Samsung's Android builds add support for image formats that stock Android does not handle. In particular, they support a very odd, Samsung-specific format called Qmage. Parsing anything is hard to do securely, and an obscure parser that few people look at is a natural place to start digging...
To fuzz this library, a custom loader was written. The first part swapped the default malloc for an allocator that crashes on any kind of memory corruption instead of silently tolerating it. The second part added extra crash information on a SIGSEGV, so every crash dump says where the fault happened rather than just "Segmentation fault".
That replacement allocator was libdislocator (from AFL), and it differs from a normal malloc in a few ways that matter... libdislocator enforces a 1 GB heap limit, does not align allocations (a 17-byte request returns exactly 17 bytes, placed so the block ends right at an inaccessible guard page, so even a one-byte overflow faults immediately), and it fills newly allocated memory with 0xCC to catch use of uninitialized memory. Knowing the differences is important, because the target can crash under libdislocator on inputs that the stock allocator would have quietly survived!
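The following is an added example, not code from the original write-up or from libdislocator itself: a small allocator that reproduces the three behaviours listed above (no alignment padding, a guard page right after the block, 0xCC fill, plus a heap cap), together with a SIGSEGV handler of the kind the second half of the loader adds. The `dl_*` names, the canary constant and the 1 GB limit are assumptions chosen for the example; in a real loader this allocator would be exported as `malloc`/`free` via LD_PRELOAD, which is not done here so the block runs stand-alone.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical dl_* names. Behaviour is modelled on AFL's libdislocator; this is not its code. */
#define DL_FILL   0xCC                          /* pattern written into every fresh block */
#define DL_LIMIT  (1024UL * 1024UL * 1024UL)    /* cap on live heap, like libdislocator's 1 GB default */
#define DL_CANARY 0xAC8BC1EDAC8BC1EDULL         /* assumed header canary, detects underflow into the header */

/* Bookkeeping stored immediately before the returned block. */
typedef struct { size_t map_len; size_t req; uint64_t canary; } dl_hdr;

static size_t dl_live = 0;                      /* bytes currently allocated */

size_t dl_page_size(void) {
  long ps = sysconf(_SC_PAGESIZE);
  return ps > 0 ? (size_t)ps : 4096;
}

/* Allocate n bytes such that the block ends exactly at a PROT_NONE guard page. */
void *dl_malloc(size_t n) {
  size_t ps = dl_page_size();
  if (n == 0) n = 1;
  if (n > DL_LIMIT || dl_live + n > DL_LIMIT) return NULL;     /* heap limit reached */
  size_t data_len = (sizeof(dl_hdr) + n + ps - 1) / ps * ps;   /* pages for header + block */
  size_t map_len = data_len + ps;                               /* plus one guard page */
  uint8_t *base = mmap(NULL, map_len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  if (base == MAP_FAILED) return NULL;
  if (mprotect(base + data_len, ps, PROT_NONE) != 0) { munmap(base, map_len); return NULL; }
  uint8_t *p = base + data_len - n;      /* no alignment padding: 17 requested, 17 usable */
  dl_hdr h = { map_len, n, DL_CANARY };
  memcpy(p - sizeof h, &h, sizeof h);    /* memcpy because p may be unaligned for a struct store */
  memset(p, DL_FILL, n);                 /* uninitialised reads now see 0xCC, not stale data */
  dl_live += n;
  return p;
}

/* 0 on success, -1 if the header canary was clobbered (underflow or invalid pointer).
   The whole mapping is released, so any later access to the block faults. */
int dl_free(void *ptr) {
  if (!ptr) return 0;
  uint8_t *p = ptr;
  dl_hdr h;
  memcpy(&h, p - sizeof h, sizeof h);
  if (h.canary != DL_CANARY) return -1;
  uint8_t *base = p + h.req - (h.map_len - dl_page_size());   /* block end == start of guard page */
  dl_live -= h.req;
  return munmap(base, h.map_len) == 0 ? 0 : -1;
}

size_t dl_usable_size(const void *ptr) {
  dl_hdr h;
  memcpy(&h, (const uint8_t *)ptr - sizeof h, sizeof h);
  return h.canary == DL_CANARY ? h.req : 0;
}

/* Second half of the loader: report the fault address instead of a bare "Segmentation fault".
   snprintf is not formally async-signal-safe, which is acceptable in a crash-only handler. */
static void dl_segv_handler(int sig, siginfo_t *si, void *uctx) {
  (void)uctx;
  char buf[96];
  int len = snprintf(buf, sizeof buf, "SIGSEGV(%d) fault_addr=%p si_code=%d\n",
                     sig, si->si_addr, si->si_code);
  if (len > 0) { ssize_t w = write(STDERR_FILENO, buf, (size_t)len); (void)w; }
  signal(SIGSEGV, SIG_DFL);   /* returning re-executes the faulting instruction, now fatal */
}

int dl_install_segv_handler(void) {
  struct sigaction sa;
  memset(&sa, 0, sizeof sa);
  sa.sa_sigaction = dl_segv_handler;
  sa.sa_flags = SA_SIGINFO;
  return sigaction(SIGSEGV, &sa, NULL);
}

int main(void) {
  dl_install_segv_handler();
  uint8_t *p = dl_malloc(17);
  printf("block=%p end=%p page_aligned_end=%d first_byte=0x%02x\n",
         (void *)p, (void *)(p + 17), ((uintptr_t)(p + 17) % dl_page_size()) == 0, p[0]);
  p[16] = 0;        /* last in-bounds byte: fine */
  /* p[17] = 0; */  /* one byte past the end hits the guard page: immediate SIGSEGV */
  dl_free(p);
  /* p[0] = 0; */   /* use-after-free: mapping is gone, also an immediate SIGSEGV */
  return 0;
}
```

Uncommenting either of the two commented stores in `main` shows the point of the loader: the bug becomes a SIGSEGV with a fault address on the very first bad access, instead of corrupting a neighbouring chunk and crashing (or not) somewhere unrelated later.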
After fuzzing, a whopping 5218 unique crashes were found! Both deduplication and severity ranking were automated rather than done by hand: the crash dumps produced by the loader contain enough information to key on.
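As an added example of that kind of automation (not the original research's tooling), the block below deduplicates SIGSEGV records by faulting instruction plus access type and ranks each unique crash with a simple severity heuristic. The record layout, the severity rules and the sample records are all constructed for this example; they are not real Qmage crashes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One record per SIGSEGV, holding the fields a crash-dump hook can easily emit. */
typedef struct { uint64_t pc; uint64_t fault_addr; int is_write; } crash_rec;

typedef enum { SEV_LOW = 0, SEV_MEDIUM = 1, SEV_HIGH = 2 } severity;

/* Constructed sample records; they are not real Qmage crashes. */
const crash_rec SAMPLE[] = {
  { 0x7a1000, 0x00000008,     0 },  /* read near NULL */
  { 0x7a1000, 0x00000010,     0 },  /* same instruction, different offset: same bug */
  { 0x7a2000, 0x41414141,     1 },  /* write to an attacker-looking address */
  { 0x7a3000, 0x7f00deadbeef, 0 },  /* wild read, far from NULL */
  { 0x7a2000, 0x42424242,     1 },  /* duplicate of the write crash */
};
const size_t SAMPLE_LEN = sizeof SAMPLE / sizeof SAMPLE[0];

/* Heuristic ranking: wild writes first, then reads of non-NULL addresses, then NULL-page reads. */
severity classify(const crash_rec *c) {
  if (c->is_write) return SEV_HIGH;
  if (c->fault_addr < 0x1000) return SEV_LOW;   /* NULL-page dereference: usually just a DoS */
  return SEV_MEDIUM;
}

/* Dedup key: faulting instruction plus access kind; the exact address varies per input. */
static uint64_t dedup_key(const crash_rec *c) {
  return (c->pc << 1) | (uint64_t)(c->is_write != 0);
}

/* Deduplicates recs[0..n) and tallies unique crashes per severity into counts[3].
   Returns the number of unique crashes. A linear scan is fine for a few thousand records. */
size_t triage(const crash_rec *recs, size_t n, size_t counts[3]) {
  enum { MAX_UNIQUE = 8192 };
  static uint64_t seen[MAX_UNIQUE];
  size_t nseen = 0;
  memset(counts, 0, 3 * sizeof counts[0]);
  for (size_t i = 0; i < n; i++) {
    uint64_t k = dedup_key(&recs[i]);
    size_t j = 0;
    while (j < nseen && seen[j] != k) j++;
    if (j < nseen) continue;                /* already counted */
    if (nseen == MAX_UNIQUE) break;
    seen[nseen++] = k;
    counts[classify(&recs[i])]++;
  }
  return nseen;
}

int main(void) {
  size_t counts[3];
  size_t uniq = triage(SAMPLE, SAMPLE_LEN, counts);
  printf("%zu records -> %zu unique (low=%zu medium=%zu high=%zu)\n",
         SAMPLE_LEN, uniq, counts[SEV_LOW], counts[SEV_MEDIUM], counts[SEV_HIGH]);
  return 0;
}
```

Keying on the program counter rather than the fault address is the important choice: the same out-of-bounds read produces a different address for every input, but the same instruction, so address-based keys would inflate the unique count.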
From an exploitability standpoint, images in incoming messages are processed without any user interaction. So if a malicious image is sent to a user, the parser has already run on it before they could do anything about it.
The FAQ also has some interesting information. To start with, the exploit takes up to 300 minutes to run. Why? Because ASLR has to be defeated first, and that is done remotely with something like a binary search: probe messages are sent, and whether or not the Messages app crashes on each one leaks information about where things sit in memory. An interesting process to defeat ASLR!
Another interesting part of the exploit is that the messages can be sent in a way that produces no notification for the user at all. Running the attack at 3 am is therefore a feasible option, even though it can take several hours.
Main takeaways: older and weirder functionality tends to have bugs, and fuzzing with a custom loader (a crash-happy allocator plus richer crash reporting) can be really useful for bug hunting.