Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1222

There is a memcpy in ASFParser::ParseHeaderExtensionObjects which doesn't check that the size of the copy is smaller than the size of the source buffer, resulting in an out-of-bounds heap read. The vulnerable code appears to be in handling the parsing of an extension object of type ASF_Metadata_Object with a Description Record with an overly large length. See attached for a crash poc.

This issue probably allows leaking mediaserver memory from an app process on the device via the retrieved metadata.

Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
Revision: '11'
ABI: 'arm'
pid: 10423, tid: 10533, name: Binder_2  >>> /system/bin/mediaserver <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xf05c0000
    r0 ef5aff40  r1 f05bfff5  r2 00f5007f  r3 00000000
    r4 f050b280  r5 f0510000  r6 00ffffff  r7 00000000
    r8 000000b5  r9 00000034  sl 00000000  fp f05455a0
    ip f05e2e1c  sp f06f35c8  lr f05d8c9d  pc f71d77b4  cpsr 200b0010

backtrace:
    #00 pc 000177b4  /system/lib/libc.so (__memcpy_base+88)
    #01 pc 00003c99  /system/lib/liblg_parser_asf.so (_ZN9ASFParser27ParseHeaderExtensionObjectsEv+436)
    #02 pc 00006a87  /system/lib/liblg_parser_asf.so (_ZN9ASFParser6OpenExEP11IDataSourcei+50)
    #03 pc 00024a93  /system/lib/libLGParserOSAL.so (_ZN7android12ASFExtractorC1ERKNS_2spINS_10DataSourceEEERKNS1_INS_8AMessageEEE+270)
    #04 pc 00022aa9  /system/lib/libLGParserOSAL.so (_ZN7android15LGExtractorOSAL17CreateLGExtractorERKNS_2spINS_10DataSourceEEEPKcRKNS1_INS_8AMessageEEE+104)
    #05 pc 000c033b  /system/lib/libstagefright.so (_ZN7android14MediaExtractor6CreateERKNS_2spINS_10DataSourceEEEPKc+242)
    #06 pc 000d66db  /system/lib/libstagefright.so (_ZN7android28StagefrightMetadataRetriever13setDataSourceERKNS_2spINS_10DataSourceEEE+34)
    #07 pc 000591e3  /system/lib/libmediaplayerservice.so (_ZN7android23MetadataRetrieverClient13setDataSourceERKNS_2spINS_11IDataSourceEEE+82)
    #08 pc 0008e329  /system/lib/libmedia.so (_ZN7android24BnMediaMetadataRetriever10onTransactEjRKNS_6ParcelEPS1_j+468)
    #09 pc 00019931  /system/lib/libbinder.so (_ZN7android7BBinder8transactEjRKNS_6ParcelEPS1_j+60)
    #10 pc 0001eccb  /system/lib/libbinder.so (_ZN7android14IPCThreadState14executeCommandEi+550)
    #11 pc 0001ee35  /system/lib/libbinder.so (_ZN7android14IPCThreadState20getAndExecuteCommandEv+64)
    #12 pc 0001ee99  /system/lib/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb+48)
    #13 pc 00023909  /system/lib/libbinder.so
    #14 pc 000100d1  /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
    #15 pc 0003f9ab  /system/lib/libc.so (_ZL15__pthread_startPv+30)
    #16 pc 0001a0c5  /system/lib/libc.so (__start_thread+6)

Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42171.zip
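As an added example (not code from the Project Zero report or from LG's liblg_parser_asf.so), the following C walks the Description Records of an ASF Metadata Object with the length check the report says is missing before the memcpy; the record layout is taken from the ASF specification, and the two sample buffers are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* ASF Metadata Object after its Description Records Count WORD: each record is
 * Reserved(2) StreamNumber(2) NameLength(2) DataType(2) DataLength(4), Name, Data. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Copies each record's Data into out, bounding every file-supplied length by the
 * bytes still present before memcpy. Returns records accepted, or -1 if any record
 * claims more bytes than the object holds (the unchecked case reads past buf). */
int parse_description_records(const uint8_t *buf, size_t len, uint8_t *out, size_t out_cap)
{
    if (len < 2) return -1;
    uint16_t count = rd16(buf);
    size_t pos = 2;                         /* invariant kept below: pos <= len */
    int accepted = 0;
    for (uint16_t i = 0; i < count; i++) {
        if (len - pos < 12) return -1;      /* fixed 12-byte record header */
        uint16_t name_len = rd16(buf + pos + 4);
        uint32_t data_len = rd32(buf + pos + 8);
        pos += 12;
        if (name_len > len - pos) return -1;
        pos += name_len;
        /* The check the report describes as missing: data_len comes from the
         * file and must not exceed the source bytes left (or the sink size). */
        if (data_len > len - pos || data_len > out_cap) return -1;
        memcpy(out, buf + pos, data_len);
        pos += data_len;
        accepted++;
    }
    return accepted;
}

/* Constructed samples: Count=1, Name "a" (UTF-16LE), Data "ok!". The second
 * is identical except its Data Length claims 0x7fffffff bytes. */
static const uint8_t GOOD[] = { 1,0, 0,0, 1,0, 2,0, 0,0, 3,0,0,0, 'a',0, 'o','k','!' };
static const uint8_t OVERSIZED[] = { 1,0, 0,0, 1,0, 2,0, 0,0, 0xff,0xff,0xff,0x7f, 'a',0, 'o','k','!' };
int check_good(void) {          /* 1 when the record is accepted and Data copied intact */
    uint8_t out[8] = {0};
    int n = parse_description_records(GOOD, sizeof GOOD, out, sizeof out);
    return (n == 1 && memcmp(out, "ok!", 3) == 0) ? 1 : 0;
}
int check_oversized(void) {     /* -1: rejected before any memcpy happens */
    uint8_t out[8];
    return parse_description_records(OVERSIZED, sizeof OVERSIZED, out, sizeof out);
}
```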