Vulnerabilities > CVE-2015-3864 - Numeric Errors vulnerability in Google Android
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Integer underflow in the MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp in libstagefright in mediaserver in Android before 5.1.1 LMY48M allows remote attackers to execute arbitrary code via crafted MPEG-4 data, aka internal bug 23034759. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3824.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Exploit-Db
description Android libstagefright - Integer Overflow Remote Code Execution. CVE-2015-3864. Remote exploit for android platform file exploits/android/remote/38226.py id EDB-ID:38226 last seen 2016-02-04 modified 2015-09-17 platform android port published 2015-09-17 reporter Google Security Research source https://www.exploit-db.com/download/38226/ title Android libstagefright - Integer Overflow Remote Code Execution type remote description Metaphor - Stagefright Exploit with ASLR Bypass. CVE-2015-3864. Remote exploit for android platform file exploits/android/remote/39640.txt id EDB-ID:39640 last seen 2016-03-30 modified 2016-03-30 platform android port published 2016-03-30 reporter NorthBit source https://www.exploit-db.com/download/39640/ title Metaphor - Stagefright Exploit with ASLR Bypass type remote description Android 5.0 <= 5.1.1 - Stagefright .MP4 tx3g Integer Overflow (Metasploit). CVE-2015-3864. Remote exploit for Android platform. Tags: file exploits/android/remote/40436.rb id EDB-ID:40436 last seen 2016-09-28 modified 2016-09-27 platform android port published 2016-09-27 reporter Metasploit source https://www.exploit-db.com/download/40436/ title Android 5.0 <= 5.1.1 - Stagefright .MP4 tx3g Integer Overflow (Metasploit) type remote
Metasploit
| description | This module exploits an integer overflow vulnerability in the Stagefright Library (libstagefright.so). The vulnerability occurs when parsing specially crafted MP4 files. While a wide variety of remote attack vectors exist, this particular exploit is designed to work within an HTML5 compliant browser. Exploitation is done by supplying a specially crafted MP4 file with two tx3g atoms that, when their sizes are summed, cause an integer overflow when processing the second atom. As a result, a temporary buffer is allocated with insufficient size and a memcpy call leads to a heap overflow. This version of the exploit uses a two-stage information leak based on corrupting the MetaData that the browser reads from mediaserver. This method is based on a technique published in NorthBit's Metaphor paper. First, we use a variant of their technique to read the address of a heap buffer located adjacent to a SampleIterator object as the video HTML element's videoHeight. Next, we read the vtable pointer from an empty Vector within the SampleIterator object using the video element's duration. This gives us a code address that we can use to determine the base address of libstagefright and construct a ROP chain dynamically. NOTE: the mediaserver process on many Android devices (Nexus, for example) is constrained by SELinux and thus cannot use the execve system call. To avoid this problem, the original exploit uses a kernel exploit payload that disables SELinux and spawns a shell as root. Work is underway to make the framework more amenable to these types of situations. Until that work is complete, this exploit will only yield a shell on devices without SELinux or with SELinux in permissive mode. |
| id | MSF:EXPLOIT/ANDROID/BROWSER/STAGEFRIGHT_MP4_TX3G_64BIT |
| last seen | 2020-06-02 |
| modified | 2018-08-27 |
| published | 2016-09-23 |
| references |
|
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/android/browser/stagefright_mp4_tx3g_64bit.rb |
| title | Android Stagefright MP4 tx3g Integer Overflow |
Packetstorm
| data source | https://packetstormsecurity.com/files/download/138853/stagefright_mp4_tx3g_64bit.rb.txt |
| id | PACKETSTORM:138853 |
| last seen | 2016-12-05 |
| published | 2016-09-27 |
| reporter | jduck |
| source | https://packetstormsecurity.com/files/138853/Android-Stagefright-MP4-tx3g-Integer-Overflow.html |
| title | Android Stagefright MP4 tx3g Integer Overflow |
The Hacker News
id THN:CBE57F4D74CF2C6ECA4F05A9FCAB4E12 last seen 2018-01-27 modified 2015-08-14 published 2015-08-14 reporter Swati Khandelwal source https://thehackernews.com/2015/08/hack-android-phone.html title Incomplete 'Stagefright' Security Patch Leaves Android Vulnerable to Text Hack id THN:C8A9DC5FD1C8C72B23F12256EF68B0D8 last seen 2018-01-27 modified 2016-03-17 published 2016-03-16 reporter Swati Khandelwal source https://thehackernews.com/2016/03/exploit-to-hack-android.html title New Exploit to 'Hack Android Phones Remotely' threatens Millions of Devices
References
- http://www.securityfocus.com/bid/76682
- https://android.googlesource.com/platform/frameworks/av/+/6fe85f7e15203e48df2cc3e8e1c4bc6ad49dc968
- https://blog.zimperium.com/cve-2015-3864-metasploit-module-now-available-for-testing/
- https://blog.zimperium.com/reflecting-on-stagefright-patches/
- https://groups.google.com/forum/message/raw?msg=android-security-updates/1M7qbSvACjo/Y7jewiW1AwAJ
- https://www.exploit-db.com/exploits/38226/
- https://www.exploit-db.com/exploits/39640/
- https://www.exploit-db.com/exploits/40436/