-
-
[讨论][分享]关于最近很火的安卓stagefright漏洞
-
发表于: 2015-7-29 12:41
-
新人貌似只能在这里发帖,
求转正
求漏洞的poc
求讨论出poc
本人菜鸟,求指正
这个漏洞被归属于
CVE-2015-1538
CVE-2015-1539
CVE-2015-3824
CVE-2015-3826
CVE-2015-3827
CVE-2015-3828
CVE-2015-3829
参考网站:
1.87fK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3u0D9L8$3N6Q4x3X3g2*7K9h3#2H3k6i4u0A6N6h3#2Q4x3X3g2U0L8$3#2Q4x3V1k6W2P5s2m8W2M7Y4c8K6i4K6u0V1k6X3!0#2L8X3c8Q4x3X3c8S2i4K6u0V1N6h3&6A6j5$3!0J5L8W2)9J5k6r3W2F1i4K6u0V1N6r3S2W2i4K6u0V1K9r3g2S2M7Y4c8Q4x3X3c8G2k6W2)9J5k6r3q4F1k6s2u0G2K9h3c8Q4x3V1k6Q4c8f1k6Q4b7V1y4Q4z5o6S2Q4c8e0g2Q4z5p5k6Q4b7f1k6Q4c8e0S2Q4z5o6y4Q4b7V1c8Q4c8e0W2Q4z5f1y4Q4z5o6m8Q4c8e0S2Q4b7e0k6Q4z5o6q4Q4c8e0N6Q4b7e0N6Q4z5e0q4Q4c8e0g2Q4b7f1c8Q4b7e0k6Q4c8e0c8Q4b7U0S2Q4z5p5q4Q4c8e0N6Q4b7V1c8Q4z5e0q4Q4c8f1k6Q4b7V1y4Q4z5p5y4Q4c8e0g2Q4z5p5k6Q4z5e0q4Q4c8e0N6Q4z5p5g2Q4b7U0m8Q4c8e0S2Q4b7V1k6Q4z5e0W2Q4c8e0c8Q4b7U0S2Q4b7f1q4Q4c8e0k6Q4b7V1y4Q4z5p5k6Q4c8e0k6Q4b7U0c8Q4z5f1g2Q4c8e0N6Q4z5f1q4Q4z5o6c8Q4c8e0c8Q4b7V1c8Q4z5f1y4Q4c8e0S2Q4z5o6m8Q4z5o6g2Q4c8e0N6Q4z5f1q4Q4z5o6c8T1L8r3!0Y4i4@1g2r3i4@1u0o6i4K6R3&6
2.f89K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6@1K9s2u0W2j5i4c8H3L8%4y4@1i4K6u0W2j5$3!0E0i4K6u0r3j5h3&6V1M7X3!0A6k6q4)9J5k6s2y4@1j5h3N6W2k6Y4u0A6k6$3S2@1i4K6u0V1k6X3I4S2N6%4y4Q4x3X3c8H3N6i4c8Q4x3X3b7&6y4e0m8Q4x3X3c8E0K9h3I4D9K9h3!0F1i4K6u0V1k6r3g2$3K9h3y4W2M7#2)9J5k6r3q4@1i4K6u0V1M7X3W2K6K9#2)9J5c8U0p5I4x3K6V1$3x3q4)9J5z5q4!0q4z5q4!0n7c8W2)9&6z5g2!0q4y4q4!0n7z5q4!0m8b7g2!0q4y4q4!0n7z5g2)9&6c8W2!0q4y4W2)9&6z5q4!0m8c8W2!0q4y4W2)9&6y4W2!0n7x3q4!0q4z5g2)9&6y4#2!0n7b7W2!0q4y4W2)9^5b7g2!0m8y4g2!0q4z5g2)9^5x3g2)9&6x3#2)9J5z5b7`.`.
