Black Hat 2024

Remote, One-Click, Breaking through Smartphones via a Non Well-Known Remote Attack Surface

Black Hat · 4,478 views · 37:15 · about 1 year ago

This talk demonstrates a series of vulnerabilities in the SecVideoEngineService on Samsung Android devices, enabling remote code execution via a single, malicious video call. The researchers identify heap overflow and information leakage vulnerabilities within the RTP/RTCP packet processing logic of the service. By chaining these primitives, they bypass ASLR and CFI protections to achieve a full remote shell on the target device. The presentation includes a detailed walkthrough of the exploitation process, including memory layout manipulation and gadget discovery.

One-Click RCE: Exploiting Samsung’s SecVideoEngineService via Malicious RTP Packets

TLDR: Researchers at Black Hat 2024 demonstrated a critical remote code execution chain targeting Samsung’s SecVideoEngineService through malformed RTP/RTCP packets. By chaining heap overflows and information leaks, an attacker can bypass ASLR and CFI protections to gain a full remote shell on a target device with a single video call. This research highlights the massive, often overlooked attack surface present in carrier-provided IMS implementations on modern Android devices.

The mobile security community often fixates on high-profile messaging apps like WhatsApp or Signal, but the underlying carrier-provided infrastructure remains a massive, under-audited attack surface. During a recent briefing at Black Hat, researchers exposed a series of vulnerabilities in Samsung’s SecVideoEngineService that turn a standard video call into a weaponized delivery vector. This is not a theoretical exercise; it is a practical demonstration of how complex, high-privilege system services can be compromised by simply sending a malformed packet over a cellular network.

The Attack Surface: IMS and RTP Processing

The SecVideoEngineService is a core system application on Samsung devices responsible for encoding and decoding video streams. It runs with high privileges and is accessible remotely, making it a prime target for researchers looking for memory corruption bugs. The service handles RTP (Real-time Transport Protocol) and RTCP (RTP Control Protocol) packets, which are the backbone of video calling.

The researchers identified three distinct vulnerabilities: CVE-2024-34587, CVE-2024-34588, and CVE-2024-34593. These bugs center on improper validation of packet length fields during RTCP parsing. When the service receives a packet, it fails to verify that the length declared in the packet matches the size of the buffer allocated for it, so a crafted length field leads to heap overflows.

Chaining Primitives for RCE

Exploiting these vulnerabilities requires a precise chain of primitives. The researchers first used an out-of-bounds read to leak memory addresses, effectively bypassing ASLR. By sending a specially crafted RTCP packet, they forced the service to disclose sensitive pointers from the heap. This leak was crucial for locating the CTransportManager object, which contains the function pointers necessary for hijacking the control flow.

Once the memory layout was mapped, the researchers utilized a "memory elevator" technique. By repeatedly triggering the heap overflow, they could move data across the heap, eventually overwriting a function pointer within the CTransportManager object. The target was the CallbackEvent function pointer. By redirecting this pointer to a gadget within the libsec_videoengine.so library, they gained control over the program counter.

The final payload called the system function to execute a command. Because newer models such as the Galaxy S22 and S23 ship with CFI (Control Flow Integrity) enabled, the researchers had to be extremely careful about which targets they redirected to. They bypassed these protections by identifying a three-step jump sequence that redirected execution to their shellcode without triggering a CFI violation.

Real-World Implications for Pentesters

For those performing mobile security assessments, this research serves as a reminder that the most dangerous bugs are often found in the "plumbing" of the OS. When auditing Android devices, focus on system services that handle complex, binary-heavy protocols like RTP, H.264, or SIP. These services are often written in C/C++ and are frequently updated, making them prone to memory management errors.

If you are testing a device, use Wireshark to capture the traffic during a video call and look for anomalies in the RTCP signaling. The researchers used Ghidra for static analysis and GDB for dynamic debugging to identify the exact offsets for their gadgets. A successful exploit on a target device during a pentest would look like a sudden, unexplained crash followed by a reverse shell connection back to your listener.

Defensive Considerations

The primary defense against these types of attacks is rigorous input validation. Developers must ensure that every packet length field is checked against the actual buffer size before any copy operation occurs. Furthermore, the use of memory-safe languages for parsing complex protocols can eliminate entire classes of vulnerabilities.
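The two checks described above (declared length against received bytes, and against the destination buffer) are the difference between the parsing flaw in the "Attack Surface" section and a safe parser. The following is an added example written for this article, not code from the talk or from Samsung's service: a minimal RTCP compound-packet walker that validates the RFC 3550 length field before any copy. The buffer capacity and the sample datagrams are constructed for illustration; the real service's allocation sizes are not on the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capacity of the fixed buffer one RTCP packet is copied into (constructed
 * limit for this example; the real service's allocation sizes are not on the page). */
#define RTCP_PKT_CAP 256

enum rtcp_status {
    RTCP_ERR_TRUNCATED_HDR   = -1, /* fewer than 4 bytes left: no complete header */
    RTCP_ERR_BAD_VERSION     = -2, /* version bits are not 2 */
    RTCP_ERR_LEN_EXCEEDS_BUF = -3, /* declared length runs past the received bytes */
    RTCP_ERR_LEN_EXCEEDS_CAP = -4  /* declared length larger than the destination buffer */
};

/* Validate one RTCP header (RFC 3550, section 6.4.1) and return the packet's
 * declared length in bytes, or a negative rtcp_status. 'avail' is the number
 * of bytes actually received starting at p; 'cap' is the destination size. */
int rtcp_declared_len(const uint8_t *p, size_t avail, size_t cap)
{
    if (avail < 4)
        return RTCP_ERR_TRUNCATED_HDR;
    if ((p[0] >> 6) != 2)
        return RTCP_ERR_BAD_VERSION;

    /* 16-bit length field: number of 32-bit words in the packet, minus one. */
    size_t words = (((size_t)p[2] << 8) | p[3]) + 1;
    size_t len = words * 4;

    /* The two checks the text calls for: the declared length must fit inside
     * what was received AND inside the buffer it will be copied into. Skipping
     * either one is what lets a crafted length field overrun the heap. */
    if (len > avail)
        return RTCP_ERR_LEN_EXCEEDS_BUF;
    if (len > cap)
        return RTCP_ERR_LEN_EXCEEDS_CAP;
    return (int)len;
}

/* Walk a compound RTCP packet, copying each sub-packet into a fixed buffer
 * only after its length has been validated. Returns the number of packets
 * processed, or the first negative rtcp_status encountered. */
int rtcp_walk_compound(const uint8_t *buf, size_t buf_len)
{
    uint8_t pkt[RTCP_PKT_CAP];
    size_t off = 0;
    int count = 0;

    while (off < buf_len) {
        int len = rtcp_declared_len(buf + off, buf_len - off, sizeof pkt);
        if (len < 0)
            return len; /* reject the whole datagram; nothing has been copied */
        memcpy(pkt, buf + off, (size_t)len); /* bounded by both checks above */
        /* A real implementation would now dispatch on pkt[1] (PT: SR=200, RR=201, ...). */
        off += (size_t)len;
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed datagram: an empty RR (PT 201) followed by a BYE (PT 203),
     * each with length field 1 (= 8 bytes). */
    const uint8_t good[] = {0x80, 201, 0x00, 0x01, 0, 0, 0, 1,
                            0x81, 203, 0x00, 0x01, 0, 0, 0, 1};
    /* Same RR header, but the length field claims 256 words (1024 bytes). */
    const uint8_t bad[] = {0x80, 201, 0x00, 0xFF, 0, 0, 0, 1};

    printf("good compound packet -> %d\n", rtcp_walk_compound(good, sizeof good));
    printf("oversized length field -> %d\n", rtcp_walk_compound(bad, sizeof bad));
    return 0;
}
```

The important design point is that the length is checked against both quantities before the copy: a check against the received byte count alone still allows a datagram that is genuinely large to overrun a smaller destination, and a check against the destination alone still allows an over-read past the received bytes (the information-leak side of the chain).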

For blue teams, monitoring for unusual traffic patterns in IMS signaling is essential. While these attacks are difficult to detect at the network level due to encryption, endpoint detection and response (EDR) solutions on mobile devices should be configured to flag unexpected execution of system commands originating from media-processing services.
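As an added illustration of the endpoint rule described above (not tooling from the talk or from any EDR vendor), the following sketches the core of such a detection: flag process-execution events where the parent is a media-processing service and the child is a shell. The event format, the media-service process names and the sample events are constructed for this example; the shell paths are standard Android locations.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Process names treated as media-processing services. These are placeholders
 * for this example, not the real process names on Samsung devices. */
static const char *const MEDIA_SERVICES[] = { "videoengine.service", "ims.media" };

/* Binaries a media service has no business spawning (standard Android paths). */
static const char *const SHELL_BINARIES[] = { "/system/bin/sh", "/system/bin/toybox" };

static int in_list(const char *s, const char *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(s, list[i]) == 0)
            return 1;
    return 0;
}

/* Constructed event format: "<unix_ts> parent=<process> exec=<path>".
 * Returns 1 when a media service executed a shell binary, otherwise 0
 * (including for lines that do not parse). */
int flag_event(const char *line)
{
    char parent[64], path[128];
    if (sscanf(line, "%*s parent=%63s exec=%127s", parent, path) != 2)
        return 0;
    return in_list(parent, MEDIA_SERVICES, ARRAY_LEN(MEDIA_SERVICES)) &&
           in_list(path, SHELL_BINARIES, ARRAY_LEN(SHELL_BINARIES));
}

/* Count flagged events across a batch of lines. */
int count_flagged(const char *const *lines, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += flag_event(lines[i]);
    return hits;
}

/* Constructed sample batch: a benign media-service exec, a shell spawned by a
 * browser (outside this rule's scope), and a shell spawned by the media service. */
const char *const SAMPLE_EVENTS[] = {
    "1700000000 parent=videoengine.service exec=/system/bin/example_codec",
    "1700000001 parent=com.android.chrome exec=/system/bin/sh",
    "1700000002 parent=videoengine.service exec=/system/bin/sh",
};
const size_t SAMPLE_EVENTS_N = ARRAY_LEN(SAMPLE_EVENTS);

int main(void)
{
    for (size_t i = 0; i < SAMPLE_EVENTS_N; i++)
        if (flag_event(SAMPLE_EVENTS[i]))
            printf("ALERT: %s\n", SAMPLE_EVENTS[i]);
    printf("%d of %zu events flagged\n",
           count_flagged(SAMPLE_EVENTS, SAMPLE_EVENTS_N), SAMPLE_EVENTS_N);
    return 0;
}
```

The rule keys on the parent/child relationship rather than on the network traffic, which is the point the paragraph makes: the RTP stream itself is encrypted, but a media-decoding service spawning a shell is observable on the endpoint regardless of how the payload arrived.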

This research is a masterclass in exploit development, demonstrating how a deep understanding of memory layout and protocol internals can turn a seemingly minor validation error into a full system compromise. As we move forward, the focus must remain on hardening these critical, high-privilege services that bridge the gap between external network traffic and internal system execution. Keep an eye on the researchers' Twitter feed for the promised blog post, which will likely contain the full technical breakdown of their exploit chain.

Talk type: exploit demo · Difficulty: expert · Has demo · Has code · Tool released


Black Hat USA 2024