cbcvebase.
CVE-2015-1538
published 2015-10-01

Priority: P275 critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 99.06% (99.9th percentile)
Integer overflow in the SampleTable::setSampleToChunkParams function in SampleTable.cpp in libstagefright in Android before 5.1.1 LMY48I allows remote attackers to execute arbitrary code via crafted atoms in MP4 data that trigger an unchecked multiplication, aka internal bug 20139950, a related issue to CVE-2015-4496.

Affected (5 ranges)

Vendor   Product  Version range                          Fixed in
google   android  <= 5.1
google   android
mozilla  firefox  <= 37.0.2
mozilla  firefox  >= 0 < 40.0+build4-0ubuntu0.14.04.4    40.0+build4-0ubuntu0.14.04.4
oracle   solaris

Detection & IOCs (extracted from sources)

path: /system/bin/sh
bytes: stsc|00 00 00 00 C0 00 00 03|
bytes: |00 00 00 18 66 74 79 70|mp4
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - STSC"; flow:established,to_client; file.data; content:"stsc|00 00 00 00 C0 00 00 03|"; fast_pattern; content:!"|00 00 00 00|"; within:4; pcre:"/^(?P<addr1>.{4})(?P<addr2>.{4})(?P=addr2)(?P=addr1)/Rsi"; reference:cve,2015-1538; reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021759; rev:3; metadata:created_at 2015_09_10, cve CVE_2015_1538, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_14;)
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - Shell"; flow:established,to_client; file.data; content:"|00 00 00 18 66 74 79 70|mp4"; within:13; content:"/system/bin/sh"; fast_pattern; reference:cve,2015-1538; reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021757; rev:4; metadata:created_at 2015_09_10, cve CVE_2015_1538, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_14;)
  • The exploit uses a heap spray via large 'tx3g' and 'covr'/'ilst' metadata chunks to position a fake StrongPointer object at a predictable address; detect MP4 files with anomalously large or numerous metadata atoms (covr, ilst, etc.).
  • The ROP pivot targets address 0xb0002850 (__dl_restore_core_regs) in the Android dynamic linker; this fixed address is specific to the 'takju @ imm76i' build and can be used as a versioned indicator.
  • The Snort/ET rule for the STSC variant uses a PCRE to detect repeated address patterns in the stsc overflow payload, matching the ROP spray structure: /^(?P<addr1>.{4})(?P<addr2>.{4})(?P=addr2)(?P=addr1)/Rsi
  • The vulnerability affects Android AOSP 5.1 and below; systems running later versions are not affected by this specific CVE.
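An added detection check, written for this entry and not taken from the page's sources or from the Android code base: it does in Python what the first ET rule above does with a byte pattern, walking the MP4 box tree to the stsc atom and flagging an entry count whose product with the 12-byte entry size overflows 32 bits (the unchecked multiplication in setSampleToChunkParams) or exceeds the atom's own payload. The sample file is constructed inline; its entry count 0xC0000003 is the value the rule's content match looks for.

```python
import struct

ENTRY_SIZE = 12   # an stsc entry is three uint32 fields (first_chunk, samples_per_chunk, desc_index)
CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl"}   # boxes whose payload is more boxes

def box(kind: bytes, payload: bytes) -> bytes:
    """Serialize one ISO BMFF box: 32-bit big-endian size, 4-byte type, payload."""
    return struct.pack(">I", 8 + len(payload)) + kind + payload

def iter_boxes(data: bytes, offset: int = 0, end=None):
    """Yield (type, payload_start, payload_end) for every box, descending into containers."""
    end = len(data) if end is None else end
    while offset + 8 <= end:
        size, kind = struct.unpack_from(">I4s", data, offset)
        if size < 8 or offset + size > end:      # bogus or truncated size: stop, never read past end
            return
        yield kind, offset + 8, offset + size
        if kind in CONTAINERS:
            yield from iter_boxes(data, offset + 8, offset + size)
        offset += size

def check_stsc(data: bytes) -> list:
    """Return a finding per stsc atom whose entry count cannot be backed by a sane allocation."""
    findings = []
    for kind, start, end in iter_boxes(data):
        if kind != b"stsc" or end - start < 8:
            continue
        entry_count = struct.unpack_from(">I", data, start + 4)[0]   # uint32 after version/flags
        alloc = entry_count * ENTRY_SIZE
        if alloc > 0xFFFFFFFF:
            # On a 32-bit build the product wraps, so the entry array is allocated far too small
            # and the parser later writes past it; 0xC0000003 * 12 wraps to 0x24.
            findings.append(f"stsc entry_count={entry_count:#x}: 32-bit overflow, "
                            f"wraps to {alloc & 0xFFFFFFFF:#x}")
        elif alloc > end - start - 8:
            findings.append(f"stsc entry_count={entry_count:#x}: more entries than atom payload")
    return findings

def build_sample(entry_count: int, entries: bytes = b"") -> bytes:
    """Constructed minimal MP4 (ftyp + moov/trak/mdia/minf/stbl/stsc) with the given stsc count."""
    stsc = box(b"stsc", struct.pack(">II", 0, entry_count) + entries)  # version/flags = 0
    moov = box(b"moov", box(b"trak", box(b"mdia", box(b"minf", box(b"stbl", stsc)))))
    ftyp = box(b"ftyp", b"mp42" + b"\0\0\0\0" + b"mp42isom")  # 0x18-byte ftyp, as in the rule
    return ftyp + moov

if __name__ == "__main__":
    for line in check_stsc(build_sample(0xC0000003)):
        print(line)
```

Run it against a corpus of MP4 samples to triage files whose stsc count is implausible; a clean file with a consistent count returns an empty list.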

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v2.0     10.0   CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
osv                     10.0   CRITICAL
vendor_redhat           10.0   CRITICAL