Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1222
There is a memcpy in ASFParser::ParseHeaderExtensionObjects that does not check
that the copy length fits within the source buffer it is copying from,
resulting in an out-of-bounds heap read. The register state in the crash below
is consistent with this: r2, memcpy's length argument under the ARM EABI, holds
0x00f5007f (roughly 16 MB) at the fault, and the fault address 0xf05c0000 lies
a few bytes past the pointer in r1, so the read ran off the end of the mapping
that holds the source.
The vulnerable code appears to be in the handling of a Header Extension child
object of type ASF_Metadata_Object whose Description Record declares an overly
large length.
See the attached file for a crash proof of concept. This issue probably allows
leaking mediaserver memory to an app process on the device via the retrieved
metadata.
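The unchecked copy described above, as an added C illustration. This is not LG's code: liblg_parser_asf.so is not open source, so the parser here is a hypothetical one that follows the Description Record layout from the ASF specification, the function names are made up for this example, the two sample records are constructed, and the r2 value from the crash is reused only as the oversized Data Length.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ASF stores integers little-endian; read them without alignment assumptions. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/*
 * Description Record of an ASF Metadata Object (layout per the ASF spec):
 *   Language List Index (2) | Stream Number (2) | Name Length (2) |
 *   Data Type (2) | Data Length (4) | Name (Name Length) | Data (Data Length)
 * Name Length and Data Length come straight from the file, so they are attacker-controlled.
 */
#define REC_HDR_LEN 12

/*
 * Bug pattern: the declared Data Length is trusted and handed to memcpy.
 * Nothing relates it to how many bytes of `rec` actually exist, so a large
 * Data Length makes memcpy read far past the end of the source buffer.
 * Only called on the well-formed record below; it is here to show the shape.
 */
size_t copy_record_data_unchecked(const uint8_t *rec, uint8_t *out)
{
    uint16_t name_len = rd16(rec + 4);
    uint32_t data_len = rd32(rec + 8);
    memcpy(out, rec + REC_HDR_LEN + name_len, data_len);   /* unbounded source read */
    return data_len;
}

/*
 * Hardened form: every file-derived length is checked against the bytes that
 * remain in the source (rec_avail) and against the destination capacity
 * before memcpy runs. Returns bytes copied, or -1 for a truncated/oversized record.
 */
long copy_record_data_checked(const uint8_t *rec, size_t rec_avail,
                              uint8_t *out, size_t out_cap)
{
    if (rec_avail < REC_HDR_LEN) return -1;               /* header itself is truncated */
    uint16_t name_len = rd16(rec + 4);
    uint32_t data_len = rd32(rec + 8);
    size_t after_hdr = rec_avail - REC_HDR_LEN;
    if (name_len > after_hdr) return -1;                  /* name runs past the source */
    if (data_len > after_hdr - name_len) return -1;       /* data runs past the source */
    if (data_len > out_cap) return -1;                    /* data would overflow the destination */
    memcpy(out, rec + REC_HDR_LEN + name_len, data_len);
    return (long)data_len;
}

/*
 * Triage helper: how many bytes past the end of the source the unchecked
 * copy would read. 0 means the record fits. Uses only the header fields,
 * so it is safe to run on hostile input.
 */
uint64_t declared_overrun(const uint8_t *rec, size_t rec_avail)
{
    if (rec_avail < REC_HDR_LEN) return REC_HDR_LEN - rec_avail;
    uint64_t need = (uint64_t)REC_HDR_LEN + rd16(rec + 4) + rd32(rec + 8);
    return need > rec_avail ? need - rec_avail : 0;
}

/* Convenience wrapper: parse into a fixed local buffer and report the result. */
long try_record(const uint8_t *rec, size_t rec_avail)
{
    uint8_t out[64];
    return copy_record_data_checked(rec, rec_avail, out, sizeof out);
}

/* Constructed sample records (not taken from the PoC). Name "a" in UTF-16LE, data "hi". */
const uint8_t good_record[] = {
    0x00,0x00, 0x00,0x00, 0x02,0x00, 0x00,0x00, 0x02,0x00,0x00,0x00,
    'a',0x00, 'h','i' };
/* Same record, but Data Length set to 0x00f5007f, the value in r2 at the crash. */
const uint8_t bad_record[] = {
    0x00,0x00, 0x00,0x00, 0x02,0x00, 0x00,0x00, 0x7f,0x00,0xf5,0x00,
    'a',0x00, 'h','i' };

int main(void)
{
    uint8_t out[64];
    printf("good (unchecked): %zu bytes\n", copy_record_data_unchecked(good_record, out));
    printf("good (checked):   %ld bytes\n",
           copy_record_data_checked(good_record, sizeof good_record, out, sizeof out));
    printf("bad  (checked):   %ld\n", try_record(bad_record, sizeof bad_record));
    printf("bad would over-read %llu bytes past the source\n",
           (unsigned long long)declared_overrun(bad_record, sizeof bad_record));
    return 0;
}
```

Compile with any C99 compiler and run. The hardened parser rejects the oversized record before memcpy executes, and declared_overrun reports how far past the source the unchecked copy would have read. When triaging this class of crash, comparing the fault address with the source pointer in r1 and the count in r2 is the quick way to confirm a source over-read rather than a destination overflow.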
Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
Revision: '11'
ABI: 'arm'
pid: 10423, tid: 10533, name: Binder_2  >>> /system/bin/mediaserver <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xf05c0000
r0 ef5aff40  r1 f05bfff5  r2 00f5007f  r3 00000000
r4 f050b280  r5 f0510000  r6 00ffffff  r7 00000000
r8 000000b5  r9 00000034  sl 00000000  fp f05455a0
ip f05e2e1c  sp f06f35c8  lr f05d8c9d  pc f71d77b4  cpsr 200b0010
backtrace:
#00 pc 000177b4  /system/lib/libc.so (__memcpy_base+88)
#01 pc 00003c99  /system/lib/liblg_parser_asf.so (_ZN9ASFParser27ParseHeaderExtensionObjectsEv+436)
#02 pc 00006a87  /system/lib/liblg_parser_asf.so (_ZN9ASFParser6OpenExEP11IDataSourcei+50)
#03 pc 00024a93  /system/lib/libLGParserOSAL.so (_ZN7android12ASFExtractorC1ERKNS_2spINS_10DataSourceEEERKNS1_INS_8AMessageEEE+270)
#04 pc 00022aa9  /system/lib/libLGParserOSAL.so (_ZN7android15LGExtractorOSAL17CreateLGExtractorERKNS_2spINS_10DataSourceEEEPKcRKNS1_INS_8AMessageEEE+104)
#05 pc 000c033b  /system/lib/libstagefright.so (_ZN7android14MediaExtractor6CreateERKNS_2spINS_10DataSourceEEEPKc+242)
#06 pc 000d66db  /system/lib/libstagefright.so (_ZN7android28StagefrightMetadataRetriever13setDataSourceERKNS_2spINS_10DataSourceEEE+34)
#07 pc 000591e3  /system/lib/libmediaplayerservice.so (_ZN7android23MetadataRetrieverClient13setDataSourceERKNS_2spINS_11IDataSourceEEE+82)
#08 pc 0008e329  /system/lib/libmedia.so (_ZN7android24BnMediaMetadataRetriever10onTransactEjRKNS_6ParcelEPS1_j+468)
#09 pc 00019931  /system/lib/libbinder.so (_ZN7android7BBinder8transactEjRKNS_6ParcelEPS1_j+60)
#10 pc 0001eccb  /system/lib/libbinder.so (_ZN7android14IPCThreadState14executeCommandEi+550)
#11 pc 0001ee35  /system/lib/libbinder.so (_ZN7android14IPCThreadState20getAndExecuteCommandEv+64)
#12 pc 0001ee99  /system/lib/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb+48)
#13 pc 00023909  /system/lib/libbinder.so
#14 pc 000100d1  /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
#15 pc 0003f9ab  /system/lib/libc.so (_ZL15__pthread_startPv+30)
#16 pc 0001a0c5  /system/lib/libc.so (__start_thread+6)
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42171.zip