Full Report
Cybersecurity researchers have detailed a now-patched security flaw impacting Monkey's Audio (APE) decoder on Samsung smartphones that could lead to code execution. The high-severity vulnerability, tracked as CVE-2024-49415 (CVSS score: 8.1), affects Samsung devices running Android versions 12, 13, and 14. "Out-of-bounds write in libsaped.so prior to SMR Dec-2024 Release 1 allows remote
Analysis Summary
# Vulnerability: Out-of-Bounds Write in Samsung APE Decoder Leading to Remote Code Execution
## CVE Details
- CVE ID: CVE-2024-49415
- CVSS Score: 8.1 (High)
- CWE: CWE-787 (Out-of-bounds Write)
## Affected Systems
- Products: Samsung Devices running Android
- Versions: Android 12, 13, and 14 (prior to the December 2024 Security Maintenance Release - SMR)
- Configurations: Specifically exploitable when Google Messages is configured for Rich Communication Services (RCS), which is the default on Galaxy S23 and S24 series.
## Vulnerability Description
The vulnerability resides in the Monkey's Audio (APE) decoder, specifically in the `saped_rec` function of the `libsaped.so` library. The function writes decoded data into a `dmabuf` allocated by the C2 media service, which has a fixed size of 0x120000 bytes, without checking that the output fits. If an attacker supplies a specially crafted APE file (for example, as an audio message) whose bytes per sample value is 24, the function can write up to $3 \times \text{blocksperframe}$ bytes. Because `blocksperframe` is attacker-controlled, the write can exceed the destination buffer, corrupting adjacent memory and allowing arbitrary code execution.
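As an added example (not code from Samsung, `libsaped.so`, or the Project Zero report), the following C sketch shows the kind of output-size validation that closes this class of bug: it derives the number of bytes the decoder would emit from the frame's `blocksperframe` and bytes-per-sample values with overflow-safe arithmetic, and refuses to write into the fixed 0x120000-byte buffer when the frame does not fit. The `ape_frame_hdr` struct, its field names, and the function names are assumptions for illustration only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed size of the C2 media service output dmabuf, as stated in the advisory. */
#define SAPED_DMABUF_SIZE 0x120000u

/* Hypothetical frame parameters that drive the decoder's output size
 * (field names are this example's own, not libsaped's). */
typedef struct {
    uint32_t blocksperframe;   /* decoded samples in this frame (attacker-controlled) */
    uint32_t bytes_per_sample; /* 1, 2 or 3 for 8-, 16- or 24-bit audio */
} ape_frame_hdr;

/* Number of bytes the decoder would emit for this frame; false on an
 * unsupported sample width or if the multiplication would overflow size_t. */
bool ape_output_bytes(const ape_frame_hdr *h, size_t *out)
{
    if (h->bytes_per_sample < 1 || h->bytes_per_sample > 3)
        return false;
    if (h->blocksperframe > SIZE_MAX / h->bytes_per_sample)
        return false;
    *out = (size_t)h->blocksperframe * h->bytes_per_sample;
    return true;
}

/* Bounds-checked write of decoded PCM into the fixed destination buffer.
 * Returns false and writes nothing when the frame would not fit, which is
 * the input validation the advisory says the December 2024 SMR added. */
bool ape_write_frame_checked(const ape_frame_hdr *h, const uint8_t *pcm,
                             uint8_t *dst, size_t dst_size)
{
    size_t need;
    if (!ape_output_bytes(h, &need) || need > dst_size)
        return false;
    memcpy(dst, pcm, need);
    return true;
}

int main(void)
{
    /* Constructed header: 24-bit samples, one block more than fits in 0x120000 bytes. */
    ape_frame_hdr h = { 0x60001u, 3u };
    size_t need = 0;
    bool ok = ape_output_bytes(&h, &need) && need <= SAPED_DMABUF_SIZE;
    printf("frame needs %zu bytes, buffer is %u: %s\n", need, SAPED_DMABUF_SIZE, ok ? "fits" : "rejected");
    return 0;
}
```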
## Exploitation
- Status: Reported by a security researcher; the described scenario implies zero-click exploitation is possible.
- Complexity: Low (Zero-click nature when prerequisites are met).
- Attack Vector: Network (via specially crafted rich media message).
## Impact
- Confidentiality: High (Code execution context is in the media codec process).
- Integrity: High (Arbitrary code execution).
- Availability: High (Can cause the media codec process to crash).
## Remediation
### Patches
- Samsung released patches as part of the **December 2024 Security Maintenance Release (SMR)**.
- The patch specifically addresses the flaw by implementing **proper input validation** in the APE decoder function.
### Workarounds
- Disable Rich Communication Services (RCS) in Google Messages temporarily, although this may impact standard messaging features.
## Detection
- Indicators of compromise would likely involve crashes related to the C2 media service process (`samsung.software.media.c2`) when processing incoming rich media messages.
- Detection methods should focus on monitoring for unusual memory writes or exceptions within media decoding libraries (`libsaped.so`) related to processing APE format data.
## References
- Vendor Advisory: Samsung Security Updates (December 2024)
- Project Zero Issue (specific details on the mechanism): project-zero.issues.chromium.org/issues/368695689