Android audio_policy app Local DoS

2015.03.17
Credit: Guang Gong
Risk: Low
Local: Yes
Remote: No
CWE: CWE-20


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

#############################################################################
#
# QIHU 360 SOFTWARE CO. LIMITED
# http://www.360safe.com/
#
#############################################################################
#
# CVE ID:  CVE-2015-1525
# Product: Android
# Vendor:  Google
# Subject: A local application could cause a denial of service in the audio_policy service
# Effect:  Denial of service
# Author:  Guang Gong
# Date:    March 13th 2015
#
#############################################################################

Introduction
------------
AudioPolicyManagerBase::getDeviceConnectionState() in
hardware/libhardware_legacy/audio/AudioPolicyManagerBase.cpp does not check
device_address for NULL before constructing a String8 from it. On Android
below 5.0 a local attacker can use this to crash the audio_policy service,
which runs inside mediaserver, causing a denial of service.

Affected Android version
------------------------
All versions below Lollipop 5.0

Patches
-------
Android Bug id 18262893
https://android.googlesource.com/platform/hardware/libhardware_legacy/+/2d2ea50df16fc1a04f1ebf8772c65c56e4f5ecfa

Description
-----------
The vulnerable code is as follows (line numbers are those of the 4.4.4_r1 source):
http://androidxref.com/4.4.4_r1/xref/hardware/libhardware_legacy/audio/AudioPolicyManagerBase.cpp#251

247 AudioSystem::device_connection_state AudioPolicyManagerBase::getDeviceConnectionState(audio_devices_t device,
248                                                   const char *device_address)
249 {
250     AudioSystem::device_connection_state state = AudioSystem::DEVICE_STATE_UNAVAILABLE;
251     String8 address = String8(device_address);   <--- should have checked whether device_address is NULL
252     if (audio_is_output_device(device)) {
253         if (device & mAvailableOutputDevices) {
254             if (audio_is_a2dp_device(device) &&
255                 (!mHasA2dp || (address != "" && mA2dpDeviceAddress != address))) {
256                 return state;
257             }

The String8 constructor calls strlen() on the pointer it is given, so a NULL
device_address dereferences address 0 on the Binder thread of mediaserver
(frames #00 to #02 in the backtrace below).

Attack vector
-------------
A local application can crash the audio_policy service, and with it
mediaserver, by sending the media.audio_policy Binder service a request that
reaches getDeviceConnectionState() with a NULL device_address. The crash log
(captured while fuzzing the media.audio_policy service) is as follows:

--------- beginning of crash
F/libc    (18680): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 19486 (Binder_1)
I/        (22751): fuzzing service:media.audio_policy 3:3
I/DEBUG   (  180): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG   (  180): Build fingerprint: 'Android/aosp_hammerhead/hammerhead:4.4.3.43.43.43/AOSP/ggong10171501:userdebug/test-keys'
I/DEBUG   (  180): Revision: '11'
I/DEBUG   (  180): ABI: 'arm'
I/DEBUG   (  180): pid: 18680, tid: 19486, name: Binder_1  >>> /system/bin/mediaserver <<<
I/DEBUG   (  180): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
W/NativeCrashListener(19346): Couldn't find ProcessRecord for pid 18680
I/DEBUG   (  180):     r0 00000000  r1 00000000  r2 00000000  r3 00000000
E/DEBUG   (  180): AM write failure (32 / Broken pipe)
I/DEBUG   (  180):     r4 b4afdb0c  r5 00000000  r6 b4afdb0c  r7 00000002
I/DEBUG   (  180):     r8 b4afdc78  r9 55991c07  sl 000048f8  fp b4afddb0
I/DEBUG   (  180):     ip b6e2cf4c  sp b4afdaf8  lr b6e25651  pc b6ee1dd0  cpsr 600e0030
I/DEBUG   (  180):
I/DEBUG   (  180): backtrace:
I/DEBUG   (  180):     #00 pc 00010dd0  /system/lib/libc.so (strlen+83)
I/DEBUG   (  180):     #01 pc 0000d64d  /system/lib/libutils.so (android::String8::String8(char const*)+8)
I/DEBUG   (  180):     #02 pc 00009011  /system/lib/hw/audio_policy.default.so (android_audio_legacy::AudioPolicyManagerBase::getDeviceConnectionState(unsigned int, char const*)+12)
I/DEBUG   (  180):     #03 pc 0000dfed  /system/lib/hw/audio_policy.default.so
I/DEBUG   (  180):     #04 pc 00023145  /system/lib/libaudioflinger.so
I/DEBUG   (  180):     #05 pc 00056301  /system/lib/libmedia.so (android::BnAudioPolicyService::onTransact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int)+1056)
I/DEBUG   (  180):     #06 pc 000167a5  /system/lib/libbinder.so (android::BBinder::transact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int)+60)
I/DEBUG   (  180):     #07 pc 0001aea3  /system/lib/libbinder.so (android::IPCThreadState::executeCommand(int)+562)
I/DEBUG   (  180):     #08 pc 0001afbf  /system/lib/libbinder.so (android::IPCThreadState::getAndExecuteCommand()+38)
I/DEBUG   (  180):     #09 pc 0001b001  /system/lib/libbinder.so (android::IPCThreadState::joinThreadPool(bool)+48)
I/DEBUG   (  180):     #10 pc 0001ee93  /system/lib/libbinder.so
I/DEBUG   (  180):     #11 pc 0000e97d  /system/lib/libutils.so (android::Thread::_threadLoop(void*)+112)
I/DEBUG   (  180):     #12 pc 0000e505  /system/lib/libutils.so
I/DEBUG   (  180):     #13 pc 00013133  /system/lib/libc.so (__pthread_start(void*)+30)
I/DEBUG   (  180):     #14 pc 0001120b  /system/lib/libc.so (__start_thread+6)

Milestones
----------
Date         Comment                                  Sender
05/11/2014   Initial report of CVE-2015-1525          Qihoo
07/11/2014   Sent the Android Bug ID 18262893         Google
27/01/2015   Sent the CVE-ID                          Google
13/03/2015   Fixed in Lollipop 5.1; disclosed         Qihoo
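The following is an added example, not code from the advisory or from AOSP. It models the bug in the Description and the crash path in the Attack vector: a Binder-side string read that yields NULL, the 4.4-era getDeviceConnectionState() shape that builds a String8 from it unconditionally, and a hardened variant beside it. String8, Parcel and the policy-manager state are toy stand-ins (the String8 stand-in throws where the real one would fault in strlen(), so the failure can be observed in-process); only the AUDIO_DEVICE_* bit values are taken from AOSP's audio.h. The hardened variant's NULL-to-empty mapping is an assumption about the fix; the linked commit is the authority on its exact form.

```cpp
// Added example (not the advisory's or AOSP's code): a compact model of the
// getDeviceConnectionState() NULL-address bug next to a hardened variant.
// String8, Parcel and the policy-manager state are toy stand-ins; only the
// AUDIO_DEVICE_* bit values are taken from AOSP's audio.h.
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

namespace demo {

typedef uint32_t audio_devices_t;
const audio_devices_t AUDIO_DEVICE_BIT_IN = 0x80000000u;        // audio.h
const audio_devices_t AUDIO_DEVICE_OUT_SPEAKER = 0x2u;          // audio.h
const audio_devices_t AUDIO_DEVICE_OUT_BLUETOOTH_A2DP = 0x80u;  // audio.h
enum device_connection_state { DEVICE_STATE_UNAVAILABLE = 0, DEVICE_STATE_AVAILABLE = 1 };

static bool audio_is_output_device(audio_devices_t d) { return (d & AUDIO_DEVICE_BIT_IN) == 0; }
static bool audio_is_a2dp_device(audio_devices_t d) { return (d & AUDIO_DEVICE_OUT_BLUETOOTH_A2DP) != 0; }

// Stand-in for android::String8. The real constructor calls strlen() on its
// argument; with NULL that is the SIGSEGV at fault addr 0x0 in the crash log.
// The stand-in throws instead so the failure is observable in-process.
struct String8 {
    std::string s;
    String8() {}
    explicit String8(const char *p) {
        if (p == nullptr) throw std::runtime_error("String8(NULL): strlen(NULL), SIGSEGV stand-in");
        s = p;
    }
    bool operator!=(const char *o) const { return s != o; }
    bool operator!=(const String8 &o) const { return s != o.s; }
};

// Stand-in for the service-side Parcel, reduced to the one read that matters:
// like Parcel::readCString(), a payload with no NUL-terminated string yields
// NULL rather than an error, and that NULL flows into the policy manager.
struct Parcel {
    std::vector<uint8_t> buf;  // constructed client payload: raw address bytes
    const char *readCString() const {
        for (size_t i = 0; i < buf.size(); ++i)
            if (buf[i] == 0) return reinterpret_cast<const char *>(&buf[0]);
        return nullptr;
    }
};

struct PolicyManagerBase {
    audio_devices_t mAvailableOutputDevices = AUDIO_DEVICE_OUT_SPEAKER | AUDIO_DEVICE_OUT_BLUETOOTH_A2DP;
    bool mHasA2dp = true;
    String8 mA2dpDeviceAddress{"00:11:22:33:44:55"};  // constructed sample address

    // Shape of the Android 4.4 code: String8 is built from device_address
    // before anything checks it, so a NULL address takes mediaserver down.
    device_connection_state getDeviceConnectionState_vulnerable(audio_devices_t device, const char *device_address) const {
        String8 address = String8(device_address);
        return evaluate(device, address);
    }
    // Hardened: a NULL address is treated as the empty address (an assumption
    // about the fix; the linked commit is the authority on its exact form).
    device_connection_state getDeviceConnectionState_fixed(audio_devices_t device, const char *device_address) const {
        String8 address = (device_address == nullptr) ? String8("") : String8(device_address);
        return evaluate(device, address);
    }

  private:
    // Output-device half of the original decision logic, same shape as the 4.4 source.
    device_connection_state evaluate(audio_devices_t device, const String8 &address) const {
        device_connection_state state = DEVICE_STATE_UNAVAILABLE;
        if (audio_is_output_device(device) && (device & mAvailableOutputDevices)) {
            if (audio_is_a2dp_device(device) &&
                (!mHasA2dp || (address != "" && mA2dpDeviceAddress != address))) {
                return state;  // A2DP is up, but for a different address
            }
            state = DEVICE_STATE_AVAILABLE;
        }
        return state;
    }
};

// Service side of the transaction: the manager gets whatever readCString()
// produced, NULL included. Returns the state, or throws on the unpatched
// path when the payload is unterminated (the throw standing in for SIGSEGV).
static device_connection_state onGetDeviceConnectionState(audio_devices_t device, const Parcel &data, bool hardened) {
    PolicyManagerBase apm;
    const char *device_address = data.readCString();
    return hardened ? apm.getDeviceConnectionState_fixed(device, device_address)
                    : apm.getDeviceConnectionState_vulnerable(device, device_address);
}

// True if the unpatched path crashes on this payload.
static bool vulnerableCrashes(audio_devices_t device, const Parcel &data) {
    try { onGetDeviceConnectionState(device, data, false); return false; }
    catch (const std::runtime_error &) { return true; }
}

}  // namespace demo

int main() {
    demo::Parcel crafted{{'A', 'B'}};  // two bytes, no NUL: readCString() returns NULL
    demo::Parcel good{{'0','0',':','1','1',':','2','2',':','3','3',':','4','4',':','5','5',0}};
    std::printf("unpatched, unterminated address: %s\n",
                demo::vulnerableCrashes(demo::AUDIO_DEVICE_OUT_BLUETOOTH_A2DP, crafted) ? "crash" : "ok");
    std::printf("patched,   unterminated address: state %d\n",
                int(demo::onGetDeviceConnectionState(demo::AUDIO_DEVICE_OUT_BLUETOOTH_A2DP, crafted, true)));
    std::printf("patched,   matching address:     state %d\n",
                int(demo::onGetDeviceConnectionState(demo::AUDIO_DEVICE_OUT_BLUETOOTH_A2DP, good, true)));
    return 0;
}
```

The choice made in the hardened variant matters: mapping NULL to the empty string makes a NULL-address query match any connected A2DP device, exactly as an explicit empty string already does in the original logic; returning DEVICE_STATE_UNAVAILABLE for a NULL address outright would be the stricter alternative. Either way the point is that the check sits before the String8 is built, because the Binder caller, not the service, decides whether readCString() hands back a pointer or NULL.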

References:

https://android.googlesource.com/platform/hardware/libhardware_legacy/+/2d2ea50df16fc1a04f1ebf8772c65c56e4f5ecfa
http://androidxref.com/4.4.4_r1/xref/hardware/libhardware_legacy/audio/AudioPolicyManagerBase.cpp#251

