CVE-2015-1538
Published 2015-10-01
PriorityP275critical10CVSS 2.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 99.06% (99.9th percentile)
Integer overflow in the SampleTable::setSampleToChunkParams function in SampleTable.cpp in libstagefright in Android before 5.1.1 LMY48I allows remote attackers to execute arbitrary code via crafted atoms in MP4 data that trigger an unchecked multiplication, aka internal bug 20139950, a related issue to CVE-2015-4496.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| android | | <= 5.1 | — |
| android | | — | — |
| mozilla | firefox | <= 37.0.2 | — |
| mozilla | firefox | >= 0 < 40.0+build4-0ubuntu0.14.04.4 | 40.0+build4-0ubuntu0.14.04.4 |
| oracle | solaris | — | — |
Detection & IOCs
path: /system/bin/sh
bytes: stsc|00 00 00 00 C0 00 00 03|
bytes: |00 00 00 18 66 74 79 70|mp4
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - STSC"; flow:established,to_client; file.data; content:"stsc|00 00 00 00 C0 00 00 03|"; fast_pattern; content:!"|00 00 00 00|"; within:4; pcre:"/^(?P<addr1>.{4})(?P<addr2>.{4})(?P=addr2)(?P=addr1)/Rsi"; reference:cve,2015-1538; reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021759; rev:3; metadata:created_at 2015_09_10, cve CVE_2015_1538, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_14;)
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - Shell"; flow:established,to_client; file.data; content:"|00 00 00 18 66 74 79 70|mp4"; within:13; content:"/system/bin/sh"; fast_pattern; reference:cve,2015-1538; reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021757; rev:4; metadata:created_at 2015_09_10, cve CVE_2015_1538, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_14;)
- The exploit uses a heap spray via large 'tx3g' and 'covr'/'ilst' metadata chunks to position a fake StrongPointer object at a predictable address; detect MP4 files with anomalously large or numerous metadata atoms (covr, ilst, etc.).
- The ROP pivot targets address 0xb0002850 (__dl_restore_core_regs) in the Android dynamic linker; this fixed address is specific to the 'takju @ imm76i' build and can be used as a versioned indicator.
- The Snort/ET rule for the STSC variant uses a PCRE to detect repeated address patterns in the stsc overflow payload, matching the ROP spray structure: /^(?P<addr1>.{4})(?P<addr2>.{4})(?P=addr2)(?P=addr1)/Rsi
- The vulnerability affects Android AOSP 5.1 and below; systems running later versions are not affected by this specific CVE.
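The byte pattern in the STSC rule decodes to an `stsc` box with version/flags 0 and an entry count of 0xC0000003; multiplied by the 12-byte `stsc` entry size of the ISO base media file format, that count wraps a 32-bit size to 0x24. The C below is an added example, not libstagefright code and not taken from the sources quoted on this page: it shows the wrapped size beside a 64-bit-checked scanner run over two constructed boxes, and all function and sample names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One stsc entry: first_chunk, samples_per_chunk, sample_description_index. */
#define STSC_ENTRY_BYTES 12u

/* Size computed in 32 bits with no check: wraps modulo 2^32. */
static uint32_t unchecked_table_bytes(uint32_t entry_count) {
    return (uint32_t)(entry_count * STSC_ENTRY_BYTES);
}

/* Checked form: multiply in 64 bits, compare with bytes the box really holds. */
static int stsc_count_fits(uint32_t entry_count, uint64_t payload_bytes) {
    return (uint64_t)entry_count * STSC_ENTRY_BYTES <= payload_bytes;
}

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Return 1 if any 'stsc' box declares more entries than its size allows. */
static int has_oversized_stsc(const uint8_t *buf, size_t len) {
    for (size_t i = 4; i + 12 <= len; i++) {
        if (memcmp(buf + i, "stsc", 4) != 0) continue;
        uint32_t box_size = be32(buf + i - 4); /* size precedes the type */
        uint32_t count = be32(buf + i + 8);    /* follows version/flags */
        /* 16 = size + type + version/flags + entry_count fields */
        uint64_t payload = box_size >= 16 ? (uint64_t)box_size - 16 : 0;
        if (!stsc_count_fits(count, payload)) return 1;
    }
    return 0;
}

/* Constructed samples: a 28-byte stsc box with one entry, and the same box
   carrying the entry count bytes from the rule (C0 00 00 03). */
static const uint8_t SAMPLE_OK[28] = {0,0,0,0x1C,'s','t','s','c',0,0,0,0,
    0,0,0,1, 0,0,0,1, 0,0,0,1, 0,0,0,1};
static const uint8_t SAMPLE_BAD[28] = {0,0,0,0x1C,'s','t','s','c',0,0,0,0,
    0xC0,0,0,3, 0,0,0,1, 0,0,0,1, 0,0,0,1};

int main(void) {
    printf("wrapped size: 0x%x\n", (unsigned)unchecked_table_bytes(0xC0000003u));
    printf("ok=%d bad=%d\n", has_oversized_stsc(SAMPLE_OK, sizeof SAMPLE_OK),
           has_oversized_stsc(SAMPLE_BAD, sizeof SAMPLE_BAD));
    return 0;
}
```

A size field of 0 or 1 (box runs to end of file, or uses a 64-bit size) is treated here as having no payload, so such a box is flagged whenever its entry count is nonzero.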
CVSS provenance
nvd: v2.0, 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
osv: 10.0 CRITICAL
vendor_redhat: 10.0 CRITICAL
Red Hat
Mozilla: Integer overflows in libstagefright while processing MP4 video metadata (MFSA 2015-93)
vendor_redhat·2015-08-12·CVSS 10.0
CVE-2015-4496 [CRITICAL] CWE-190 Mozilla: Integer overflows in libstagefright while processing MP4 video metadata (MFSA 2015-93)
Multiple integer overflows in libstagefright in Mozilla Firefox before 38.0 allow remote attackers to execute arbitrary code via crafted sample metadata in an MPEG-4 video file, a related issue to CVE-2015-1538.
Android
CVE-2015-1538: Android Security Bulletin 2015-08-01
vendor_android·2015-08-01·CVSS 10.0
Android Security Bulletin 2015-08-01
CVE: CVE-2015-1538
Severity: CRITICAL
Affected AOSP versions: 5.1 and below
GHSA
GHSA-grmx-f2j7-2qwf: Multiple integer overflows in libstagefright in Mozilla Firefox before 38
ghsa_unreviewed·2022-05-17·CVSS 10.0
CVE-2015-4496 [CRITICAL] GHSA-grmx-f2j7-2qwf: Multiple integer overflows in libstagefright in Mozilla Firefox before 38
Multiple integer overflows in libstagefright in Mozilla Firefox before 38.0 allow remote attackers to execute arbitrary code via crafted sample metadata in an MPEG-4 video file, a related issue to CVE-2015-1538.
GHSA
GHSA-jwjv-jgw7-mgm2: SampleTable
ghsa_unreviewed·2022-05-17·CVSS 10.0
CVE-2015-6575 [CRITICAL] GHSA-jwjv-jgw7-mgm2: SampleTable
SampleTable.cpp in libstagefright in Android before 5.1.1 LMY48I does not properly consider integer promotion, which allows remote attackers to execute arbitrary code or cause a denial of service (integer overflow and memory corruption) via crafted atoms in MP4 data, aka internal bug 20139950, a different vulnerability than CVE-2015-1538. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-7915, CVE-2014-7916, and/or CVE-2014-7917.
GHSA
GHSA-9662-qxrh-f9g6: Integer overflow in the SampleTable::setSampleToChunkParams function in SampleTable
ghsa_unreviewed·2022-05-17·CVSS 9.3
CVE-2015-1538 [CRITICAL] GHSA-9662-qxrh-f9g6: Integer overflow in the SampleTable::setSampleToChunkParams function in SampleTable
Integer overflow in the SampleTable::setSampleToChunkParams function in SampleTable.cpp in libstagefright in Android before 5.1.1 LMY48I allows remote attackers to execute arbitrary code via crafted atoms in MP4 data that trigger an unchecked multiplication, aka internal bug 20139950, a related issue to CVE-2015-4496.
OSV
CVE-2015-4496: Multiple integer overflows in libstagefright in Mozilla Firefox before 38
osv·2015-08-16·CVSS 10.0
CVE-2015-4496 [CRITICAL] CVE-2015-4496: Multiple integer overflows in libstagefright in Mozilla Firefox before 38
Multiple integer overflows in libstagefright in Mozilla Firefox before 38.0 allow remote attackers to execute arbitrary code via crafted sample metadata in an MPEG-4 video file, a related issue to CVE-2015-1538.
Suricata
ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - STSC
suricata·2015-09-10·CVSS 10.0
CVE-2015-1538 [CRITICAL] ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - STSC
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - STSC"; flow:established,to_client; file.data; content:"stsc|00 00 00 00 C0 00 00 03|"; fast_pattern; content:!"|00 00 00 00|"; within:4; pcre:"/^(?P<addr1>.{4})(?P<addr2>.{4})(?P=addr2)(?P=addr1)/Rsi"; reference:cve,2015-1538; reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021759; rev:3; metadata:created_at 2015_09_10, cve CVE_2015_1538, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_14;)
Suricata
ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - Shell
suricata·2015-09-10·CVSS 10.0
CVE-2015-1538 [CRITICAL] ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - Shell
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - Shell"; flow:established,to_client; file.data; content:"|00 00 00 18 66 74 79 70|mp4"; within:13; content:"/system/bin/sh"; fast_pattern; reference:cve,2015-1538; reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021757; rev:4; metadata:created_at 2015_09_10, cve CVE_2015_1538, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_14;)
Suricata
ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - ROP
suricata·2015-09-10·CVSS 10.0
CVE-2015-1538 [CRITICAL] ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - ROP
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - ROP"; flow:established,to_client; file.data; content:"|00 00 00 18 66 74 79 70|mp4"; within:13; content:"|98 2A 00 B0 B3 38 00 B0|"; fast_pattern; content:"|00 10 00 00 07 00 00 00 03 D0 00 D0 04 D0 00 D0 44 11 00 B0|"; distance:4; within:20; reference:cve,2015-1538; reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021758; rev:3; metadata:created_at 2015_09_10, cve CVE_2015_1538, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_14;)
Recorded Future
Stagefright Exploits Hit the Web | Recorded Future
blogs_recorded_future·CVSS 10.0
[CRITICAL] Stagefright Exploits Hit the Web | Recorded Future
## Stagefright Exploits Hit the Web
Exploits and proof of concepts (POCs) are appearing on the Web for Stagefright, hyped as the "Mother of all Android vulnerabilities" capable of gaining remote code execution privileges via a malicious MMS (e.g., a picture message). This collection of 10 vulnerabilities reportedly impacts 95% of all Android devices - over 900 million phones.
Recorded Future has identified shared exploits and POCs appearing on the Web 10 days after the July 21 announcement by Zimperium zLabs researcher Joshua Drake.
The first known publicly available POC appeared on Chinese language forum heishou.com.cn on July 31 and was subsequently shared on Twitter and reposted on other forums.
Packaged exploits for use by lower skilled cyber crimina
arXiv
Software Vulnerability Analysis Using CPE and CVE
arxiv_fulltext·2017-05-15
Luis Alberto Benthin Sanguino
Rafael Uetz
Fraunhofer FKIE, Bonn, Germany
## Abstract
In this paper, we analyze the Common Platform Enumeration (CPE) dictionary and the Common Vulnerabilities and Exposures (CVE) feeds. These repositories are widely used in Vulnerability Management Systems (VMSs) to check for known vulnerabilities in software products. The analysis shows, among other issues, a lack of synchronization between both datasets that can lead to incorrect results output by VMSs relying on those datasets. To deal with these problems, we developed a method that recommends to a user a prioritized list of CPE identifiers for a given software product. The user can then as
arXiv
An Empirical Study on Android-related Vulnerabilities
arxiv_fulltext·2017-04-11
Mario Linares-Vásquez^1, Gabriele Bavota^2, Camilo Escobar-Velásquez^1
^1 Systems and Computing Engineering Department, Universidad de los Andes, Bogotá, Colombia
^2 Faculty of Informatics, Universita della Svizzera Italiana, Lugano, Switzerland
## Abstract
Mobile devices are used more and more in everyday life. They are our cameras, wallets, and keys. Basically, they embed most of our private information in our pocket. For this and other reasons, mobile devices, and in particular the software that runs on them, are considered first-class citizens in the software-vulnerabilities landscape. Several studies investigated the software-vulnerabilities ph
http://packetstormsecurity.com/files/134131/Libstagefright-Integer-Overflow-Check-Bypass.html
http://www.huawei.com/en/psirt/security-advisories/hw-448928
http://www.securityfocus.com/bid/76052
http://www.securitytracker.com/id/1033094
http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-448928.htm
https://android.googlesource.com/platform/frameworks/av/+/2434839bbd168469f80dd9a22f1328bc81046398
https://groups.google.com/forum/message/raw?msg=android-security-updates/Ugvu3fi6RQM/yzJvoTVrIQAJ
https://www.exploit-db.com/exploits/38124/