CVE-2015-3864
Published: 2015-10-01


Priority: P275, critical
CVSS 2.0: 10 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 87.13% (99.7th percentile)
Integer underflow in the MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp in libstagefright in mediaserver in Android before 5.1.1 LMY48M allows remote attackers to execute arbitrary code via crafted MPEG-4 data, aka internal bug 23034759. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3824.

Affected (2 ranges)

Vendor: google | Product: android | Version range: <= 5.1 | Fixed in: (not listed)
Vendor: google | Product: android | Version range: (not listed) | Fixed in: (not listed)

Detection & IOCs (extracted from sources)

filename: libstagefright.so
url: https://github.com/NorthBit/Metaphor
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39640.zip
process: mediaserver
path: MPEG4Extractor.cpp
command: metaphor.py [-h] [-c CONFIG] -o OUTPUT {leak,rce,suicide}
  • Detect delivery of a specially crafted MP4 file served with gzip Content-Encoding targeting Android mediaserver; the exploit server sets Content-Type: video/mp4 and Content-Encoding: gzip for the malicious file.
  • Look for MP4 files containing two tx3g atoms whose combined sizes cause an integer overflow; the second tx3g atom will have a crafted negative/underflowed length field.
  • Monitor the Android mediaserver process for anomalous heap allocations or crashes; the exploit corrupts MetaData read by the browser from mediaserver to leak heap and vtable addresses.
  • Detect browser User-Agent strings matching Android 5.0/5.1 device builds (e.g., LRX21P, LRX22C, LMY47O, LMY48I) being served exploit MP4 content; the Metasploit module maps specific build strings to exploit targets.
  • The exploit uses pssh, avcC, hvcC, and tx3g MP4 atom types for heap grooming and overflow; anomalous combinations of these atoms in a single MP4 trak box are a strong indicator of exploitation.
  • The exploit page uses a JavaScript setTimeout reload loop (4000ms) to repeatedly attempt exploitation; detect HTML pages with this pattern serving MP4 video content.
  • The exploit targets a heap spray address of 0xb3000000 and mmap address of 0x90000000 on ARM; memory forensics or crash dumps showing RIP/PC near these addresses indicate active exploitation.
  • The Metasploit exploit only yields a shell on devices without SELinux or with SELinux in permissive mode; devices with enforcing SELinux (e.g., Nexus) block execve from the mediaserver process.
  • The vulnerability exists because of an incomplete fix for CVE-2015-3824; patches for CVE-2015-3824 alone are insufficient to remediate this issue.
  • The exploit is architecture-specific (ARM LE); x86, x86_64, and MIPS targets are noted as TODO in the Metasploit module.
  • The Metaphor PoC includes lookup tables only for Nexus 5 Build LRX22C with Android 5.0.1; other targets require separate ROP chain development.