ID: ANDROID:CVE-2015-6609
Type: android
Reporter: androidvulnerabilities.org
Modified: 2019-07-29T00:00:00
Description
libutils in Android before 5.1.1 LMY48X and 6.0 before 2015-11-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted audio file, aka internal bug 22953624.
{"id": "ANDROID:CVE-2015-6609", "bulletinFamily": "software", "title": "CVE-2015-6609", "description": "libutils in Android before 5.1.1 LMY48X and 6.0 before 2015-11-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted audio file, aka internal bug 22953624.", "published": "2015-11-01T00:00:00", "modified": "2019-07-29T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "http://www.androidvulnerabilities.org/vulnerabilities/CVE-2015-6609.html", "reporter": "androidvulnerabilities.org", "references": ["https://nvd.nist.gov/vuln/data-feeds", "https://source.android.com/security/bulletin/2015-11-01.html", "https://android.googlesource.com/platform%2Fsystem%2Fcore/+/419e6c3c68413bd6dbb6872340b2ae0d69a0fd60", "https://android.googlesource.com/platform%2Fbootable%2Frecovery/+/ec63d564a86ad5b30f75aa307b4bd271f6a96a56"], "cvelist": ["CVE-2015-6609"], "type": "android", "lastseen": "2020-12-24T13:21:16", "edition": 2, "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-6609"]}, {"type": "threatpost", "idList": ["THREATPOST:287ED4CF87596AFB4463B257DD4C694F"]}], "modified": "2020-12-24T13:21:16", "rev": 2}, "score": {"value": 6.3, "vector": "NONE", "modified": "2020-12-24T13:21:16", "rev": 2}, "vulnersScore": 6.3}, "affectedSoftware": [{"name": "android", "operator": "le", "version": "6.0"}], "scheme": null}
{"cve": [{"lastseen": "2020-12-09T20:03:06", "description": "libutils in Android before 5.1.1 LMY48X and 6.0 before 2015-11-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted audio file, aka internal bug 22953624.", "edition": 5, "cvss3": {}, "published": "2015-11-03T11:59:00", "title": "CVE-2015-6609", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-6609"], "modified": "2016-12-07T18:20:00", "cpe": ["cpe:/o:google:android:5.1.0"], "id": "CVE-2015-6609", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6609", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:google:android:5.1.0:*:*:*:*:*:*:*"]}], "threatpost": [{"lastseen": "2018-10-06T22:56:05", "bulletinFamily": "info", "cvelist": ["CVE-2015-3875", "CVE-2015-6608", "CVE-2015-6609", "CVE-2015-6610", "CVE-2015-6611", "CVE-2015-6612", "CVE-2015-6613", "CVE-2015-6614"], "description": "The [Stagefright vulnerabilities](<https://threatpost.com/android-stagefright-flaws-put-950-million-devices-at-risk/113960/>) are the gifts that keep on giving.\n\nMonths after the potentially devastating security flaws in the mobile OS were publicly disclosed, Google continues to send out patches addressing vulnerabilities related to the initial reports.\n\nToday\u2019s monthly [Android security bulletin](<https://groups.google.com/forum/#!forum/android-security-updates>), the fourth since Google announced at 
Black Hat this summer it would begin regular patch updates, includes a fix for another flaw in the Stagefright media playback engine, one in libutils where the [Stagefright 2.0 vulnerabilities](<https://threatpost.com/stagefright-2-0-vulnerabilities-affect-1-billion-android-devices/114863/>) were found, and two in Android Mediaserver where all the vulnerable code runs.\n\nThe over-the-air update was released today to Google\u2019s Nexus devices and will be added to the Android Open Source Project (AOSP) repository in the next two days; Google partners including Samsung were provided the patches on Oct. 5, Google said, adding that the vulnerabilities are patched in Build LMY48X or later, or in Android Marshmallow with a patch level of Nov. 1.\n\nGoogle rated one of the Mediaserver vulnerabilities, CVE-2015-6608, as critical, as it did the libutils flaw, CVE-2015-6609; both allow for remote code execution if exploited.\n\nMediaserver is a core part of the Android OS and a number of applications that accept remote contact interact with it, Google said, pointing to MMS messaging and media playback via the browser as two examples.\n\n\u201cDuring media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process,\u201d Google said in its advisory. \u201cThis issue is rated as a critical severity due to the possibility of remote code execution within the context of the mediaserver service. 
