Vendor: Exynos Seiren Audio Driver
By: Google Security Research
CVSS: 7.5 (HIGH)
CWE: 119 (Buffer Overflow)
Product Name: Exynos Seiren Audio Driver
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE: a:samsung:exynos_seiren_audio_driver
Metasploit:
Other Scripts:
Platforms Tested: Android (Samsung S6 Edge)

Exynos Seiren Audio Driver Buffer Overflow Vulnerability

The Exynos Seiren Audio driver has a buffer overflow vulnerability in the write() implementation, allowing for memory corruption. The vulnerability can be triggered by writing to the device endpoint (/dev/seiren) with a user-supplied buffer that is not adequately bounds checked.

Mitigation:

To mitigate this vulnerability, it is recommended to apply the patch provided by the vendor or update to a non-vulnerable version of the Exynos Seiren Audio driver. Additionally, access to the vulnerable device endpoint should be restricted to trusted users only.
Source

Exploit-DB raw data:

Source: https://code.google.com/p/google-security-research/issues/detail?id=491

The Exynos Seiren Audio driver has a device endpoint (/dev/seiren) that is accessible by either the system user or the audio group (such as the mediaserver). It was found that the write() implementation for this driver contains a buffer overflow vulnerability that overflows a static global buffer:

static ssize_t esa_write(struct file *file, const char *buffer,
                                        size_t size, loff_t *pos)
{
        struct esa_rtd *rtd = file->private_data;
        unsigned char *ibuf;
…
        ibuf = rtd->ibuf0;
...
        /* receive stream data from user */
        /* size comes straight from the caller and is never compared
         * against the fixed size of rtd->ibuf0 before the copy */
        if (copy_from_user(ibuf, buffer, size)) {
                esa_err("%s: failed to copy_from_user\n", __func__);
                goto err;
        }

Note that the user-supplied buffer and size parameters are not adequately bounds checked. The destination buffer is fixed size, so memory corruption can occur. A simple proof-of-concept from a privileged shell can be used to trigger the issue (tested on a Samsung S6 Edge):

# dd if=/dev/zero of=/dev/seiren count=5000000
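The hardened form of the write path discussed above, as an added example that is not part of the advisory or of Samsung's driver. It models copy_from_user() in user space with a plain memcpy(), assumes a hypothetical fixed input buffer size ESA_IBUF_SIZE of 4096 bytes (the real size of ibuf0 is not stated on the page), and adds the length check that the original esa_write() lacks: any request larger than the destination is rejected before a single byte is copied.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical size of the fixed input buffer; the real value is not on the page. */
#define ESA_IBUF_SIZE 4096

/* Minimal stand-in for the driver's per-file runtime data. */
struct esa_rtd {
    unsigned char ibuf0[ESA_IBUF_SIZE];
};

/* User-space model of the kernel's copy_from_user(): returns 0 on success. */
static unsigned long copy_from_user_model(void *to, const void *from, size_t n)
{
    memcpy(to, from, n);
    return 0;
}

/* Hardened write: validate the caller-controlled size against the
 * destination buffer before copying anything. */
long esa_write_hardened(struct esa_rtd *rtd, const unsigned char *buffer, size_t size)
{
    if (rtd == NULL || buffer == NULL)
        return -EFAULT;
    if (size == 0 || size > sizeof(rtd->ibuf0))
        return -EINVAL;                 /* the check the original code is missing */
    if (copy_from_user_model(rtd->ibuf0, buffer, size))
        return -EFAULT;
    return (long)size;                  /* bytes accepted, as write() would report */
}

/* Returns 1 if the unchecked original would write past ibuf0 for this size. */
int esa_write_would_overflow(size_t size)
{
    return size > ESA_IBUF_SIZE;
}

/* Drive the hardened path with a constructed source buffer. Oversized
 * requests are rejected before the copy, so the source only needs to
 * cover sizes that are actually accepted (<= ESA_IBUF_SIZE). */
long try_write(size_t size)
{
    struct esa_rtd rtd;
    unsigned char src[ESA_IBUF_SIZE + 64];   /* constructed sample input */

    memset(src, 0x41, sizeof src);
    return esa_write_hardened(&rtd, src, size);
}

int main(void)
{
    printf("in-range write of 16 bytes   -> %ld\n", try_write(16));
    printf("write of exactly IBUF_SIZE   -> %ld\n", try_write(ESA_IBUF_SIZE));
    printf("oversized write (IBUF+1)     -> %ld (expected -EINVAL=%d)\n",
           try_write(ESA_IBUF_SIZE + 1), -EINVAL);
    return 0;
}
```

The same pattern applies to any character-device write() that copies into a fixed buffer: compare the requested length with the destination size (or clamp it and return the shorter count) before calling copy_from_user(), and have the test suite exercise the boundary at exactly the buffer size and one byte beyond it.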