Merge pull request #100 from Fuzion24/feature/cve_2015_6616

CVE-2015-6616
AndroidVTS · Dec 14, 2015 · 0927ac3 · 0927ac3
2 parents c18c168 + ca53370
commit 0927ac3
Show file tree

Hide file tree

Showing 3 changed files with 102 additions and 0 deletions.
diff --git a/app/src/main/assets/vuln_map.json b/app/src/main/assets/vuln_map.json
@@ -507,5 +507,29 @@
         "https://android.googlesource.com/platform%2Fframeworks%2Fav/+/3878b990f7d53eae7c2cf9246b6ef2db5a049872"
     ],
     "cvedate": "09/30/2015"
+  },
+  "CVE-2015-6616": {
+    "cve": "CVE-2015-6616",
+    "altnames": [
+          "ANDROID-24630158",
+          "ANDROID-23882800",
+          "ANDROID-17769851",
+          "ANDROID-24441553",
+          "ANDROID-24157524"
+    ],
+    "description": "Remote Code Execution Vulnerabilities in Mediaserver",
+    "impact": "During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process. The affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media. This issue is rated as a Critical severity due to the possibility of remote code execution within the context of the mediaserver service. The mediaserver service has access to audio and video streams as well as access to privileges that third-party apps cannot normally access.",
+    "external_links": [
+      "https://source.android.com/security/bulletin/2015-12-01.html"
+    ],
+    "cvssv2": 10,
+    "patch": [
+             "https://android.googlesource.com/platform%2Fframeworks%2Fav/+/77c185d5499d6174e7a97b3e1512994d3a803151",
+             "https://android.googlesource.com/platform%2Fframeworks%2Fav/+/0d35dd2068d6422c3c77fb68f248cbabf3d0b10c",
+             "https://android.googlesource.com/platform%2Fframeworks%2Fav/+/dedaca6f04ac9f95fabe3b64d44cd1a2050f079e",
+             "https://android.googlesource.com/platform%2Fframeworks%2Fav/+/5d101298d8b0a78a1dc5bd26dbdada411f4ecd4d",
+             "https://android.googlesource.com/platform%2Fexternal%2Flibavc/+/2ee0c1bced131ffb06d1b430b08a202cd3a52005"
+    ],
+    "cvedate": "10/12/2015"
   }
 }
diff --git a/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/VulnerabilityOrganizer.java b/app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/VulnerabilityOrganizer.java
@@ -12,6 +12,7 @@
 import fuzion24.device.vulnerability.vulnerabilities.framework.graphics.GraphicBufferTest;
 import fuzion24.device.vulnerability.vulnerabilities.framework.media.CVE_2015_6602;
 import fuzion24.device.vulnerability.vulnerabilities.framework.media.CVE_2015_6608;
+import fuzion24.device.vulnerability.vulnerabilities.framework.media.CVE_2015_6616;
 import fuzion24.device.vulnerability.vulnerabilities.framework.media.StageFright;
 import fuzion24.device.vulnerability.vulnerabilities.framework.serialization.OpenSSLTransientBug;
 import fuzion24.device.vulnerability.vulnerabilities.framework.zip.ZipBug8219321;
@@ -53,6 +54,7 @@ public static List<VulnerabilityTest> getTests(Context ctx){
         allTests.add(new SamsungCREDzip());
         allTests.add(new CVE_2015_6608());
         allTests.add(new CVE20151528());
+        allTests.add(new CVE_2015_6616());
 
