by: Project Zero
CVSS: 7.5 (HIGH)
CWE: Out-of-bounds Heap Read
Patch Exists: NO

Out-of-bounds Heap Read in ASFParser::ParseHeaderExtensionObjects

There is a memcpy in ASFParser::ParseHeaderExtensionObjects which doesn't check that the size of the copy is smaller than the size of the source buffer, resulting in an out-of-bounds heap read. The vulnerable code appears to be in handling the parsing of an extension object of type ASF_Metadata_Object with a Description Record with an overly large length. This issue probably allows leaking mediaserver memory from an app process on the device via the retrieved metadata.


Exploit-DB raw data:

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1222

There is a memcpy in ASFParser::ParseHeaderExtensionObjects which doesn't check that the size of the copy is smaller than the size of the source buffer, resulting in an out-of-bounds heap read.

The vulnerable code appears to be in handling the parsing of an extension object of type ASF_Metadata_Object with a Description Record with an overly large length.

See attached for a crash poc. This issue probably allows leaking mediaserver memory from an app process on the device via the retrieved metadata.

Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
Revision: '11'
ABI: 'arm'
pid: 10423, tid: 10533, name: Binder_2  >>> /system/bin/mediaserver <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xf05c0000
    r0 ef5aff40  r1 f05bfff5  r2 00f5007f  r3 00000000
    r4 f050b280  r5 f0510000  r6 00ffffff  r7 00000000
    r8 000000b5  r9 00000034  sl 00000000  fp f05455a0
    ip f05e2e1c  sp f06f35c8  lr f05d8c9d  pc f71d77b4  cpsr 200b0010

backtrace:
    #00 pc 000177b4  /system/lib/libc.so (__memcpy_base+88)
    #01 pc 00003c99  /system/lib/liblg_parser_asf.so (_ZN9ASFParser27ParseHeaderExtensionObjectsEv+436)
    #02 pc 00006a87  /system/lib/liblg_parser_asf.so (_ZN9ASFParser6OpenExEP11IDataSourcei+50)
    #03 pc 00024a93  /system/lib/libLGParserOSAL.so (_ZN7android12ASFExtractorC1ERKNS_2spINS_10DataSourceEEERKNS1_INS_8AMessageEEE+270)
    #04 pc 00022aa9  /system/lib/libLGParserOSAL.so (_ZN7android15LGExtractorOSAL17CreateLGExtractorERKNS_2spINS_10DataSourceEEEPKcRKNS1_INS_8AMessageEEE+104)
    #05 pc 000c033b  /system/lib/libstagefright.so (_ZN7android14MediaExtractor6CreateERKNS_2spINS_10DataSourceEEEPKc+242)
    #06 pc 000d66db  /system/lib/libstagefright.so (_ZN7android28StagefrightMetadataRetriever13setDataSourceERKNS_2spINS_10DataSourceEEE+34)
    #07 pc 000591e3  /system/lib/libmediaplayerservice.so (_ZN7android23MetadataRetrieverClient13setDataSourceERKNS_2spINS_11IDataSourceEEE+82)
    #08 pc 0008e329  /system/lib/libmedia.so (_ZN7android24BnMediaMetadataRetriever10onTransactEjRKNS_6ParcelEPS1_j+468)
    #09 pc 00019931  /system/lib/libbinder.so (_ZN7android7BBinder8transactEjRKNS_6ParcelEPS1_j+60)
    #10 pc 0001eccb  /system/lib/libbinder.so (_ZN7android14IPCThreadState14executeCommandEi+550)
    #11 pc 0001ee35  /system/lib/libbinder.so (_ZN7android14IPCThreadState20getAndExecuteCommandEv+64)
    #12 pc 0001ee99  /system/lib/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb+48)
    #13 pc 00023909  /system/lib/libbinder.so
    #14 pc 000100d1  /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
    #15 pc 0003f9ab  /system/lib/libc.so (_ZL15__pthread_startPv+30)
    #16 pc 0001a0c5  /system/lib/libc.so (__start_thread+6)
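As an added illustration (not LG's parser and not code from the Project Zero report), the following is a bounds-checked reader for one ASF Metadata Object Description Record, using the record layout from the ASF specification; MAX_DATA, the sample records and the helper names are constructed for the demo. It shows the check the vulnerable memcpy lacks: every declared length is compared against the bytes actually remaining in the source before anything is copied.

```c
#include <stdint.h>
#include <string.h>

/* Added example: a bounds-checked reader for one ASF Metadata Object
 * Description Record, laid out per the ASF specification (little-endian):
 *   Reserved(2) StreamNumber(2) NameLength(2) DataType(2) DataLength(4)
 *   Name[NameLength] Data[DataLength]
 * The bug on this page is a memcpy whose length comes from the record's
 * length fields without being compared to the bytes left in the source. */

#define MAX_DATA 64   /* destination capacity, chosen for the demo */

struct desc_record {
    uint16_t stream_number, data_type;
    uint32_t data_len;
    uint8_t data[MAX_DATA];
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Returns bytes consumed, or 0 if the record does not fit in src[0..src_len). */
size_t parse_desc_record(const uint8_t *src, size_t src_len, struct desc_record *out)
{
    const size_t hdr = 12;
    if (src_len < hdr) return 0;                        /* fixed header must fit */
    uint16_t name_len = rd16(src + 4);
    uint32_t data_len = rd32(src + 8);
    /* Compare each variable-length field to what is actually left; this
       subtraction form cannot overflow, unlike hdr + name_len + data_len. */
    if (name_len > src_len - hdr) return 0;
    if (data_len > src_len - hdr - name_len) return 0;
    if (data_len > MAX_DATA) return 0;                  /* and to the destination */
    out->stream_number = rd16(src + 2);
    out->data_type = rd16(src + 6);
    out->data_len = data_len;
    memcpy(out->data, src + hdr + name_len, data_len);  /* now provably in bounds */
    return hdr + name_len + data_len;
}

/* Constructed sample: one record with an 8-byte name and 4 data bytes. */
static const uint8_t good_rec[] = { 0,0, 1,0, 8,0, 1,0, 4,0,0,0,
    'T',0,'i',0,'t',0,'l',0,  0xde,0xad,0xbe,0xef };
/* Same bytes, but DataLength claims 0x00f5007f bytes (a value as large as
   the r2 register, memcpy's length argument on ARM, in the crash dump above). */
static const uint8_t bad_rec[]  = { 0,0, 1,0, 8,0, 1,0, 0x7f,0x00,0xf5,0x00,
    'T',0,'i',0,'t',0,'l',0,  0xde,0xad,0xbe,0xef };

size_t demo_good(void) { struct desc_record r; return parse_desc_record(good_rec, sizeof good_rec, &r); }
size_t demo_bad(void)  { struct desc_record r; return parse_desc_record(bad_rec, sizeof bad_rec, &r); }
```

The same rejection applies when the buffer is truncated mid-record, which is the other way a declared length can exceed the source.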


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42171.zip