CVE-2018-10751 - Integer Overflow or Wraparound vulnerability in Samsung Mobile

CVSS 5.3 - MEDIUM

  • Attack vector: NETWORK
  • Attack complexity: HIGH
  • Privileges required: NONE
  • Confidentiality impact: NONE
  • Integrity impact: NONE
  • Availability impact: HIGH

Tags: network, high complexity, samsung, CWE-190, exploit available

Summary

A malformed OMACP WAP push message can cause memory corruption on a Samsung S7 Edge device when processing the String Extension portion of the WbXml payload. This is due to an integer overflow in memory allocation for this string. The Samsung ID is SVE-2018-11463.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset or as a size, for example the size of a memory allocation. The attacker typically controls the value of the variable and tries to push it out of range. For instance, if the integer in question is incremented past the maximum possible value, it may wrap to become a very small or negative number, yielding a badly incorrect value that can lead to unexpected behavior. At worst, the attacker can execute arbitrary code.

Exploit-Db

  • description: Samsung Galaxy S7 Edge - Overflow in OMACP WbXml String Extension Processing. CVE-2018-10751. DoS exploit for Android platform
  • file: exploits/android/dos/44724.txt
  • id: EDB-ID:44724
  • last seen: 2018-05-24
  • modified: 2018-05-23
  • platform: android
  • port:
  • published: 2018-05-23
  • reporter: Exploit-DB
  • source: https://www.exploit-db.com/download/44724/
  • title: Samsung Galaxy S7 Edge - Overflow in OMACP WbXml String Extension Processing
  • type: dos

Seebug

  • bulletinFamily: exploit
  • id: SSV:97330
  • last seen: 2018-06-10
  • modified: 2018-06-08
  • published: 2018-06-08
  • reporter: Knownsec
  • title: Samsung Galaxy S7 Edge: Overflow in OMACP WbXml String Extension Processing (CVE-2018-10751)
  • description:

OMACP is a protocol supported by many mobile devices which allows them to receive provisioning information over the mobile network. One way to provision a device is via a WAP push SMS message containing provisioning information in WbXML.

A malformed OMACP WAP push message can cause memory corruption on a Samsung S7 Edge device when processing the String Extension portion of the WbXml payload. This is due to an integer overflow in memory allocation for this string.

While OMACP WAP pushes require authentication, the entire WbXml payload of a push is parsed to extract the credentials, so this bug occurs pre-authentication.

To reproduce the issue:

1) install the attached Android application on a different phone than the one being tested for the issue
2) manually give the application SMS permissions in the settings screen
3) start the app and enter the phone number on the target device
4) press the "send wap push" button

The target phone will crash:

    02-20 15:52:56.952 15197 15197 F DEBUG : pid: 15180, tid: 15196, name: IntentService[S >>> com.wsomacp <<<
    02-20 15:52:56.952 15197 15197 F DEBUG : signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x731a800000

The WAP payload causing this problem is: 690b6d0733b401506694f4c6504cf6be7224df6199a9c0ec4b76db1f6e262c457fc0553dbb50863dfce2d5c55077c3ffffffff7f777777770A0604B6B6B6B6.

Code for the test app is also attached.

[app-release.apk](https://bugs.chromium.org/p/project-zero/issues/attachment?aid=325688&signed_aid=gFCPb0XCWZGquhODFARZTA==)
[ContentOverflow.zip](https://bugs.chromium.org/p/project-zero/issues/attachment?aid=325689&signed_aid=yOVoAQpRvNW3TnxMwe8mdA==)