         List<VulnerabilityTest> filteredTest = new ArrayList<VulnerabilityTest>();
         String cpuArch1 = SystemUtils.propertyGet(ctx, "ro.product.cpu.abi");

diff --git a/...ain/java/fuzion24/device/vulnerability/vulnerabilities/framework/media/CVE_2015_6616.java b/...ain/java/fuzion24/device/vulnerability/vulnerabilities/framework/media/CVE_2015_6616.java
@@ -0,0 +1,76 @@
+package fuzion24.device.vulnerability.vulnerabilities.framework.media;
+
+import android.content.Context;
+
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.util.ArrayList;
+import java.util.List;
+
+import fuzion24.device.vulnerability.util.CPUArch;
+import fuzion24.device.vulnerability.vulnerabilities.VulnerabilityTest;
+import fuzion24.device.vulnerability.vulnerabilities.helper.BinaryAssets;
+import fuzion24.device.vulnerability.vulnerabilities.helper.KMPMatch;
+
+/**
+ * Created by fuzion24 on 12/14/15.
+ */
+public class CVE_2015_6616  implements VulnerabilityTest {
+
+/*
+    CVE	Bug(s) with AOSP links	Severity	Affected versions	Date reported
+    CVE-2015-6616
+    ANDROID-24630158	Critical	6.0 and below	Google Internal
+    ANDROID-23882800	Critical	6.0 and below	Google Internal
+    ANDROID-17769851	Critical	5.1 and below	Google Internal
+    ANDROID-24441553	Critical	6.0 and below	Sep 22, 2015
+    ANDROID-24157524	Critical	6.0	Sep 08, 2015
+
+    ANDROID-24630158 https://android.googlesource.com/platform%2Fframeworks%2Fav/+/77c185d5499d6174e7a97b3e1512994d3a803151
+    ANDROID-23882800 https://android.googlesource.com/platform%2Fframeworks%2Fav/+/0d35dd2068d6422c3c77fb68f248cbabf3d0b10c
+    ANDROID-17769851 https://android.googlesource.com/platform%2Fframeworks%2Fav/+/dedaca6f04ac9f95fabe3b64d44cd1a2050f079e
+    ANDROID-24441553 https://android.googlesource.com/platform%2Fframeworks%2Fav/+/5d101298d8b0a78a1dc5bd26dbdada411f4ecd4d
+    ANDROID-24157524 https://android.googlesource.com/platform%2Fexternal%2Flibavc/+/2ee0c1bced131ffb06d1b430b08a202cd3a52005
+*/
+
+    @Override
+    public String getCVEorID() {
+        return "CVE-2015-6616";
+    }
+
+    @Override
+    public boolean isVulnerable(Context context) throws Exception {
+        File stagefrightlib = new File("/system/lib/libstagefright.so");
+        if(!stagefrightlib.exists() || !stagefrightlib.isFile()){
+            throw new Exception("libstagefright.so doesn't exist or is not a file");
+        }
+
+        ByteArrayOutputStream libStageFrightBAOS = new ByteArrayOutputStream((int)stagefrightlib.length());
+        BinaryAssets.copy(new FileInputStream(stagefrightlib), libStageFrightBAOS);
+        byte[] libstagefrightSO = libStageFrightBAOS.toByteArray();
+
+        KMPMatch binMatcher = new KMPMatch();
+
+        int indexOf = binMatcher.indexOf(libstagefrightSO, "b/24445127".getBytes());
+        boolean libstagefrightVulnerableToBug24445127 = indexOf == -1;
+
+        indexOf = binMatcher.indexOf(libstagefrightSO, "bogus max input size: %zu".getBytes());
+        boolean libstagefrightVulnerableToBug17769851 = indexOf == -1;
+
+        indexOf = binMatcher.indexOf(libstagefrightSO, "b/24441553, b/24445122".getBytes());
+        boolean libstagefrightVulnerableToBug24441553 = indexOf == -1;
+
+
+        return libstagefrightVulnerableToBug24445127 ||
+                libstagefrightVulnerableToBug17769851 ||
+                libstagefrightVulnerableToBug24441553;
+    }
+
+    @Override
+    public List<CPUArch> getSupportedArchitectures() {
+        List<CPUArch> archs = new ArrayList<>();
+        archs.add(CPUArch.ALL);
+        return archs;
+    }
+}