Title: Vulnerability in Android library while parsing MP3 audio files
Advisory ID: CVE-2015-6604
Advisory URL: http://www.fundacionsadosky.org.ar/publicaciones/#seguridad-en-tic
Date published: 2016-1-22
Date of last update: 2015-12-01
Vendors contacted: Google
Release mode: Coordinated release
Class: Integer Overflow to Buffer Overflow [http://cwe.mitre.org/data/definitions/680.html]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Identifier: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-6604
Stagefright is a media library that runs on Android devices and serves as the backend engine for playing various multimedia formats such as MP3, MKV and MP4.
A vulnerability exists in the library that is triggered when processing a malformed ID3 header in an MP3 audio file. The bug can be used by a potential attacker to perform arbitrary operations on the victim's device.
In order to exploit the problem an attacker would need the victim to open an MP3 audio file that includes a specially crafted ID3 header. This could be done by sending an MMS message to the device, by tricking the user into browsing a site controlled by the attacker, or by sending the file through an app installed on the victim's device such as an instant messaging app.
The problem was rated critical severity by the vendor (Google) and it affects around 93% of Android mobile devices around the world.
- Android Lollipop 5.1.1 without the October security updates.
The vendor fixed the issue in the Android Open Source Project (AOSP) repository in October 2015 and notified its partners on September 10, 2015. The problem was independently found by Ian Beer of Google's Project Zero and Joshua Drake of Zimperium.
This vulnerability was discovered and researched by Joaquín Manuel Rinaudo. The publication of this advisory was coordinated by Programa Seguridad en TIC.
In libstagefright the MP3Extractor parses ID3 metadata using the parseV2 method in http://androidxref.com/5.1.1_r6/xref/frameworks/av/media/libstagefright/id3/ID3.cpp#118. Upon encountering an ID3 header specifying a major version equal to 4, the following code is reached:
195     if (header.version_major == 4) {
196         void *copy = malloc(size);
197         memcpy(copy, mData, size);
198
199         bool success = removeUnsynchronizationV2_4(false /* iTunesHack */);
200         if (!success) {
201             memcpy(mData, copy, size);
202             mSize = size;
203
204             success = removeUnsynchronizationV2_4(true /* iTunesHack */);
205
If the first call to removeUnsynchronizationV2_4 fails, the second call (with iTunesHack == true) uses user-supplied data to determine whether the provided dataSize is within bounds:
326 bool ID3::removeUnsynchronizationV2_4(bool iTunesHack) {
327     size_t oldSize = mSize;
328
329     size_t offset = 0;
330     while (offset + 10 <= mSize) {
331         if (!memcmp(&mData[offset], "\0\0\0\0", 4)) {
332             break;
333         }
334
335         size_t dataSize;
336         if (iTunesHack) {
337             dataSize = U32_AT(&mData[offset + 4]);
338         } else if (!ParseSyncsafeInteger(&mData[offset + 4], &dataSize)) {
339             return false;
340         }
341
342         if (offset + dataSize + 10 > mSize) {
343             return false;
344         }
On the first call iTunesHack is set to false, so the dataSize variable is filled in by calling http://androidxref.com/5.1.1_r6/xref/frameworks/av/media/libstagefright/id3/ID3.cpp#ParseSyncsafeInteger, which fails if the supplied integer has the sign bit set.
However, on the second call (iTunesHack set to true) the dataSize variable is loaded directly from the input buffer. A large enough integer makes the sum in line 342 overflow and thus pass the bounds check.
Later on, the dataSize variable is used in a loop to iterate over the input buffer and copy data past the bounds of the output buffer, as seen below:
365         for (size_t i = 0; i + 1 < dataSize; ++i) {
366             if (mData[readOffset - 1] == 0xff
367                     && mData[readOffset] == 0x00) {
368                 ++readOffset;
369                 --mSize;
370                 --dataSize;
371             }
372             mData[writeOffset++] = mData[readOffset++];
373         }
374         // move the remaining data following this frame
375         memmove(&mData[writeOffset], &mData[readOffset], oldSize - readOffset);
376
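The following C program is an added illustration of the check in line 342 and of why the syncsafe path taken on the first call cannot trigger the overflow. It is example code written for this explanation, not part of the original advisory and not the AOSP ID3.cpp source: u32_at, parse_syncsafe, frame_fits_vulnerable, frame_fits_hardened, check_frame and the two sample buffers are hypothetical names and constructed data. Sizes are modelled as uint32_t so that the 32-bit size_t arithmetic of the affected devices is reproduced on a 64-bit host.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the ID3v2.4 frame-size check; example code only,
   not the library's source. uint32_t stands in for the 32-bit size_t. */

typedef struct {
    uint32_t dataSize;   /* raw big-endian size as the iTunesHack path reads it */
    bool syncsafe_ok;    /* would the syncsafe parser have accepted these bytes? */
    bool vuln_ok;        /* result of the original check: offset + dataSize + 10 > mSize */
    bool hard_ok;        /* result of an overflow-free form of the same check */
} check_result;

/* Big-endian 32-bit read, the equivalent of U32_AT in the library. */
static uint32_t u32_at(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Syncsafe integer: four 7-bit groups. Any byte with bit 7 set is rejected,
   which caps the result at 0x0FFFFFFF, so the non-iTunes path can never make
   the 32-bit sum in the bounds check wrap around. */
static bool parse_syncsafe(const uint8_t *p, uint32_t *out) {
    uint32_t v = 0;
    for (int i = 0; i < 4; ++i) {
        if (p[i] & 0x80) return false;
        v = (v << 7) | p[i];
    }
    *out = v;
    return true;
}

/* The check as written in the vulnerable version: the addition wraps when
   dataSize is close to UINT32_MAX, so a huge frame is accepted as in bounds. */
bool frame_fits_vulnerable(uint32_t offset, uint32_t dataSize, uint32_t mSize) {
    return !(offset + dataSize + 10 > mSize);
}

/* One overflow-free form: compare against the remaining space instead of
   adding attacker-controlled values. The caller's loop already guarantees
   offset + 10 <= mSize; the guard is repeated so the function is safe alone. */
bool frame_fits_hardened(uint32_t offset, uint32_t dataSize, uint32_t mSize) {
    if (offset > mSize || mSize - offset < 10) return false;
    return dataSize <= mSize - offset - 10;
}

/* Evaluate one frame header at `offset` inside a tag body of `mSize` bytes. */
check_result check_frame(const uint8_t *buf, uint32_t mSize, uint32_t offset) {
    check_result r;
    uint32_t unused;
    r.dataSize    = u32_at(buf + offset + 4);
    r.syncsafe_ok = parse_syncsafe(buf + offset + 4, &unused);
    r.vuln_ok     = frame_fits_vulnerable(offset, r.dataSize, mSize);
    r.hard_ok     = frame_fits_hardened(offset, r.dataSize, mSize);
    return r;
}

/* Constructed 64-byte tag bodies: frame id, then size; remaining bytes zero.
   kCrafted carries a raw size of 0xFFFFFFFA: 0 + 0xFFFFFFFA + 10 wraps to 4,
   which is <= 64, so the original check is fooled while the syncsafe parser
   would have rejected the same bytes. */
const uint32_t kBufSize = 64;
const uint8_t kCrafted[64] = { 'T','I','T','2', 0xFF,0xFF,0xFF,0xFA };
const uint8_t kBenign[64]  = { 'T','I','T','2', 0x00,0x00,0x00,0x10 };

int main(void) {
    check_result a = check_frame(kCrafted, kBufSize, 0);
    check_result b = check_frame(kBenign, kBufSize, 0);
    printf("crafted: dataSize=0x%08x syncsafe_ok=%d vuln_ok=%d hard_ok=%d\n",
           a.dataSize, a.syncsafe_ok, a.vuln_ok, a.hard_ok);
    printf("benign:  dataSize=0x%08x syncsafe_ok=%d vuln_ok=%d hard_ok=%d\n",
           b.dataSize, b.syncsafe_ok, b.vuln_ok, b.hard_ok);
    return 0;
}
```

The hardened form shown here is one generic way to write the check without an overflowing addition; it is not a claim about how the vendor's patch was written. The general rule it follows is to subtract known-good quantities from the buffer size and compare the untrusted length against the remainder, rather than adding the untrusted length to anything.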
- 2015-08-18: Technical details of the vulnerabilities sent to the vendor.
- 2015-08-12: The vendor marked the vulnerability as a duplicate of an issue previously reported by Project Zero, which had a 90-day deadline.
- 2015-08-12: The vendor merged issue 182510 into the reported issue.
- 2015-08-12: The vendor notified that a fix for the bug had been merged into the internal branches.
- 2015-10-05: Nexus security bulletin - October 2015 published.
- 2015-10-09: Vendor released a patch in the Android Open Source Project (AOSP) repository.
- 2015-10-09: Programa STIC notified the vendor that the CVE assigned in the Nexus Security Updates Bulletin from October 2015 was incorrect and that the right CVE seemed to be CVE-2015-6604.
- 2016-1-22: Advisory released.
The Dr. Manuel Sadosky Foundation is a mixed (public / private) institution whose goal is to promote stronger and closer interaction between industry and the scientific-technological system in all aspects related to Information and Communications Technology (ICT). The Foundation was formally created by a Presidential Decree in 2009. Its Chairman is the Minister of Science, Technology, and Productive Innovation of Argentina; and the Vice-chairmen are the chairmen of the country’s most important ICT chambers: The Software and Computer Services Chamber (CESSI) and the Argentine Computing and Telecommunications Chamber (CICOMRA). For more information visit: http://www.fundacionsadosky.org.ar
The contents of this advisory are copyright (c) 2014 Fundación Sadosky and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 4.0 License: http://creativecommons.org/licenses/by-nc-sa/4.0/