3.e3bK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3k6J5k6h3g2T1N6h3k6Q4x3X3g2U0L8$3#2Q4x3V1k6F1k6i4N6K6i4K6u0r3y4K6x3@1x3e0q4Q4x3X3g2Z5N6r3#2D9i4K6t1^5i4@1f1^5i4@1u0r3i4K6V1&6i4@1f1@1i4@1t1^5i4@1q4m8i4@1f1$3i4K6V1^5i4@1q4r3i4@1f1$3i4K6V1$3i4@1t1H3i4@1f1&6i4K6V1%4i4@1u0n7i4@1f1$3i4K6S2m8i4@1p5#2i4@1f1&6i4K6R3I4i4K6V1K6i4K6t1&6
4.3b6K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3k6J5k6h3g2T1N6h3k6Q4x3X3g2U0L8$3#2Q4x3V1k6S2M7Y4c8A6j5$3I4W2M7#2)9J5c8Y4c8W2M7X3#2A6L8X3q4D9i4K6u0r3y4K6x3#2x3e0N6Q4x3X3g2Z5N6r3#2D9i4K6t1$3L8X3u0K6M7q4)9K6b7W2!0q4c8W2!0n7b7#2)9^5z5q4!0q4z5q4!0n7c8W2)9&6z5g2!0q4y4q4!0n7z5q4!0m8b7g2!0q4z5g2)9^5y4#2)9^5b7#2!0q4z5g2)9&6c8q4!0m8x3W2!0q4y4W2)9&6b7#2)9^5z5g2!0q4y4q4!0n7z5q4)9^5x3q4!0q4y4#2)9^5x3W2!0n7z5g2!0q4y4q4!0n7c8W2!0m8x3g2!0q4y4W2)9^5x3g2!0m8c8W2!0q4c8W2!0n7b7#2)9^5z5b7`.`.
伪详情:
出问题代码在media/libstagefright/MPEG4Extractor.cpp,media/libstagefright/SampleTable.cpp,
media/libstagefright/ESDS.cpp
其中修复最多的为MPEG4Extractor.cpp 共7处
SampleTable.cpp,4处
ESDS.cpp,3处
附件会提供这些文件及其相关的头文件(修复前和修复后),希望尽可能快的讨论出来一个利用方法,最好是在8月份之前。:)举其中一个例子,参考网站4里面有一些这些例子之外的其他例子,也可以使用diff工具进行对比。这次已知的漏洞一共三种类型,越界读取漏洞,整数下溢漏洞,整数溢出漏洞。其中SampleTable.cpp中修复了一个高危级别的整数溢出漏洞。
下面举一个,越界读取漏洞:MPEG4Extractor.cpp(这个漏洞的部分修复,不完全)
====我割====修复前====
status_t MPEG4Extractor::parse3GPPMetaData(off64_t offset, size_t size, int depth) {
/*注意考虑size*/
if (size < 4 ) {
return ERROR_MALFORMED;
}
/*注意*/
uint8_t *buffer = new (std::nothrow) uint8_t[size];
if (buffer == NULL) {
return ERROR_MALFORMED;
}
if (mDataSource->readAt(
offset, buffer, size) != (ssize_t)size) {
delete[] buffer;
buffer = NULL;
return ERROR_IO;
}
====再割====修复后====
status_t MPEG4Extractor::parse3GPPMetaData(off64_t offset, size_t size, int depth) {
/*注意*/
if (size < 4 || size == SIZE_MAX) {
return ERROR_MALFORMED;
}
/*注意*/
uint8_t *buffer = new (std::nothrow) uint8_t[size + 1];
if (buffer == NULL) {
return ERROR_MALFORMED;
}
if (mDataSource->readAt(
offset, buffer, size) != (ssize_t)size) {
delete[] buffer;
buffer = NULL;
return ERROR_IO;
}
====分析====个人理解,望不吝指教====
parse3GPPMetaData这个函数如果不是以NUL结尾的话,
if (buffer[size - 1] != '\0') {
char tmp[4];
sprintf(tmp, "%u", buffer[size - 1]);
mFileMetaData->setCString(kKeyCDTrackNumber, tmp);
setCString不知道哪里结束,就会发生越界读取。
========
详情见附件 说明.txt
附件:dc9K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4m8S2L8W2)9J5k6h3u0S2K9h3c8#2i4K6u0W2j5$3!0E0i4K6u0r3M7$3S2S2M7X3g2Q4x3V1k6D9K9h3&6C8i4K6y4r3M7$3S2S2M7X3g2A6k6q4)9K6c8o6p5%4x3U0t1H3z5e0x3J5y4o6y4Q4x3U0k6#2K9#2)9K6c8o6p5@1y4U0l9%4y4K6R3H3x3K6f1`.
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
