New issue
Advanced search Search tips
Starred by 4 users

Issue metadata

Status: Fixed
Owner:
Closed: May 22
Cc:



Sign in to add a comment

Samsung Galaxy S7 Edge: Overflow in OMACP WbXml String Extension Processing

Project Member Reported by natashenka@google.com, Feb 21

Issue description

OMACP is a protocol supported by many mobile devices which allows them to receive provisioning information over the mobile network. One way to provision a device is via a WAP push SMS message containing provisioning information in WbXML.

A malformed OMACP WAP push message can cause memory corruption on a Samsung S7 Edge device when processing the String Extension portion of the WbXml payload. This is due to an integer overflow in memory allocation for this string.

While OMACP WAP pushes require authentication, the entire WbXml payload of a push is parsed to extract the credentials, so this bug occurs pre-authentication.

To reproduce the issue:

1) install the attached Android application on a different phone than the one being tested for the issue
2) manually give the application SMS permissions in the settings screen
3) start the app and enter the phone number on the target device
4) press the "send wap push" button

The target phone will crash:

02-20 15:52:56.952 15197 15197 F DEBUG   : pid: 15180, tid: 15196, name: IntentService[S  >>> com.wsomacp <<<
02-20 15:52:56.952 15197 15197 F DEBUG   : signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x731a800000

The WAP payload causing this problem is:

690b6d0733b401506694f4c6504cf6be7224df6199a9c0ec4b76db1f6e262c457fc0553dbb50863dfce2d5c55077c3ffffffff7f777777770A0604B6B6B6B6.

Code for the test app is also attached.

This was tested on Samsung build number NRD90M.G93FXXU1DQJ8, which is the most recent update on my device

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available, the bug report will become
visible to the public.

 
app-release.apk
1.8 MB Download
ContentOverflow.zip
16.4 MB Download
Project Member

Comment 1 by natashenka@google.com, Feb 21

I am having difficulty reporting this issue, as Samsung's vulnerability reporting page (https://security.samsungmobile.com/securityReporting.smsb) requires agreeing to a number of legal agreements, including some that are in Korean only and some that include language about disclosure. I have reached out to some contacts at Samsung to figure out how to report these issues without these agreements.
Project Member

Comment 2 by natashenka@google.com, Feb 21

Labels: -Reported-2017-02-20 Reported-2018-Feb-20
Project Member

Comment 3 by natashenka@google.com, Feb 22

Labels: -Reported-2018-Feb-20 Reported-2018-Feb-21
I heard back and reported it. 
Project Member

Comment 4 by natashenka@google.com, May 4

Labels: CVE-2018-10751
Project Member

Comment 5 by natashenka@google.com, May 22

Labels: -Restrict-View-Commit
Status: Fixed (was: New)
This was fixed in Samsung's April update: https://security.samsungmobile.com/securityUpdate.smsb
Hi, does this work on Galaxy S7?

05-26 11:37:00.381 14133 14133 F DEBUG   : pid: 14110, tid: 14126, name: IntentService[S  >>> com.wsomacp <<<
05-26 11:37:00.381 14133 14133 F DEBUG   : signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x791d800000

This log is from my SM-G930F with latest (NRD90M.G930FXXS2DRC3) firmware.

Sign in to add a comment