The mediaserver service has access to audio and video streams as well as access to privileges that third-party apps cannot normally access.\u201d\n\nThe libutils vulnerability, meanwhile, leads to memory corruption that an attacker could exploit to run code remotely.\n\n\u201cThe affected functionality is provided as an API and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media,\u201d Google said in its advisory. \u201cThis issue is rated as a critical severity issue due to the possibility of remote code execution in a privileged service. The affected component has access to audio and video streams as well as access to privileges that third-party apps cannot normally access.\u201d\n\nGoogle said it\u2019s unaware of public exploits of any of these vulnerabilities.\n\nGoogle also said that the critical Mediaserver vulnerability was discovered internally by Abhishek Arya, Oliver Chang and Martin Barbella of the Chrome Security Team, while the libutils flaw was privately reported Aug. 3 by Daniel Micay of Copperhead Security.\n\nMicay told Threatpost he reported in August three vulnerabilities in libutils, two of which lead to code execution and are exposed via libstagefright, he said, adding that one, CVE-2015-3875, was already patched in October.\n\n\u201cA libstagefright vulnerability (including one inherited from libutils due to the fact that it uses it) can give an attacker remote code execution in the mediaserver process that uses libstagefright. The attack vectors range from media in web pages (browser), media via texts (MMS), downloaded media files (mediaserver automatically scans/analyzes all media files in Android\u2019s shared storage area),\u201d Micay said. 
\u201cThe libutils vulns are more serious because they can also expose vulnerabilities in other areas, such as a way for the attacker to escalate from a compromise of the mediaserver process to root (by attacking system_server, etc.).\u201d\n\nThe remaining Mediaserver vulnerability, CVE-2015-6611, is an information disclosure bug that is rated High by Google. Google also patched three elevation of privilege vulnerabilities in libstagefright (CVE-2015-6610), libmedia (CVE-2015-6612), and Bluetooth (CVE-2015-6613), all of which it rated High. The remaining bug, CVE-2015-6614, is an elevation of privilege flaw in Telephony.\n\nThe Stagefright vulnerability was privately reported Aug. 19 by Seven Shen of Trend Micro. A local malicious app, Google said, causes memory corruption and paves the way for code execution within Mediaserver; Google said there is a lower likelihood it can be exploited remotely.\n\nThe original Stagefright bugs were disclosed by researcher Joshua Drake of Zimperium and were believed to have affected more than 950 million Android devices. A second set of vulnerabilities in Stagefright, patched last month, affected more than 1 billion devices. Stagefright 2.0, as it was labeled, posed similar risks as the first Stagefright bugs, which were exploited via specially crafted MMS messages that were at the time automatically processed by Stagefright. The [Stagefright 2.0 flaws](<https://threatpost.com/google-pushes-stagefright-2-0-patches-to-nexus-devices/114923/>) are exploitable instead via the mobile browser, for example, where a victim is sent a link to a URL hosting the exploit, or via a man-in-the-middle attack. Like the first set of attacks, Stagefright 2.0 exploits are a way onto the phone. 
Stagefright is granted some system-level privileges, giving the attacker the opportunity to elevate their privileges with additional attacks in order to control the device.\n", "modified": "2015-11-05T17:17:23", "published": "2015-11-02T15:10:38", "id": "THREATPOST:287ED4CF87596AFB4463B257DD4C694F", "href": "https://threatpost.com/monthly-android-security-update-patches-more-stagefright-vulnerabilities/115220/", "type": "threatpost", "title": "November 2015 Android Security Bulletin", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}