LG MRA58K - 'ASFParser::ParseHeaderExtensionObjects' Missing Bounds-Checking

EDB-ID:

42171

CVE:


EDB Verified:

Author:

Google Security Research

Type:

dos

Exploit:   /  

Platform:

Android

Date:

2017-06-13

Vulnerable App: 
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1222

There is a memcpy in ASFParser::ParseHeaderExtensionObjects which doesn't check
that the size of the copy is smaller than the size of the source buffer, 
resulting in an out-of-bounds heap read.

The vulnerable code appears to be in handling the parsing of an extension object of
type ASF_Metadata_Object with a Description Record with an overly large length.

See attached for a crash poc. This issue probably allows leaking mediaserver 
memory from an app process on the device via the retrieved metadata.

Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
Revision: '11'
ABI: 'arm'
pid: 10423, tid: 10533, name: Binder_2  >>> /system/bin/mediaserver <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xf05c0000
    r0 ef5aff40  r1 f05bfff5  r2 00f5007f  r3 00000000
    r4 f050b280  r5 f0510000  r6 00ffffff  r7 00000000
    r8 000000b5  r9 00000034  sl 00000000  fp f05455a0
    ip f05e2e1c  sp f06f35c8  lr f05d8c9d  pc f71d77b4  cpsr 200b0010

backtrace:
    #00 pc 000177b4  /system/lib/libc.so (__memcpy_base+88)
    #01 pc 00003c99  /system/lib/liblg_parser_asf.so (_ZN9ASFParser27ParseHeaderExtensionObjectsEv+436)
    #02 pc 00006a87  /system/lib/liblg_parser_asf.so (_ZN9ASFParser6OpenExEP11IDataSourcei+50)
    #03 pc 00024a93  /system/lib/libLGParserOSAL.so (_ZN7android12ASFExtractorC1ERKNS_2spINS_10DataSourceEEERKNS1_INS_8AMessageEEE+270)
    #04 pc 00022aa9  /system/lib/libLGParserOSAL.so (_ZN7android15LGExtractorOSAL17CreateLGExtractorERKNS_2spINS_10DataSourceEEEPKcRKNS1_INS_8AMessageEEE+104)
    #05 pc 000c033b  /system/lib/libstagefright.so (_ZN7android14MediaExtractor6CreateERKNS_2spINS_10DataSourceEEEPKc+242)
    #06 pc 000d66db  /system/lib/libstagefright.so (_ZN7android28StagefrightMetadataRetriever13setDataSourceERKNS_2spINS_10DataSourceEEE+34)
    #07 pc 000591e3  /system/lib/libmediaplayerservice.so (_ZN7android23MetadataRetrieverClient13setDataSourceERKNS_2spINS_11IDataSourceEEE+82)
    #08 pc 0008e329  /system/lib/libmedia.so (_ZN7android24BnMediaMetadataRetriever10onTransactEjRKNS_6ParcelEPS1_j+468)
    #09 pc 00019931  /system/lib/libbinder.so (_ZN7android7BBinder8transactEjRKNS_6ParcelEPS1_j+60)
    #10 pc 0001eccb  /system/lib/libbinder.so (_ZN7android14IPCThreadState14executeCommandEi+550)
    #11 pc 0001ee35  /system/lib/libbinder.so (_ZN7android14IPCThreadState20getAndExecuteCommandEv+64)
    #12 pc 0001ee99  /system/lib/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb+48)
    #13 pc 00023909  /system/lib/libbinder.so
    #14 pc 000100d1  /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
    #15 pc 0003f9ab  /system/lib/libc.so (_ZL15__pthread_startPv+30)
    #16 pc 0001a0c5  /system/lib/libc.so (__start_thread+6)


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42171.zip
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services