Vulners
Lucene search
WeChat - Memory Corruption in CAudioJBM::InputAudioFrameToJBM Exploit
| Reporter | Title | Published | Views | Family All 50 |
|---|---|---|---|---|
 | Android ashmem Read-Only Bypasses Exploit | 10 Jan 202000:00 | – | zdt |
| Android - ashmem Readonly Bypasses via remap_file_pages() and ASHMEM_UNPIN Exploit | 15 Jan 202000:00 | – | zdt |
 | Android Security Bulletin—January 2020Stay organized with collectionsSave and categorize content based on your preferences. | 6 Jan 202000:00 | – | androidsecurity |
| Pixel Update Bulletin—January 2020Stay organized with collectionsSave and categorize content based on your preferences. | 6 Jan 202000:00 | – | androidsecurity |
 | CVE-2020-0009 | 14 Jan 202000:00 | – | circl |
 | Google Android Kernel Component Elevation of Privilege Vulnerability (CNVD-2020-02990) | 7 Jan 202000:00 | – | cnvd |
 | CVE-2020-0009 | 8 Jan 202015:31 | – | cve |
 | CVE-2020-0009 | 8 Jan 202015:31 | – | cvelist |
 | [SECURITY] [DLA 2241-1] linux security update | 9 Jun 202021:29 | – | debian |
| [SECURITY] [DLA 2241-2] linux security update | 10 Jun 202010:55 | – | debian |
10
There is a memory corruption vulnerability in audio processing during a voice call in WeChat. When an RTP packet is processed, there is a call to UnpacketRTP. This function decrements the length of the packet by 12 without checking that the packet has at least 12 bytes in it. This leads to a negative packet length. Then, CAudioJBM::InputAudioFrameToJBM will check that the packet size is smaller than the size of a buffer before calling memcpy, but this check (n < 300) does not consider that the packet length could be negative due to the previous error. This leads to an out-of-bounds copy.
To reproduce the bug:
1) install and run frida on the caller Android device and a desktop host (https://www.frida.re)
2) copy the filed in the attached directory to /data/local/tmp/packs/, so that /data/local/tmp/packs/opack0 exists
3) run "setenforce 0" on the caller device
4) extract replay.py and replay.js into the same directory on a desktop host and run:
python3 replay.py DEVICENAME
Wait for the word "READY" to display.
If you don't know your device name, you can list device names by running:
python3 replay.py
5) start a voice call and answer it on the target device. A crash will occur in about 10 seconds.
A crash log is attached.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47920.zip
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
14 Jan 2020 00:00Current
0.1Low risk
Vulners AI Score0.1
CVSS 22.1
CVSS 3.15.5
EPSS0.00687