A newly published report from Natalie Silvanovich, a security researcher at Google’s Project Zero team, has revealed a critical vulnerability in the Monkey’s Audio (APE) decoder used in Samsung’s S24 smartphone. Tracked as CVE-2024-49415 and assigned a CVSS score of 8.1, this flaw could allow remote attackers to execute arbitrary code on vulnerable devices.
The vulnerability stems from an out-of-bounds write issue in the saped_rec function within the libsaped.so library. As Silvanovich explains in her report, “The function saped_rec in libsaped.so writes to a dmabuf allocated by the C2 media service, which always appears to have size 0x120000… an APE file with a large blocksperframe size can substantially overflow this buffer.”
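To make the mechanism concrete, here is an added illustration (written for this article, not Samsung's libsaped code, whose internals are not public): a simplified APE frame decoder that sizes its output from the file's blocksperframe field and writes into a fixed 0x120000-byte buffer, beside a hardened version that validates the frame size against the buffer first. The header offsets are an assumption taken from the public Monkey's Audio APE_HEADER layout, the buffer size models the dmabuf figure quoted in the report, and the header bytes are constructed inline; the vulnerable path returns the size it would have written rather than actually overrunning memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DMABUF_SIZE 0x120000u   /* fixed output buffer size quoted in the report */
#define APE_HEADER_LEN 24

/* Fields of the public APE_HEADER (v3.98+) at their little-endian offsets;
 * layout is an assumption from the open format, not from libsaped. */
struct ape_header {
    uint16_t compression_level;  /* 0  */
    uint16_t format_flags;       /* 2  */
    uint32_t blocks_per_frame;   /* 4  */
    uint32_t final_frame_blocks; /* 8  */
    uint32_t total_frames;       /* 12 */
    uint16_t bits_per_sample;    /* 16 */
    uint16_t channels;           /* 18 */
    uint32_t sample_rate;        /* 20 */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Parse the 24-byte header block; -1 if the input is too short. */
int ape_parse_header(const uint8_t *buf, size_t len, struct ape_header *h)
{
    if (buf == NULL || len < APE_HEADER_LEN) return -1;
    h->compression_level  = rd16(buf + 0);  h->format_flags    = rd16(buf + 2);
    h->blocks_per_frame   = rd32(buf + 4);  h->final_frame_blocks = rd32(buf + 8);
    h->total_frames       = rd32(buf + 12); h->bits_per_sample = rd16(buf + 16);
    h->channels           = rd16(buf + 18); h->sample_rate     = rd32(buf + 20);
    return 0;
}

/* Constructed test input: a header carrying the given size-relevant fields. */
void ape_write_header(uint8_t out[APE_HEADER_LEN], uint32_t bpf, uint16_t ch, uint16_t bps)
{
    memset(out, 0, APE_HEADER_LEN);
    wr16(out + 0, 2000);      /* compression level "normal" */
    wr32(out + 4, bpf);  wr32(out + 8, bpf);  wr32(out + 12, 1);
    wr16(out + 16, bps); wr16(out + 18, ch);  wr32(out + 20, 44100);
}

/* Decoded frame size: one sample per block per channel (64-bit, so a huge
 * blocks_per_frame cannot wrap the product and slip past a check). */
uint64_t ape_frame_output_bytes(const struct ape_header *h)
{
    return (uint64_t)h->blocks_per_frame * h->channels * (h->bits_per_sample / 8u);
}

/* Vulnerable pattern: write size comes from the file and is never compared with
 * the destination. The memset is clamped so this stays runnable; the returned
 * value above out_len is what the real code would have written past the buffer. */
uint64_t decode_frame_vulnerable(const struct ape_header *h, uint8_t *out, size_t out_len)
{
    uint64_t need = ape_frame_output_bytes(h);
    memset(out, 0, (size_t)(need < out_len ? need : out_len)); /* stand-in for PCM output */
    return need;
}

/* Hardened: validate the fields and the frame size before touching the buffer. */
int decode_frame_hardened(const struct ape_header *h, uint8_t *out, size_t out_len)
{
    if (h->channels == 0 || h->channels > 2) return -1;
    if (h->bits_per_sample != 8 && h->bits_per_sample != 16 && h->bits_per_sample != 24) return -1;
    uint64_t need = ape_frame_output_bytes(h);
    if (need == 0 || need > out_len) return -1;   /* the bounds check the vulnerable path lacks */
    memset(out, 0, (size_t)need);
    return 0;
}

static uint8_t g_dmabuf[DMABUF_SIZE];   /* models the fixed-size C2 dmabuf */

static int build_and_parse(uint32_t bpf, uint16_t ch, uint16_t bps, struct ape_header *h)
{
    uint8_t hdr[APE_HEADER_LEN];
    ape_write_header(hdr, bpf, ch, bps);
    return ape_parse_header(hdr, sizeof hdr, h);
}

/* Bytes the vulnerable decoder tries to write for a header with these fields. */
uint64_t vulnerable_write_size(uint32_t bpf, uint16_t ch, uint16_t bps)
{
    struct ape_header h;
    if (build_and_parse(bpf, ch, bps, &h) != 0) return 0;
    return decode_frame_vulnerable(&h, g_dmabuf, DMABUF_SIZE);
}

/* 1 if the hardened decoder accepts the frame, 0 if it rejects it. */
int hardened_accepts(uint32_t bpf, uint16_t ch, uint16_t bps)
{
    struct ape_header h;
    if (build_and_parse(bpf, ch, bps, &h) != 0) return 0;
    return decode_frame_hardened(&h, g_dmabuf, DMABUF_SIZE) == 0;
}

int main(void)
{
    uint32_t cases[] = { 73728u, 0x1000000u };   /* normal-level default vs crafted value */
    for (size_t i = 0; i < 2; i++) {
        uint64_t need = vulnerable_write_size(cases[i], 2, 16);
        printf("blocksperframe=%u: vulnerable path writes %llu of %u bytes (%s), hardened %s\n",
               cases[i], (unsigned long long)need, DMABUF_SIZE,
               need > DMABUF_SIZE ? "OVERFLOW" : "fits",
               hardened_accepts(cases[i], 2, 16) ? "accepts" : "rejects");
    }
    return 0;
}
```

The point of the hardened path is that the size check happens before any write and uses 64-bit arithmetic, so neither a large blocksperframe nor a multiplication wrap can get past it; a real decoder would additionally reject a blocksperframe that does not match the file's compression level.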
In practice, a specially crafted APE audio file is enough to trigger the bug, potentially letting an attacker run code on the device. Worryingly, no user interaction is needed (a zero-click exploit) when Google Messages is configured for Rich Communication Services (RCS) messaging, which is the default setting on the S24.
Silvanovich notes that “this is a fully-remote (0-click) bug on the Samsung S24 if Google Messages is configured for RCS… as the transcription service decodes incoming audio before a user interacts with the message for transcription purposes.”
The report provides detailed steps to reproduce CVE-2024-49415 both locally and remotely. Because the overflow lands in a DMA buffer rather than ordinary heap memory, how far it can be pushed toward reliable code execution remains unclear, but the researcher warns that “non-DMA data appears to be allocated in the adjacent buffer,” suggesting a potential avenue for exploitation.
Samsung addressed the vulnerability in its December 2024 security update. Owners of Samsung S24 (and potentially S23) devices are strongly urged to install the latest security updates. Since the zero-click path described in the report depends on RCS being enabled in Google Messages, that setting is the one to check on devices that cannot be updated immediately.