Home / vulnerabilities Google Android Denial Of Service
Posted on 17 March 2015
Source : packetstormsecurity.org Link
#############################################################################
#
# QIHU 360 SOFTWARE CO. LIMITED http://www.360safe.com/
#
#############################################################################
#
# CVE ID: CVE-2015-1525
# Product: Android
# Vendor: Google
# Subject: A local application could cause a denial-of-service to the
audio_policy app
# Effect: cause a denial of service
# Author: Guang Gong
# Date: March 13th 2015
#
#############################################################################
Introduction
------------
Because of not checking null point in the
AudioPolicyManagerBase::getDeviceConnectionState function in
hardware/libhardware_legacy/audio/AudioPolicyManagerBase.cpp in Android
below 5.0 allow attackers to cause a denial of service to the audio_policy
app include mediaserver
Affected Android version
----------
all versions below Lollipop 5.0
Patches
-------
Android Bug id 18262893
https://android.googlesource.com/platform/hardware/libhardware_legacy/+/2d2ea50df16fc1a04f1ebf8772c65c56e4f5ecfa
Description
-----------
The vulnerable code is as follows.
http://androidxref.com/4.4.4_r1/xref/hardware/libhardware_legacy/audio/AudioPolicyManagerBase.cpp#251
247AudioSystem::device_connection_state
AudioPolicyManagerBase::getDeviceConnectionState(audio_devices_t device,
248 const char
*device_address)
249{
250 AudioSystem::device_connection_state state =
AudioSystem::DEVICE_STATE_UNAVAILABLE;
251 String8 address = String8(device_address);
--------------------------------->
should have checked if device_address is NULL
252 if (audio_is_output_device(device)) {
253 if (device & mAvailableOutputDevices) {
254 if (audio_is_a2dp_device(device) &&
255 (!mHasA2dp || (address != "" && mA2dpDeviceAddress !=
address))) {
256 return state;
257 }
Attack vector
-------------
A local application could cause a denial-of-service to the audio_policy app
include mediaserver
the crash Log is as follows:
85320 --------- beginning of crash
85321 F/libc (18680): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0
in tid 19486 (Binder_1)
85322 I/ (22751): fuzzing service:media.audio_policy 3:3
85323 I/DEBUG ( 180): *** *** *** *** *** *** *** *** *** *** *** ***
*** *** *** ***
85324 I/DEBUG ( 180): Build fingerprint:
'Android/aosp_hammerhead/hammerhead:4.4.3.43.43.43/AOSP/ggong10171501:userdebug/test-keys'
85325 I/DEBUG ( 180): Revision: '11'
85326 I/DEBUG ( 180): ABI: 'arm'
85327 I/DEBUG ( 180): pid: 18680, tid: 19486, name: Binder_1 >>>
/system/bin/mediaserver <<<
85328 I/DEBUG ( 180): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault
addr 0x0
85329 W/NativeCrashListener(19346): Couldn't find ProcessRecord for pid
18680
85330 I/DEBUG ( 180): r0 00000000 r1 00000000 r2 00000000 r3
00000000
85331 E/DEBUG ( 180): AM write failure (32 / Broken pipe)
85332 I/DEBUG ( 180): r4 b4afdb0c r5 00000000 r6 b4afdb0c r7
00000002
85333 I/DEBUG ( 180): r8 b4afdc78 r9 55991c07 sl 000048f8 fp
b4afddb0
85334 I/DEBUG ( 180): ip b6e2cf4c sp b4afdaf8 lr b6e25651 pc
b6ee1dd0 cpsr 600e0030
85335 I/DEBUG ( 180):
85336 I/DEBUG ( 180): backtrace:
85337 I/DEBUG ( 180): #00 pc 00010dd0 /system/lib/libc.so
(strlen+83)
85338 I/DEBUG ( 180): #01 pc 0000d64d /system/lib/libutils.so
(android::String8::String8(char const*)+8)
85339 I/DEBUG ( 180): #02 pc 00009011 /system/lib/hw/
audio_policy.default.so
(android_audio_legacy::AudioPolicyManagerBase::getDeviceConnectionState(unsigned
int, char const*)+12)
85340 I/DEBUG ( 180): #03 pc 0000dfed /system/lib/hw/
audio_policy.default.so
85341 I/DEBUG ( 180): #04 pc 00023145 /system/lib/libaudioflinger.so
85342 I/DEBUG ( 180): #05 pc 00056301 /system/lib/libmedia.so
(android::BnAudioPolicyService::onTransact(unsigned int, android::Parcel
const&, android::Parcel*, unsigned int)+1056)
85343 I/DEBUG ( 180): #06 pc 000167a5 /system/lib/libbinder.so
(android::BBinder::transact(unsigned int, android::Parcel const&,
android::Parcel*, unsigned int)+60)
85344 I/DEBUG ( 180): #07 pc 0001aea3 /system/lib/libbinder.so
(android::IPCThreadState::executeCommand(int)+562)
85345 I/DEBUG ( 180): #08 pc 0001afbf /system/lib/libbinder.so
(android::IPCThreadState::getAndExecuteCommand()+38)
85346 I/DEBUG ( 180): #09 pc 0001b001 /system/lib/libbinder.so
(android::IPCThreadState::joinThreadPool(bool)+48)
85347 I/DEBUG ( 180): #10 pc 0001ee93 /system/lib/libbinder.so
85348 I/DEBUG ( 180): #11 pc 0000e97d /system/lib/libutils.so
(android::Thread::_threadLoop(void*)+112)
85349 I/DEBUG ( 180): #12 pc 0000e505 /system/lib/libutils.so
85350 I/DEBUG ( 180): #13 pc 00013133 /system/lib/libc.so
(__pthread_start(void*)+30)
85351 I/DEBUG ( 180): #14 pc 0001120b /system/lib/libc.so
(__start_thread+6)
Milestones
----------
Date Comment Sender
05/11/2014 Initial Report of CVE-2015-1525 Qihoo
07/11/2014 Sent the Android Bug ID 18262893 Google
27/01/2015 Sent the CVE-ID Google
13/3/2015 fixed in Lollipop 5.1, disclose it Qihoo