CVE-2015-3842 – A new critical flaw threatens Android users

Pierluigi Paganini August 19, 2015

CVE-2015-3842 is a new flaw affecting the Android mediaserver, which can be exploited to perform attacks involving arbitrary code execution.

The problems for Android users continue, a long serie of vulnerabilities has been discovered by the experts in the last weeks, Stagefright, zero-day zero-day deserialization, and Certifi-Gate are the names of some of the flaw recently found.

Unfortunately, a new vulnerability (CVE-2015-3842) was discovered by security experts at Trend Micro that once again identified a flaw in the Android’s media server component. The new vulnerability could be exploited remotely to install malicious code on the target device just by sending a specially crafted multimedia message.

The CVE-2015-3842 vulnerability affects all the versions of Android devices including the Android 5.1.1 Lollipop, hundreds of Millions of Android mobile devices are exposed to cyber attacks.

Google has already patched this new issue affecting the media server component called AudioEffect. The attack exploits an unchecked variable that comes from the client, usually a mobile app.

“The vulnerability involves AudioEffect, a component of the mediaserver program. It uses an unchecked variable which comes from the client, which is usually an app. For an attack to begin, attackers convince the victim to install an app that doesn’t require any required permissions, giving them a false sense of security.” states the blog post published by TrendMicro.

The experts at Trend Micro explained that in order to exploit the Android CVE-2015-3842 vulnerability the attacker have to convince the victim to install a malicious app that does not ask for “any required permissions, giving them a false sense of security.”

The attacker can trigger a buffer heap overflow due to the lack of checks for the buffer pReplyData and pCmdData.

“The checking of the buffer sizes of pReplyData and pCmdData is not correct. The buffer sizes of both pReplyDataand pCmdData and the buffer pCmdData itself all come from client-supplied parameters. As the mediaserver component uses these buffers, it reads a size coming from the buffer pCmdData; the mediaserver component assumes the buffer sizes of pReplyData and pCmdData are bigger than this size. We can make the buffer size ofpReplyData, which is client-supplied, smaller than the size read from the buffer pCmdData. This causes a heap overflow.” continues the post.

The researchers have released a proof-of-concept (PoC) mobile app that exploits the Android CVE-2015-3842 vulnerability. The app works fine on a Nexus 6 handset running Android 5.1.1 Build LMY47Z.

CVE-2015-3842 poc android

Once installed the malicious app on the device, the app crashes the Android mediaserver component by triggering the heap overflow for the pReplyData buffer. In case the mediaserver component does not crash, the POC app will be closed and run again.

Google has already fixed the Android CVE-2015-3842 vulnerability, but it is necessary that device manufacturers and carriers will push the fix to end-users, and this process could take time.

At the time I’m writing there is no news attacks exploiting the flaw in the wild, but researchers warn the mobile industry on the risks for unpatched systems.

Pierluigi Paganini

(Security Affairs – CVE-2015-3842, Android)



you might also like

leave a comment