Shulou(Shulou.com)06/01 Report--

Rotation

Title: [discussion] [share] about the recent popularity of Android stagefright vulnerabilities

By: minczsys

From time to time: 2015-07-29, 12, 14, 41, 42

Link http://bbs.pediy.com/showthread.php?t=202868

It seems that newcomers can only post here.

Seek to become a regular employee

Poc for vulnerabilities

To discuss the poc

I am a rookie, ask for correction

This loophole is attributed to

CVE-2015-1538

CVE-2015-1539

CVE-2015-3824

CVE-2015-3826

CVE-2015-3827

CVE-2015-3828

CVE-2015-3829

Reference website:

1. Http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/ (blog of the author who may need scientific access to the Internet to discover this loophole)

2. Https://threatpost.com/android-stagefright-flaws-put-950-million-devices-at-risk/113960(, this is also a news report)

3. Http://www.freebuf.com/news/73411.html(, this is a news report)

4. Http://www.freebuf.com/articles/terminal/73517.html (there is a little information in this)

False details:

The problem code is in media/libstagefright/MPEG4Extractor.cpp,media/libstagefright/SampleTable.cpp.

Media/libstagefright/ESDS.cpp

Among them, 7 sites of MPEG4Extractor.cpp were repaired the most.

SampleTable.cpp,4

ESDS.cpp,3

Attachments will provide these files and their associated header files (before and after repair), hoping to discuss a way to use them as soon as possible, preferably before August. :) to give one of the examples, refer to website 4 for some examples other than these examples, which can also be compared with the diff tool. There are three types of vulnerabilities known this time, namely, out-of-bounds read vulnerability, integer underflow vulnerability and integer overflow vulnerability. A high-risk integer overflow vulnerability has been fixed in SampleTable.cpp.

Here's an example of an out-of-bounds read vulnerability: MPEG4Extractor.cpp (partial fix of this vulnerability, incomplete)

= = before repair =

Status_t MPEG4Extractor::parse3GPPMetaData (off64_t offset, size_t size, int depth) {

/ * pay attention to size*/

If (size

< 4 ) { return ERROR_MALFORMED; } /*注意*/ uint8_t *buffer = new (std::nothrow) uint8_t[size]; if (buffer == NULL) { return ERROR_MALFORMED; } if (mDataSource->

ReadAt (

Offset, buffer, size)! = (ssize_t) size) {

Delete [] buffer

Buffer = NULL

Return ERROR_IO

}

= after repair =

Status_t MPEG4Extractor::parse3GPPMetaData (off64_t offset, size_t size, int depth) {

/ * Note * /

If (size

< 4 || size == SIZE_MAX) { return ERROR_MALFORMED; } /*注意*/ uint8_t *buffer = new (std::nothrow) uint8_t[size + 1]; if (buffer == NULL) { return ERROR_MALFORMED; } if (mDataSource->

ReadAt (

Offset, buffer, size)! = (ssize_t) size) {

Delete [] buffer

Buffer = NULL

Return ERROR_IO

}

= = Analysis = personal understanding, please do not hesitate to give me your advice

The function parse3GPPMetaData, if it doesn't end in NUL,

If (buffer [size-1]! ='\ 0') {

Char tmp [4]

Sprintf (tmp, "% u", buffer [size-1])

MFileMetaData- > setCString (kKeyCDTrackNumber, tmp)

An out-of-bounds read occurs when the setCString does not know where it ends.

=

For details, please see the attached description .txt.

Attachment: http://pan.baidu.com/share/link?shar...&uk=1460778035

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.