Title: [discussion] [share] about the recent popularity of Android stagefright vulnerabilities
By: minczsys
Time: 2015-07-29, 12, 14, 41, 42
Link http://bbs.pediy.com/showthread.php?t=202868
It seems that newcomers can only post here.
Seeking to become a regular member.
PoC for the vulnerabilities
To discuss the PoC
I am a rookie; corrections are welcome.
These vulnerabilities are attributed to:
CVE-2015-1538
CVE-2015-1539
CVE-2015-3824
CVE-2015-3826
CVE-2015-3827
CVE-2015-3828
CVE-2015-3829
Reference websites:
1. http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/ (blog of the author who discovered this vulnerability; may require a proxy to access)
2. https://threatpost.com/android-stagefright-flaws-put-950-million-devices-at-risk/113960 (this is also a news report)
3. http://www.freebuf.com/news/73411.html (this is a news report)
4. http://www.freebuf.com/articles/terminal/73517.html (there is a little information in this)
Vulnerability details:
The problem code is in media/libstagefright/MPEG4Extractor.cpp, media/libstagefright/SampleTable.cpp and media/libstagefright/ESDS.cpp.
MPEG4Extractor.cpp has the most fixes, with 7 sites; SampleTable.cpp has 4 and ESDS.cpp has 3.
The attachment provides these files and their associated header files (before and after the fix), in the hope of discussing a way to use them as soon as possible, preferably before August. :)
One example is given below. For examples other than this one, refer to website 4, or compare the files with a diff tool. Three types of vulnerability are known this time: out-of-bounds read, integer underflow and integer overflow. A high-risk integer overflow vulnerability has been fixed in SampleTable.cpp.
Here's an example of an out-of-bounds read vulnerability: MPEG4Extractor.cpp (partial fix of this vulnerability, incomplete)
== Before repair ==
status_t MPEG4Extractor::parse3GPPMetaData(off64_t offset, size_t size, int depth) {
    /* note: size */
    if (size < 4) {
        return ERROR_MALFORMED;
    }
    /* note */
    uint8_t *buffer = new (std::nothrow) uint8_t[size];
    if (buffer == NULL) {
        return ERROR_MALFORMED;
    }
    if (mDataSource->readAt(
                offset, buffer, size) != (ssize_t)size) {
        delete[] buffer;
        buffer = NULL;
        return ERROR_IO;
    }
== After repair ==
status_t MPEG4Extractor::parse3GPPMetaData(off64_t offset, size_t size, int depth) {
    /* note */
    if (size < 4 || size == SIZE_MAX) {
        return ERROR_MALFORMED;
    }
    /* note */
    uint8_t *buffer = new (std::nothrow) uint8_t[size + 1];
    if (buffer == NULL) {
        return ERROR_MALFORMED;
    }
    if (mDataSource->readAt(
                offset, buffer, size) != (ssize_t)size) {
        delete[] buffer;
        buffer = NULL;
        return ERROR_IO;
    }
== Analysis == (personal understanding; please do not hesitate to give me your advice)
In the function parse3GPPMetaData, if the buffer doesn't end in NUL:
    if (buffer[size - 1] != '\0') {
        char tmp[4];
        sprintf(tmp, "%u", buffer[size - 1]);
        mFileMetaData->setCString(kKeyCDTrackNumber, tmp);
    }
An out-of-bounds read occurs when setCString does not know where it ends.
=
For details, please see the attached description .txt.
Attachment: http://pan.baidu.com/share/link?shar...&uk=1460778035
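The pattern visible in the "after repair" code, written out as a stand-alone added example (not code from the post or from AOSP): size == SIZE_MAX is rejected so that size + 1 cannot wrap to 0, and one spare byte is allocated. MemSource, loadBox, payloadStrlen and sampleBox are hypothetical names, the input is constructed, and storing a NUL in the spare byte is an assumption about what the extra byte is for.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <memory>
#include <new>
#include <utility>
#include <vector>

enum Status { OK, ERROR_MALFORMED, ERROR_IO };

// Stand-in for mDataSource: a byte vector with a bounds-checked read.
struct MemSource {
    std::vector<uint8_t> bytes;
    long readAt(size_t offset, void *dst, size_t size) const {
        if (offset > bytes.size() || size > bytes.size() - offset) return -1;
        std::memcpy(dst, bytes.data() + offset, size);
        return static_cast<long>(size);
    }
};

// Patched pattern: reject size == SIZE_MAX so size + 1 cannot wrap to 0,
// allocate one spare byte, and use it as a NUL terminator (assumption).
Status loadBox(const MemSource &src, size_t offset, size_t size,
               std::unique_ptr<uint8_t[]> &out) {
    if (size < 4 || size == SIZE_MAX) return ERROR_MALFORMED;
    std::unique_ptr<uint8_t[]> buffer(new (std::nothrow) uint8_t[size + 1]);
    if (!buffer) return ERROR_MALFORMED;
    if (src.readAt(offset, buffer.get(), size) != static_cast<long>(size))
        return ERROR_IO;  // unique_ptr frees the buffer on every error path
    buffer[size] = '\0';  // any C-string read of the payload now stops here
    out = std::move(buffer);
    return OK;
}

// Length that a C-string consumer such as setCString would see.
size_t payloadStrlen(const uint8_t *buffer, size_t skip) {
    return std::strlen(reinterpret_cast<const char *>(buffer) + skip);
}

// Constructed input: 6 header bytes, then "ABCD" with no terminator.
MemSource sampleBox() {
    return MemSource{{0, 0, 0, 0, 0x15, 0xC7, 'A', 'B', 'C', 'D'}};
}
```

With the unpatched allocation of exactly size bytes, the same strlen call on this input would run past the end of the heap buffer.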