ID CVE-2015-3864
Summary Integer underflow in the MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp in libstagefright in mediaserver in Android before 5.1.1 LMY48M allows remote attackers to execute arbitrary code via crafted MPEG-4 data, aka internal bug 23034759. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3824.
References
Vulnerable Configurations
  • Google Android 5.1
    cpe:2.3:o:google:android:5.1
CVSS
Base: 10.0 (as of 03-10-2016 - 16:04)
CWE CWE-189
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: COMPLETE
  Integrity: COMPLETE
  Availability: COMPLETE
exploit-db via4
  • description Android libstagefright - Integer Overflow Remote Code Execution. CVE-2015-3864. Remote exploit for android platform
    file exploits/android/remote/38226.py
    id EDB-ID:38226
    last seen 2016-02-04
    modified 2015-09-17
    platform android
    published 2015-09-17
    reporter Google Security Research
    source https://www.exploit-db.com/download/38226/
    title Android libstagefright - Integer Overflow Remote Code Execution
    type remote
  • description Metaphor - Stagefright Exploit with ASLR Bypass. CVE-2015-3864. Remote exploit for android platform
    file exploits/android/remote/39640.txt
    id EDB-ID:39640
    last seen 2016-03-30
    modified 2016-03-30
    platform android
    published 2016-03-30
    reporter NorthBit
    source https://www.exploit-db.com/download/39640/
    title Metaphor - Stagefright Exploit with ASLR Bypass
    type remote
  • description Android 5.0 <= 5.1.1 - Stagefright .MP4 tx3g Integer Overflow (Metasploit). CVE-2015-3864. Remote exploit for Android platform.
    file exploits/android/remote/40436.rb
    id EDB-ID:40436
    last seen 2016-09-28
    modified 2016-09-27
    platform android
    published 2016-09-27
    reporter Metasploit
    source https://www.exploit-db.com/download/40436/
    title Android 5.0 <= 5.1.1 - Stagefright .MP4 tx3g Integer Overflow (Metasploit)
    type remote
metasploit via4
description This module exploits an integer overflow vulnerability in the Stagefright Library (libstagefright.so). The vulnerability occurs when parsing specially crafted MP4 files. While a wide variety of remote attack vectors exist, this particular exploit is designed to work within an HTML5 compliant browser. Exploitation is done by supplying a specially crafted MP4 file with two tx3g atoms that, when their sizes are summed, cause an integer overflow when processing the second atom. As a result, a temporary buffer is allocated with insufficient size and a memcpy call leads to a heap overflow. This version of the exploit uses a two-stage information leak based on corrupting the MetaData that the browser reads from mediaserver. This method is based on a technique published in NorthBit's Metaphor paper. First, we use a variant of their technique to read the address of a heap buffer located adjacent to a SampleIterator object as the video HTML element's videoHeight. Next, we read the vtable pointer from an empty Vector within the SampleIterator object using the video element's duration. This gives us a code address that we can use to determine the base address of libstagefright and construct a ROP chain dynamically. NOTE: the mediaserver process on many Android devices (Nexus, for example) is constrained by SELinux and thus cannot use the execve system call. To avoid this problem, the original exploit uses a kernel exploit payload that disables SELinux and spawns a shell as root. Work is underway to make the framework more amenable to these types of situations. Until that work is complete, this exploit will only yield a shell on devices without SELinux or with SELinux in permissive mode.
id MSF:EXPLOIT/ANDROID/BROWSER/STAGEFRIGHT_MP4_TX3G_64BIT
last seen 2019-03-30
modified 2018-08-27
published 2016-09-23
reliability Normal
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/android/browser/stagefright_mp4_tx3g_64bit.rb
title Android Stagefright MP4 tx3g Integer Overflow
packetstorm via4
data source https://packetstormsecurity.com/files/download/138853/stagefright_mp4_tx3g_64bit.rb.txt
id PACKETSTORM:138853
last seen 2016-12-05
published 2016-09-27
reporter jduck
source https://packetstormsecurity.com/files/138853/Android-Stagefright-MP4-tx3g-Integer-Overflow.html
title Android Stagefright MP4 tx3g Integer Overflow
refmap via4
bid 76682
confirm https://android.googlesource.com/platform/frameworks/av/+/6fe85f7e15203e48df2cc3e8e1c4bc6ad49dc968
exploit-db
  • 38226
  • 39640
  • 40436
mlist [android-security-updates] 20150909 Nexus Security Bulletin (September 2015)
Last major update 02-01-2017 - 22:00
Published 30-09-2015 - 20:59
Last modified 15-09-2017 - 21:29