Vulnerabilities > CVE-2015-3864 - Numeric Errors vulnerability in Google Android

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
google
CWE-189
exploit available
metasploit

Summary

Integer underflow in the MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp in libstagefright in mediaserver in Android before 5.1.1 LMY48M allows remote attackers to execute arbitrary code via crafted MPEG-4 data, aka internal bug 23034759. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3824.

Common Weakness Enumeration (CWE)

Exploit-Db

  • descriptionAndroid libstagefright - Integer Overflow Remote Code Execution. CVE-2015-3864. Remote exploit for android platform
    fileexploits/android/remote/38226.py
    idEDB-ID:38226
    last seen2016-02-04
    modified2015-09-17
    platformandroid
    port
    published2015-09-17
    reporterGoogle Security Research
    sourcehttps://www.exploit-db.com/download/38226/
    titleAndroid libstagefright - Integer Overflow Remote Code Execution
    typeremote
  • descriptionMetaphor - Stagefright Exploit with ASLR Bypass. CVE-2015-3864. Remote exploit for android platform
    fileexploits/android/remote/39640.txt
    idEDB-ID:39640
    last seen2016-03-30
    modified2016-03-30
    platformandroid
    port
    published2016-03-30
    reporterNorthBit
    sourcehttps://www.exploit-db.com/download/39640/
    titleMetaphor - Stagefright Exploit with ASLR Bypass
    typeremote
  • descriptionAndroid 5.0 <= 5.1.1 - Stagefright .MP4 tx3g Integer Overflow (Metasploit). CVE-2015-3864. Remote exploit for Android platform. Tags:
    fileexploits/android/remote/40436.rb
    idEDB-ID:40436
    last seen2016-09-28
    modified2016-09-27
    platformandroid
    port
    published2016-09-27
    reporterMetasploit
    sourcehttps://www.exploit-db.com/download/40436/
    titleAndroid 5.0 <= 5.1.1 - Stagefright .MP4 tx3g Integer Overflow (Metasploit)
    typeremote

Metasploit

descriptionThis module exploits an integer overflow vulnerability in the Stagefright Library (libstagefright.so). The vulnerability occurs when parsing specially crafted MP4 files. While a wide variety of remote attack vectors exist, this particular exploit is designed to work within an HTML5 compliant browser. Exploitation is done by supplying a specially crafted MP4 file with two tx3g atoms that, when their sizes are summed, cause an integer overflow when processing the second atom. As a result, a temporary buffer is allocated with insufficient size and a memcpy call leads to a heap overflow. This version of the exploit uses a two-stage information leak based on corrupting the MetaData that the browser reads from mediaserver. This method is based on a technique published in NorthBit's Metaphor paper. First, we use a variant of their technique to read the address of a heap buffer located adjacent to a SampleIterator object as the video HTML element's videoHeight. Next, we read the vtable pointer from an empty Vector within the SampleIterator object using the video element's duration. This gives us a code address that we can use to determine the base address of libstagefright and construct a ROP chain dynamically. NOTE: the mediaserver process on many Android devices (Nexus, for example) is constrained by SELinux and thus cannot use the execve system call. To avoid this problem, the original exploit uses a kernel exploit payload that disables SELinux and spawns a shell as root. Work is underway to make the framework more amenable to these types of situations. Until that work is complete, this exploit will only yield a shell on devices without SELinux or with SELinux in permissive mode.
idMSF:EXPLOIT/ANDROID/BROWSER/STAGEFRIGHT_MP4_TX3G_64BIT
last seen2020-06-02
modified2018-08-27
published2016-09-23
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/android/browser/stagefright_mp4_tx3g_64bit.rb
titleAndroid Stagefright MP4 tx3g Integer Overflow

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/138853/stagefright_mp4_tx3g_64bit.rb.txt
idPACKETSTORM:138853
last seen2016-12-05
published2016-09-27
reporterjduck
sourcehttps://packetstormsecurity.com/files/138853/Android-Stagefright-MP4-tx3g-Integer-Overflow.html
titleAndroid Stagefright MP4 tx3g Integer Overflow

The Hacker News