Wednesday, 26. August 2015

Revisiting CVE-2015-3823: Mediaserver Bug Leads To Heap Overflow, Too

Issues surrounding the Android mediaserver component continue. It has been brought to our attention that a vulnerability (CVE-2015-3823) could (theoretically) be used for arbitrary code execution as well. On August 23, Google raised the severity of this vulnerability to “critical”, indicating that code execution was possible. We have previously discussed how this bug in the mediaserver component of Android could lock devices in an endless reboot loop.

To recap, the vulnerability is an integer overflow in parsing .MKV files, which causes the device to fall into an endless loop and heap overflow when reading video frames. Users could encounter a malicious .MKV file via a malicious app or by opening a malicious video file.

We earlier noted how this could be used to, in effect, stop the device from working. If this vulnerability is used to run arbitrary code, then the attacker would be able to run code with the permissions of mediaserver. The code is shown below:

If an attacker exploits this heap overflow successfully, they would be able to run their code with the same permissions that mediaserver already has as part of its normal routines. Since the mediaserver component deals with a lot of media-related tasks including taking pictures, reading MP4 files, and recording videos, the privacy of the victim may be at risk. However, unlike “good” exploits, it is very difficult to control the flow of execution. This makes a practical exploit much more difficult.

End users can block this threat from the onset by downloading Trend Micro Mobile Security (TMMS), which can detect threats like malicious apps that may exploit this vulnerability. We also recommend that device manufacturers regularly patch their devices’ OS to prevent users suffering from attacks such as the ones discussed.