Security notice on a remote code execution vulnerability in the Android GIF Drawable open source library

Posted by punzalan at 2020-04-02

Security Notice No.: CNTA-2019-0036

On October 14, 2019, CNVD accepted the Android GIF Drawable open source library remote code execution vulnerability (CNVD-2019-35254) submitted by Tencent Security Xuanwu Lab. An attacker can exploit this vulnerability to execute code remotely on a user's device without authorization, or to cause a denial of service in the application. The vendor has released a patch that fixes the issue; the vulnerability details have been publicly disclosed, and both the scope and the impact of the vulnerability are large.

1. Vulnerability analysis

Android GIF Drawable is an open source library (hereinafter the GIF open source library) used for decoding GIF images on Android. It bundles giflib via JNI to render frames, which is more efficient than the WebView and Movie classes, so it has been widely adopted.

In May 2019, security researchers found that the Android version of WhatsApp (before 2.19.244) had a double-free vulnerability (CVE-2019-11932, corresponding to CNVD-C-2019-144833). By sending a crafted malicious GIF file to a WhatsApp user, an attacker could gain the application permissions of WhatsApp and perform operations on the mobile device such as reading the SD card, recording audio, accessing the camera, accessing the file system, and accessing WhatsApp's sandbox storage.

Tencent Security Xuanwu Lab found that the above vulnerability originates in the GIF open source library, so any Android application (app) that uses the GIF open source library to parse GIF images may be affected. By remotely sending malicious GIF files to users of an affected app, an attacker can execute arbitrary code (Android 8.0 and above) or cause an application denial of service (Android 8.0 and below) with the permissions of that app on the target device.

CNVD rates the overall severity of the vulnerability as "high risk".

2. Scope of vulnerability

Android apps that use the Android GIF Drawable library for GIF image processing with a library version below 1.2.18 are affected by this vulnerability. iOS apps are not affected.

According to analysis by the Atuin system of Tencent Security Xuanwu Lab, the GIF open source library is used by a large number of Android apps; 43,619 Android apps worldwide developed with the GIF open source library may be affected by this vulnerability.

3. Suggestions for vulnerability remediation

A new version (1.2.18) of the GIF open source library has been released to fix this vulnerability. CNVD recommends:

2. When using mobile apps, users should not view or store GIF files of unknown origin.
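Sections 2 and 3 together give the practical check an app developer or security team needs: is any build pulling in android-gif-drawable at a version below the fixed release 1.2.18? The script below is an added example, not part of this notice and not code from the library's maintainers. It scans a Gradle dependency block for the library's Maven coordinate (assumed here to be `pl.droidsonroids.gif:android-gif-drawable`, the group and artifact under which the library is published) and flags versions older than 1.2.18. The build.gradle excerpt it runs on is constructed for the example.

```python
import re

# Maven coordinate (group:artifact) of the library. Assumed for this example;
# confirm against the coordinate your own build actually declares.
GIF_DRAWABLE_COORD = "pl.droidsonroids.gif:android-gif-drawable"
# First fixed release according to the notice.
FIXED_VERSION = "1.2.18"

# Matches Gradle dependency declarations such as
#   implementation 'group:artifact:version'
#   api "group:artifact:version"
_DEP_RE = re.compile(
    r"""^\s*(?:implementation|api|compileOnly|compile|runtimeOnly)\s*\(?\s*['"]"""
    r"""(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<version>[^'"]+)['"]"""
)

# Constructed sample build.gradle excerpt: one vulnerable and one fixed
# declaration of the GIF library, plus unrelated dependencies.
SAMPLE_BUILD_GRADLE = """\
dependencies {
    implementation 'androidx.appcompat:appcompat:1.1.0'
    implementation 'pl.droidsonroids.gif:android-gif-drawable:1.2.17'
    api "pl.droidsonroids.gif:android-gif-drawable:1.2.18"
    implementation 'com.squareup.okhttp3:okhttp:4.2.2'
}
"""


def parse_version(version: str) -> tuple:
    """Turn '1.2.17' (or '1.2.17-SNAPSHOT') into a comparable tuple (1, 2, 17).

    A pre-release suffix after '-' is dropped; non-numeric segments count as 0.
    """
    core = version.split("-", 1)[0]
    parts = []
    for segment in core.split("."):
        m = re.match(r"\d+", segment)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if this android-gif-drawable version is below the fixed release 1.2.18."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def scan_gradle(text: str) -> list:
    """Return (line_no, version, affected) for every android-gif-drawable dependency.

    Other dependencies are ignored; only the GIF library coordinate is checked.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = _DEP_RE.match(line)
        if not m:
            continue
        coord = f"{m.group('group')}:{m.group('artifact')}"
        if coord != GIF_DRAWABLE_COORD:
            continue
        version = m.group("version").strip()
        findings.append((line_no, version, is_affected(version)))
    return findings


if __name__ == "__main__":
    for line_no, version, affected in scan_gradle(SAMPLE_BUILD_GRADLE):
        status = "AFFECTED (upgrade to %s)" % FIXED_VERSION if affected else "ok"
        print(f"line {line_no}: android-gif-drawable {version}: {status}")
```

Running the script reports the 1.2.17 declaration as affected and the 1.2.18 one as fine. In a real audit, point `scan_gradle` at each module's build.gradle; the same version comparison applies to dependency reports such as `gradle dependencies`, where a transitive dependency on the library would not show up in the module's own file.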