
* CVE-2020-0005
* CVE-2020-0006
* CVE-2020-0007
* CVE-2020-0008

Remote code execution CVE-2020-0002

A use-after-free can be triggered in the ih264d_init_decoder function
in the file "decoder/ih264d_api.c" of the libavc H.264 decoder.
The fix moves the reset of the decoded picture buffer (DPB) entries
out of the allocation path and into the decoder initialisation, right
after the dynamic buffers are freed: every entry's pu1_buf1 pointer
is cleared and its long-term frame index set to MAX_REF_BUFS + 1, so
a reinitialised decoder cannot keep using pointers into freed memory:

@@ -963,6 +963,30 @@
     /* Free any dynamic buffers that are allocated */
     ih264d_free_dynamic_bufs(ps_dec);
 
+    {
+        UWORD8 i;
+        struct pic_buffer_t *ps_init_dpb;
+        ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[0][0];
+        for(i = 0; i < 2 * MAX_REF_BUFS; i++)
+        {
+            ps_init_dpb->pu1_buf1 = NULL;
+            ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1;
+            ps_dec->ps_dpb_mgr->ps_init_dpb[0][i] = ps_init_dpb;
+            ps_dec->ps_dpb_mgr->ps_mod_dpb[0][i] = ps_init_dpb;
+            ps_init_dpb++;
+        }
+
+        ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[1][0];
+        for(i = 0; i < 2 * MAX_REF_BUFS; i++)
+        {
+            ps_init_dpb->pu1_buf1 = NULL;
+            ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1;
+            ps_dec->ps_dpb_mgr->ps_init_dpb[1][i] = ps_init_dpb;
+            ps_dec->ps_dpb_mgr->ps_mod_dpb[1][i] = ps_init_dpb;
+            ps_init_dpb++;
+        }
+    }
+
     ps_cur_slice = ps_dec->ps_cur_slice;
     ps_dec->init_done = 0;
 
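Review bot: the new block dereferences ps_dec->ps_dpb_mgr and reads ps_init_dpb[0][0] and ps_init_dpb[1][0] without any check, directly after ih264d_free_dynamic_bufs(ps_dec); it relies on ps_dpb_mgr already being allocated when ih264d_init_decoder runs and on ps_init_dpb[x][0] already holding the base of a contiguous array of 2 * MAX_REF_BUFS pic_buffer_t entries, since the loop walks `ps_init_dpb++` from it and writes the result back into both tables. A comment stating these two preconditions, or an early return when ps_dpb_mgr is NULL, would keep the reordering safe for the next person who touches this function. The two loops differ only in the list index ([0] versus [1]); one outer loop over the two lists would halve the block and stop the copies from drifting apart.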
@@ -1439,29 +1463,6 @@
     ps_dec->ps_col_mv_base = pv_buf;
     memset(ps_dec->ps_col_mv_base, 0, size);
 
-    {
-        UWORD8 i;
-        struct pic_buffer_t *ps_init_dpb;
-        ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[0][0];
-        for(i = 0; i < 2 * MAX_REF_BUFS; i++)
-        {
-            ps_init_dpb->pu1_buf1 = NULL;
-            ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1;
-            ps_dec->ps_dpb_mgr->ps_init_dpb[0][i] = ps_init_dpb;
-            ps_dec->ps_dpb_mgr->ps_mod_dpb[0][i] = ps_init_dpb;
-            ps_init_dpb++;
-        }
-
-        ps_init_dpb = ps_dec->ps_dpb_mgr->ps_init_dpb[1][0];
-        for(i = 0; i < 2 * MAX_REF_BUFS; i++)
-        {
-            ps_init_dpb->pu1_buf1 = NULL;
-            ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1;
-            ps_dec->ps_dpb_mgr->ps_init_dpb[1][i] = ps_init_dpb;
-            ps_dec->ps_dpb_mgr->ps_mod_dpb[1][i] = ps_init_dpb;
-            ps_init_dpb++;
-        }
-    }
     ih264d_init_decoder(ps_dec);
 
     return IV_SUCCESS;
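Review bot: with the block removed, nothing between the memset of ps_dec->ps_col_mv_base and the call to ih264d_init_decoder(ps_dec) touches ps_init_dpb or ps_mod_dpb any more, so the DPB entries are now populated only inside ih264d_init_decoder, which this path still calls immediately afterwards. A one-line comment here saying that the DPB reset moved into ih264d_init_decoder (and why: it has to run after every free of the dynamic buffers, not only after this allocation) would save the next reader from searching for where the tables are now filled in.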

Link to git commit:
https://android.googlesource.com/platform/external/libavc/+/c4b0440fb7a36cd8692126404f86f1bd7a19701e
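To show why the ordering in the patch matters, here is an added example (not code from libavc or from the original post) that models the decoder's reinitialisation with the same field and function names as the hunk. Struct layouts, the value of MAX_REF_BUFS, the buffer size and the "dynamic buffer" pool are all simplified assumptions; the pool carries a liveness bit so that a stale reference is detected by lookup rather than dereferenced, which on a real heap would be the use-after-free the bulletin describes. The unpatched path frees the buffers and leaves every DPB entry pointing into freed memory; the patched path clears the entries right after the free, exactly as the hunk does, but in one loop over both lists.

```c
#include <stdio.h>
#include <string.h>

/* Assumed stand-ins for libavc's constants and structs, keeping only the
   fields the patch touches. None of this is the real decoder's layout. */
#define MAX_REF_BUFS 16
#define NUM_LISTS    2
#define LIST_SLOTS   (2 * MAX_REF_BUFS)
#define TOTAL_SLOTS  (NUM_LISTS * LIST_SLOTS)
#define BUF_BYTES    64

typedef struct pic_buffer {
    unsigned char *pu1_buf1;             /* pixel data of this reference picture */
    unsigned char  u1_long_term_frm_idx;
} pic_buffer_t;

typedef struct dpb_mgr {
    pic_buffer_t *ps_init_dpb[NUM_LISTS][LIST_SLOTS];
    pic_buffer_t *ps_mod_dpb[NUM_LISTS][LIST_SLOTS];
    pic_buffer_t  as_store[NUM_LISTS][LIST_SLOTS]; /* contiguous array the hunk walks with ps_init_dpb++ */
} dpb_mgr_t;

/* Toy "dynamic buffer" heap: a liveness bit per slot lets a dangling pointer be
   recognised by lookup instead of being dereferenced (constructed for this example). */
typedef struct dyn_pool {
    unsigned char data[TOTAL_SLOTS * BUF_BYTES];
    int live[TOTAL_SLOTS];
} dyn_pool_t;

typedef struct decoder {
    dpb_mgr_t  s_dpb_mgr;
    dpb_mgr_t *ps_dpb_mgr;
    dyn_pool_t s_pool;
    int        init_done;
} decoder_t;

static void decoder_setup(decoder_t *d) {
    memset(d, 0, sizeof *d);
    d->ps_dpb_mgr = &d->s_dpb_mgr;
    /* Precondition the hunk relies on: entry [l][0] is the base of the array. */
    for (int l = 0; l < NUM_LISTS; l++)
        d->ps_dpb_mgr->ps_init_dpb[l][0] = &d->ps_dpb_mgr->as_store[l][0];
}

/* Stand-in for ih264d_allocate_dynamic_bufs: every DPB entry gets a live buffer. */
static void allocate_dynamic_bufs(decoder_t *d) {
    for (int l = 0; l < NUM_LISTS; l++)
        for (int i = 0; i < LIST_SLOTS; i++) {
            int slot = l * LIST_SLOTS + i;
            pic_buffer_t *e = &d->ps_dpb_mgr->as_store[l][i];
            d->s_pool.live[slot] = 1;
            e->pu1_buf1 = &d->s_pool.data[slot * BUF_BYTES];
            e->u1_long_term_frm_idx = (unsigned char)i;
            d->ps_dpb_mgr->ps_init_dpb[l][i] = e;
            d->ps_dpb_mgr->ps_mod_dpb[l][i] = e;
        }
}

/* Stand-in for ih264d_free_dynamic_bufs: the memory goes away, the pointers do not. */
static void free_dynamic_bufs(decoder_t *d) {
    memset(d->s_pool.live, 0, sizeof d->s_pool.live);
}

/* The block the fix adds right after the free, looped over both reference lists. */
static void reset_dpb_entries(decoder_t *d) {
    for (int l = 0; l < NUM_LISTS; l++) {
        pic_buffer_t *ps_init_dpb = d->ps_dpb_mgr->ps_init_dpb[l][0];
        for (int i = 0; i < LIST_SLOTS; i++) {
            ps_init_dpb->pu1_buf1 = NULL;                     /* no buffer to reuse */
            ps_init_dpb->u1_long_term_frm_idx = MAX_REF_BUFS + 1; /* out-of-range = unused */
            d->ps_dpb_mgr->ps_init_dpb[l][i] = ps_init_dpb;
            d->ps_dpb_mgr->ps_mod_dpb[l][i] = ps_init_dpb;
            ps_init_dpb++;
        }
    }
}

/* Stand-in for ih264d_init_decoder before (patched == 0) and after (patched == 1) the fix. */
static void init_decoder(decoder_t *d, int patched) {
    free_dynamic_bufs(d);
    if (patched) reset_dpb_entries(d);
    d->init_done = 0;
}

/* What a later slice decode does with the lists: read each referenced buffer.
   Returns how many entries still point at freed memory; 0 is the only safe result. */
static int count_dangling_refs(const decoder_t *d) {
    int stale = 0;
    for (int l = 0; l < NUM_LISTS; l++)
        for (int i = 0; i < LIST_SLOTS; i++) {
            const pic_buffer_t *e = d->ps_dpb_mgr->ps_init_dpb[l][i];
            if (e->pu1_buf1 == NULL) continue;   /* cleared entry: nothing to dereference */
            int slot = (int)((e->pu1_buf1 - d->s_pool.data) / BUF_BYTES);
            if (!d->s_pool.live[slot]) stale++;  /* use after free on a real heap */
        }
    return stale;
}

/* Decode once, reinitialise (e.g. on a stream parameter change), touch the lists again. */
int run_reinit_scenario(int patched) {
    decoder_t d;
    decoder_setup(&d);
    allocate_dynamic_bufs(&d);
    init_decoder(&d, patched);
    return count_dangling_refs(&d);
}

int main(void) {
    printf("unpatched: %d dangling references after reinit\n", run_reinit_scenario(0));
    printf("patched:   %d dangling references after reinit\n", run_reinit_scenario(1));
    return 0;
}
```

Run stand-alone, the unpatched scenario reports all 64 entries as dangling and the patched one reports none; under AddressSanitizer the equivalent read on a real heap would abort at the first stale entry, which is the crash-or-corruption outcome the bulletin rates as remote code execution.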

Privilege escalation vulnerabilities

  • CVE-2020-0001
    A process-handling function in ActivityManagerService.java is
    improperly implemented, making an escape from the app sandbox
    possible.

  • CVE-2020-0003
    In InstallStart.java of the Android package installer it is
    possible to bypass a package validation check.
    Link to diff

Denial of service CVE-2020-0004

Improper validation of the wallpaper image (texture) size in
WallpaperManagerService can cause a denial of service when an
oversized image is set as the wallpaper.

Information disclosure vulnerabilities

  • CVE-2020-0006
    A vulnerability was found in the Near Field Communication (NFC)
    part of Android: uninitialized data allows memory contents to be
    disclosed, and the flaw is exploitable by an unprivileged third
    party.

  • CVE-2020-0007
    Memory contents can be disclosed due to uninitialized data in
    the Sensor.cpp part of Android.
    Link to patch:
    git commit 6c524a53c85bd0ee05d2714bc5606d62975e5819

  • CVE-2020-0008
    A race condition has been found in the Bluetooth part of
    Android which, if exploited, leads to information disclosure.

The Mississippi state government has issued an announcement
about these security threats, advising users to update their
Android devices as soon as possible.
Link: its.ms.gov

External links:
CVE-2020-0001
Android Security Bulletin January 2020
Use after free vulnerability

If you are using an RSS reader you can subscribe to this blog here:
https://blog.firosolutions.com/exploits/index.xml
https://blog.firosolutions.com/posts/index.xml

This blog post is part of the exploit of the day series,
where we write a short description of interesting
exploits that we index.