Exploit Samsung Galaxy S6 - 'android.media.process' 'MdConvertLine' Face Recognition Memory Corruption

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
39425
Проверка EDB
  1. Пройдено
Автор
GOOGLE SECURITY RESEARCH
Тип уязвимости
DOS
Платформа
ANDROID
CVE
N/A
Дата публикации
2016-02-08
Samsung Galaxy S6 - 'android.media.process' 'MdConvertLine' Face Recognition Memory Corruption
Код:
Source: https://code.google.com/p/google-security-research/issues/detail?id=616

The attached file causes memory corruption when iy is scanned by the face recognition library in android.media.process

F/libc    ( 4134): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x33333333333358 in tid 12161 (syncThread)
I/DEBUG   ( 3021): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG   ( 3021): Build fingerprint: 'Verizon/zeroltevzw/zeroltevzw:5.1.1/LMY47X/G925VVRU4BOG9:user/release-keys'
I/DEBUG   ( 3021): Revision: '10'
I/DEBUG   ( 3021): ABI: 'arm64'
I/DEBUG   ( 3021): pid: 4134, tid: 12161, name: syncThread  >>> android.process.media <<<
I/DEBUG   ( 3021): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x33333333333358
I/DEBUG   ( 3021):     x0   3333333333333330  x1   0000007f714b6800  x2   000000000000001f  x3   3333333333333330
I/DEBUG   ( 3021):     x4   0000007f817fedb8  x5   0000007f7c1f4ea8  x6   0000007f7c1f4ec0  x7   0000007f7c109680
I/DEBUG   ( 3021):     x8   304b333333333333  x9   3033330333000000  x10  3333333333333333  x11  0103304b33333333
I/DEBUG   ( 3021):     x12  0000040033300311  x13  0300035033333333  x14  0300303333233333  x15  0000000000001484
I/DEBUG   ( 3021):     x16  0000007f74bfe828  x17  0000007f8c086008  x18  0000007f8c13b830  x19  0000007f7c279a00
I/DEBUG   ( 3021):     x20  0000000000000000  x21  0000007f7c1036a0  x22  0000007f817ff440  x23  0000007f7c279a10
I/DEBUG   ( 3021):     x24  0000000032d231a0  x25  0000000000000065  x26  0000000032d28880  x27  0000000000000065
I/DEBUG   ( 3021):     x28  0000000000000000  x29  0000007f817fecb0  x30  0000007f740be014
I/DEBUG   ( 3021):     sp   0000007f817fecb0  pc   0000007f740cefdc  pstate 0000000080000000
I/DEBUG   ( 3021): 
I/DEBUG   ( 3021): backtrace:
I/DEBUG   ( 3021):     #00 pc 0000000000065fdc  /system/lib64/libfacerecognition.so (MdConvertLine+28)
I/DEBUG   ( 3021):     #01 pc 0000000000055010  /system/lib64/libfacerecognition.so (MCC_Process+160)

To reproduce, download the attached file and wait, or trigger media scanning by calling:

adb shell am broadcast -a android.intent.action.MEDIA_MOUNTED -d file:///mnt/shell/emulated/0/


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39425.zip
 
Источник
www.exploit-db.com

Похожие темы