Three security flaws have been disclosed in Qualcomm and MediaTek audio decoders which, if left unpatched, could allow an adversary to remotely access media and audio conversations on affected mobile devices. According to Israeli cybersecurity firm Check Point, the flaws could be exploited to carry out remote code execution (RCE) attacks by delivering a specially crafted audio file.
The researchers said in a report shared with The Hacker News, "The impact of an RCE vulnerability can range from malware execution to an attacker gaining control over a user's multimedia data, including streaming from a compromised machine's camera. In addition, an unprivileged Android app could use these vulnerabilities to escalate its privileges and gain access to media data and user conversations."
The flaws, collectively named ALHACK, stem from an audio coding format that Apple created and open-sourced in 2011. The Apple Lossless Audio Codec (ALAC), also known as Apple Lossless, is used to compress digital music without loss of quality.
Since then, third-party vendors, including Qualcomm and MediaTek, have used Apple's reference codec implementation as the basis for their own audio decoders.
While Apple has continued to patch and fix security problems in its proprietary version of ALAC, the open-source version of the codec has not received a single update since it was first uploaded to GitHub on October 27, 2011.
Check Point found three vulnerabilities in this ported ALAC code, two of which affect MediaTek chipsets and one Qualcomm chipsets:
• CVE-2021-0674 (CVSS score: 5.5, MediaTek) - A case of improper input validation in the ALAC decoder leading to information disclosure without any user interaction
• CVE-2021-0675 (CVSS score: 7.8, MediaTek) - A local privilege escalation flaw in the ALAC decoder stemming from an out-of-bounds write
• CVE-2021-30351 (CVSS score: 9.8, Qualcomm) - An out-of-bounds memory access due to improper validation of the number of frames passed during music playback
The vulnerabilities allowed Check Point to "grab the phone's camera feed" in a proof-of-concept exploit, according to security researcher Slava Makkaveev, who discovered the issues alongside Netanel Ben Simon.
All three vulnerabilities were addressed by the respective chipset manufacturers in December 2021, following responsible disclosure.
"The vulnerabilities were easily exploitable. A threat actor could have sent a song (media file) and when played by a potential victim, it could have injected code in the privileged media service. The threat actor could have seen what the mobile phone user sees on their phone," Makkaveev explained.