Information

A maliciously crafted JPEG file can lead to memory corruption with attacker-controlled input, which in turn can lead to arbitrary code execution.
The vulnerable function is in charge of handling the image dimensions when parsing JPEG image files.
The dimensions are “width”, “height” and “out_color_components” (number of bytes per pixel), and all of them can be controlled by the user.
The “width”, “height” and “out_color_components” are used, without proper integer-overflow checks, to calculate the image size from which a heap buffer is allocated.
The buffer sized by that calculation is then passed to memcpy, leading to a heap-based buffer overflow.
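To illustrate the flaw class described above, here is an added C example constructed for this report (not mozjpeg's, libjpeg's or Instagram's code): the unchecked width × height × out_color_components product beside a variant that rejects overflow before any buffer is allocated. The function names, the `comps` shorthand for out_color_components and the 4-bytes-per-pixel cap are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>

/* Assumed cap: the widest libjpeg output is 4 bytes/pixel (CMYK). Parameter
 * names follow the advisory, not any decoder's real struct. */
#define MAX_COMPONENTS 4u

/* Unchecked computation, the flaw class described above: the product wraps
 * modulo 2^32, so huge dimensions can yield a tiny allocation.
 * Example: 32768 x 32769 x 4 (about 4 GiB) wraps to 131072 (128 KiB). */
uint32_t image_size_unchecked(uint32_t width, uint32_t height, uint32_t comps)
{
    uint32_t size = width * height;
    return size * comps;
}

/* Checked variant: each multiplication is tested against UINT32_MAX before
 * it happens. Returns 0 for overflow or a zero/invalid dimension, so the
 * caller never allocates a buffer smaller than the pixels copied into it. */
uint32_t image_size_checked(uint32_t width, uint32_t height, uint32_t comps)
{
    uint32_t row_bytes;
    if (width == 0 || height == 0 || comps == 0 || comps > MAX_COMPONENTS)
        return 0;
    if (width > UINT32_MAX / comps)
        return 0;                        /* width * comps would wrap */
    row_bytes = width * comps;
    if (height > UINT32_MAX / row_bytes)
        return 0;                        /* row_bytes * height would wrap */
    return row_bytes * height;
}

/* Allocation path a decoder should use: refuse to continue when the checked
 * size is 0 instead of handing an undersized buffer to memcpy.
 * Returns 1 if a buffer was allocated (and freed again here), else 0. */
int try_allocate_image(uint32_t width, uint32_t height, uint32_t comps)
{
    uint32_t size = image_size_checked(width, height, comps);
    unsigned char *buf;
    if (size == 0)
        return 0;
    buf = calloc(size, 1);
    if (buf == NULL)
        return 0;
    free(buf);
    return 1;
}
```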

BugCheck:

Build fingerprint: 'google/bullhead/bullhead:7.1.2/N2G48C/4104010:user/release-keys'
Revision: 'rev_1.0'
ABI: 'arm64'
pid: 15516, tid: 21791, name: IgExecutor #28  >>> com.instagram.android <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7e45c00000

Stack at crash:

backtrace:
    #00 pc 000000000001aa54  /system/lib64/libc.so (memcpy+332)
    #01 pc 000000000000283c  /data/data/com.instagram.android/lib-superpack-zstd/libjpegutils_moz.so
    #02 pc 0000000000002238  /data/data/com.instagram.android/lib-superpack-zstd/libjpegutils_moz.so
    #03 pc 00000000000020f0  /data/data/com.instagram.android/lib-superpack-zstd/libjpegutils_moz.so
    #04 pc 0000000000005040  /data/data/com.instagram.android/lib-superpack-zstd/libcj_moz.so
    #05 pc 0000000001dff548  /data/app/com.instagram.android-2/oat/arm64/base.odex (offset 0x1df9000)

Registers:

Reproduce:
First push the malicious JPEG to the device.

  1. Navigate to the location on the device where you pushed the image
  2. Tap the image; the share icon will appear at the top-right of the screen
  3. Tap the share icon; all sharing options will appear on the screen
  4. Tap one of the Instagram icons (Feed or Stories) and the vulnerability will trigger

Uploading a photo or story the regular way has the same effect:

  1. Open Instagram. Tap the Instagram app icon, which resembles a multicolored camera.
  2. Tap +. It’s at the bottom-center of the screen.
  3. Select an upload option.
  4. Take or select the malicious JPEG.
  5. Tap Next, and the vulnerability will trigger.

Attachments

  • Tombstone file with extra data about the crash
  • crash.jpeg the malicious JPEG file

References:
https://www.facebook.com/security/advisories/cve-2020-1895
https://research.checkpoint.com/2020/instagram_rce-code-execution-vulnerability-in-instagram-app-for-android-and-ios/