0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
LG MRA58K - ASFParser::ParseHeaderExtensionObjects Missing Bounds-Checking Exploit
[Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1222
There is a memcpy in ASFParser::ParseHeaderExtensionObjects which doesn't check
that the size of the copy is smaller than the size of the source buffer,
resulting in an out-of-bounds heap read.
The vulnerable code appears to be in handling the parsing of an extension object of
type ASF_Metadata_Object with a Description Record with an overly large length.
See attached for a crash poc. This issue probably allows leaking mediaserver
memory from an app process on the device via the retrieved metadata.
Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
Revision: '11'
ABI: 'arm'
pid: 10423, tid: 10533, name: Binder_2 >>> /system/bin/mediaserver <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xf05c0000
r0 ef5aff40 r1 f05bfff5 r2 00f5007f r3 00000000
r4 f050b280 r5 f0510000 r6 00ffffff r7 00000000
r8 000000b5 r9 00000034 sl 00000000 fp f05455a0
ip f05e2e1c sp f06f35c8 lr f05d8c9d pc f71d77b4 cpsr 200b0010
backtrace:
#00 pc 000177b4 /system/lib/libc.so (__memcpy_base+88)
#01 pc 00003c99 /system/lib/liblg_parser_asf.so (_ZN9ASFParser27ParseHeaderExtensionObjectsEv+436)
#02 pc 00006a87 /system/lib/liblg_parser_asf.so (_ZN9ASFParser6OpenExEP11IDataSourcei+50)
#03 pc 00024a93 /system/lib/libLGParserOSAL.so (_ZN7android12ASFExtractorC1ERKNS_2spINS_10DataSourceEEERKNS1_INS_8AMessageEEE+270)
#04 pc 00022aa9 /system/lib/libLGParserOSAL.so (_ZN7android15LGExtractorOSAL17CreateLGExtractorERKNS_2spINS_10DataSourceEEEPKcRKNS1_INS_8AMessageEEE+104)
#05 pc 000c033b /system/lib/libstagefright.so (_ZN7android14MediaExtractor6CreateERKNS_2spINS_10DataSourceEEEPKc+242)
#06 pc 000d66db /system/lib/libstagefright.so (_ZN7android28StagefrightMetadataRetriever13setDataSourceERKNS_2spINS_10DataSourceEEE+34)
#07 pc 000591e3 /system/lib/libmediaplayerservice.so (_ZN7android23MetadataRetrieverClient13setDataSourceERKNS_2spINS_11IDataSourceEEE+82)
#08 pc 0008e329 /system/lib/libmedia.so (_ZN7android24BnMediaMetadataRetriever10onTransactEjRKNS_6ParcelEPS1_j+468)
#09 pc 00019931 /system/lib/libbinder.so (_ZN7android7BBinder8transactEjRKNS_6ParcelEPS1_j+60)
#10 pc 0001eccb /system/lib/libbinder.so (_ZN7android14IPCThreadState14executeCommandEi+550)
#11 pc 0001ee35 /system/lib/libbinder.so (_ZN7android14IPCThreadState20getAndExecuteCommandEv+64)
#12 pc 0001ee99 /system/lib/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb+48)
#13 pc 00023909 /system/lib/libbinder.so
#14 pc 000100d1 /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
#15 pc 0003f9ab /system/lib/libc.so (_ZL15__pthread_startPv+30)
#16 pc 0001a0c5 /system/lib/libc.so (__start_thread+6)
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42171.zip
# 0day.today [2024-07-07] #