header-logo
Suggest Exploit
vendor:
Android
by:
Marcin Kozlowski
9.8
CVSS
HIGH
Remote Code Execution
119
CWE
Product Name: Android
Affected Version From: 7
Affected Version To: 9
Patch Exists: YES
Related CWE: 2019-2107
CPE: o:google:android
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Android
[date]

Android 7-9 – Remote Code Execution

CVE-2019-2107 is a vulnerability that allows for remote code execution on Android devices running versions 7-9. The vulnerability is present in the HVEC (a.k.a H.265 and MPEG-H Part 2) decoder/codec, which runs under the mediacodec user. By crafting a video with tiles enabled (ps_pps->i1_tiles_enabled_flag), an attacker can exploit the vulnerability to gain remote code execution.

Mitigation:

Update to the latest version of Android to patch the vulnerability.
Source

Exploit-DB raw data:

# Exploit Title: Android 7-9 - Remote Code Execution
# Date: [date]
# Exploit Author: Marcin Kozlowski
# Version: 7-9
# Tested on: Android
# CVE : 2019-2107

CVE-2019-2107 - looks scary. Still remember Stagefright and PNG bugs vulns .... 
With CVE-2019-2107 the decoder/codec runs under mediacodec user and with properly "crafted" video (with tiles enabled - ps_pps->i1_tiles_enabled_flag) you can possibly do RCE. The codec affected is HVEC (a.k.a H.265 and MPEG-H Part 2)

POC:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47157.zip

Navigation

Suggest Exploit

Services By CQR