

About the recently popular Android Stagefright vulnerability

2025-04-06 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/01 Report--


Title: [Discussion] [Share] About the recently popular Android Stagefright vulnerabilities

By: minczsys

Time: 2015-07-29, 12, 14, 41, 42

Link http://bbs.pediy.com/showthread.php?t=202868

It seems newcomers can only post here.

Hoping to be promoted to a regular member.

PoC for the vulnerabilities

Let's discuss the PoC.

I am a rookie; corrections welcome.

This vulnerability is assigned the following CVEs:

CVE-2015-1538

CVE-2015-1539

CVE-2015-3824

CVE-2015-3826

CVE-2015-3827

CVE-2015-3828

CVE-2015-3829

Reference websites:

1. http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/ (blog of the researchers who found this vulnerability; may require a VPN to reach from China)

2. https://threatpost.com/android-stagefright-flaws-put-950-million-devices-at-risk/113960 (a news report)

3. http://www.freebuf.com/news/73411.html (a news report)

4. http://www.freebuf.com/articles/terminal/73517.html (contains a little technical detail)

Vulnerability details:

The problem code is in media/libstagefright/MPEG4Extractor.cpp, media/libstagefright/SampleTable.cpp and media/libstagefright/ESDS.cpp.

Patched sites per file: MPEG4Extractor.cpp was patched the most, at 7 sites; SampleTable.cpp, 4; ESDS.cpp, 3.

The attachment provides these files and their associated header files (before and after the fix); I hope we can work out a way to exploit them as soon as possible, preferably before August. :) One example is given below; for examples other than this one, refer to website 4, or compare the files yourself with a diff tool. Three classes of vulnerability are known this time: out-of-bounds read, integer underflow and integer overflow. A high-risk integer overflow vulnerability was fixed in SampleTable.cpp.

Here is an example of an out-of-bounds read vulnerability in MPEG4Extractor.cpp (excerpt of the fix for this vulnerability; the complete function is not shown):

== before the fix ==

status_t MPEG4Extractor::parse3GPPMetaData(off64_t offset, size_t size, int depth) {
    /* note the size */
    if (size < 4) {
        return ERROR_MALFORMED;
    }
    /* note */
    uint8_t *buffer = new (std::nothrow) uint8_t[size];
    if (buffer == NULL) {
        return ERROR_MALFORMED;
    }
    if (mDataSource->readAt(offset, buffer, size) != (ssize_t)size) {
        delete[] buffer;
        buffer = NULL;
        return ERROR_IO;
    }
    /* remainder of the function not shown in the post */

== after the fix ==

status_t MPEG4Extractor::parse3GPPMetaData(off64_t offset, size_t size, int depth) {
    /* note */
    if (size < 4 || size == SIZE_MAX) {
        return ERROR_MALFORMED;
    }
    /* note */
    uint8_t *buffer = new (std::nothrow) uint8_t[size + 1];
    if (buffer == NULL) {
        return ERROR_MALFORMED;
    }
    if (mDataSource->readAt(offset, buffer, size) != (ssize_t)size) {
        delete[] buffer;
        buffer = NULL;
        return ERROR_IO;
    }
    /* remainder of the function not shown in the post */

== Analysis == (my personal understanding; please do not hesitate to correct me)

In the function parse3GPPMetaData, if the buffer does not end in NUL:

    if (buffer[size - 1] != '\0') {
        char tmp[4];
        sprintf(tmp, "%u", buffer[size - 1]);
        mFileMetaData->setCString(kKeyCDTrackNumber, tmp);
    }

setCString does not know where the string ends, so an out-of-bounds read occurs.


For details, please see the attached description.txt.

Attachment: http://pan.baidu.com/share/link?shar...&uk=1460778035
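The pattern the post's before/after excerpt fixes, as a self-contained added example (not code from the post, from AOSP or from the attachment): a buffer of exactly `size` bytes is filled from the file with no terminator and then handed to a strlen()-style consumer such as setCString(), so the read runs past the allocation into whatever sits next on the heap. The `DataSource` stand-in, the `parseMetaUnfixed`/`parseMetaFixed` names, the status values and the `kSample` bytes are all constructed for this example; libstagefright's real DataSource, box layout and MetaData API are not reproduced. Because actually overrunning the allocation is undefined behaviour, the unfixed variant reports whether strlen() would have overrun instead of doing it, while the fixed variant applies the two changes visible in the excerpt (reject SIZE_MAX so `size + 1` cannot wrap to 0, allocate one extra byte) plus the NUL write that the extra byte exists for.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <new>
#include <string>

// Status codes modelled on the status_t values named in the post (constructed).
enum Status { OK = 0, ERROR_MALFORMED = -1, ERROR_IO = -2 };

// Constructed stand-in for the extractor's DataSource: a byte array with a
// bounds-checked readAt(). Returns bytes copied, or -1 on a short read.
struct DataSource {
    const uint8_t *data;
    size_t len;
    long readAt(uint64_t offset, void *dst, size_t n) const {
        if (offset > len || n > len - offset) return -1;
        memcpy(dst, data + offset, n);
        return (long)n;
    }
};

// Unfixed shape: allocate exactly `size` bytes, fill them from the file, hand
// them to a strlen()-style consumer. strlen() stays in bounds only if a NUL
// exists inside the bytes we own, so that is what we report instead of
// performing the (undefined) overread.
static Status parseMetaUnfixed(const DataSource &src, uint64_t offset, size_t size,
                               bool *wouldOverread) {
    if (size < 4) return ERROR_MALFORMED;
    uint8_t *buffer = new (std::nothrow) uint8_t[size];
    if (buffer == NULL) return ERROR_MALFORMED;
    if (src.readAt(offset, buffer, size) != (long)size) {
        delete[] buffer;
        return ERROR_IO;
    }
    *wouldOverread = (memchr(buffer, '\0', size) == NULL);
    delete[] buffer;
    return OK;
}

// Fixed shape from the post's excerpt: refuse SIZE_MAX so `size + 1` cannot
// wrap to 0, allocate one extra byte, and write the terminator before any
// C-string consumer sees the buffer. `out` is what setCString() would receive.
static Status parseMetaFixed(const DataSource &src, uint64_t offset, size_t size,
                             std::string *out) {
    if (size < 4 || size == SIZE_MAX) return ERROR_MALFORMED;
    uint8_t *buffer = new (std::nothrow) uint8_t[size + 1];
    if (buffer == NULL) return ERROR_MALFORMED;
    if (src.readAt(offset, buffer, size) != (long)size) {
        delete[] buffer;
        return ERROR_IO;
    }
    buffer[size] = '\0';  // the byte the unfixed code never wrote
    *out = std::string(reinterpret_cast<const char *>(buffer));  // strlen() stops at size
    delete[] buffer;
    return OK;
}

// Constructed sample "file": a 6-byte metadata payload with no terminating
// NUL, immediately followed by bytes that belong to the next box (in the real
// extractor these would be neighbouring heap bytes).
static const uint8_t kSample[] = {
    'A', 'l', 'b', 'u', 'm', 'X',
    'n', 'e', 'x', 't', 'b', 'o', 'x', 0x00
};

// Runs both shapes over the constructed payload; true if the unfixed parser
// would have overread and the fixed one returned exactly the 6 payload bytes.
bool demonstrate() {
    DataSource src = { kSample, sizeof(kSample) };
    bool overread = false;
    std::string album;
    if (parseMetaUnfixed(src, 0, 6, &overread) != OK) return false;
    if (parseMetaFixed(src, 0, 6, &album) != OK) return false;
    return overread && album == "AlbumX";
}

// Status the fixed parser returns for (offset, size) against the sample:
// exercises the size < 4, size == SIZE_MAX and short-read paths.
Status fixedStatus(uint64_t offset, size_t size) {
    DataSource src = { kSample, sizeof(kSample) };
    std::string ignored;
    return parseMetaFixed(src, offset, size, &ignored);
}

int main() {
    DataSource src = { kSample, sizeof(kSample) };
    bool overread = false;
    std::string album;
    parseMetaUnfixed(src, 0, 6, &overread);
    parseMetaFixed(src, 0, 6, &album);
    printf("unfixed parser would overread: %s\n", overread ? "yes" : "no");
    printf("fixed parser saw: \"%s\" (%zu bytes)\n", album.c_str(), album.size());
    printf("fixed parser on size == SIZE_MAX: %d\n", (int)fixedStatus(0, SIZE_MAX));
    return demonstrate() ? 0 : 1;
}
```

The SIZE_MAX check matters on its own: without it, `size + 1` wraps to 0, `new uint8_t[0]` succeeds, and the subsequent readAt() or `buffer[size]` write lands outside a zero-length allocation, which is the integer-overflow class the post lists alongside the out-of-bounds read.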
