VYPR

NVD Advisory (severity unrated) · Published Oct 1, 2015 · Updated May 6, 2026

CVE-2015-3864

Description

Integer underflow in the MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp in libstagefright in mediaserver in Android before 5.1.1 LMY48M allows remote attackers to execute arbitrary code via crafted MPEG-4 data, aka internal bug 23034759. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3824.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Integer underflow in Android mediaserver's MPEG4Extractor::parseChunk allows remote code execution via crafted MPEG-4 data.

Vulnerability

An integer underflow vulnerability exists in the MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp within libstagefright of Android's mediaserver [4]. This issue affects Android versions before 5.1.1 LMY48M, where the chunk_size field is a uint64_t that can legitimately exceed SIZE_MAX, causing an underflow in a subtraction operation [4]. The vulnerability is a direct result of an incomplete fix for CVE-2015-3824 [4]. Affected versions include Android 5.0 through 5.1.1 prior to LMY48M [1][2].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious MPEG-4 file with a specially designed tx3g atom that causes an integer overflow when summing atom sizes, leading to insufficient buffer allocation and subsequent heap overflow [1][2]. The attack can be delivered remotely via an HTML5-compliant browser, without requiring user interaction beyond viewing the page [1]. The Metasploit module demonstrates a two-stage information leak technique to bypass ASLR by corrupting MetaData read by mediaserver, leaking heap addresses via video element properties [1].

Impact

Successful exploitation allows remote attackers to execute arbitrary code with the privileges of the mediaserver process, which runs as the media user [1][2]. This can lead to complete compromise of the affected device's media capabilities and potential escalation to other services. The attack achieves arbitrary code execution with no authentication required [1].

Mitigation

The vulnerability was fixed in Android 5.1.1 LMY48M, released on 2015-10-01, with commit 6fe85f7e15203e48df2cc3e8e1c4bc6ad49dc968 [4]. The fix explicitly handles the case where chunk_size is greater than SIZE_MAX to prevent underflow [4]. Users should update to Android 5.1.1 LMY48M or later. No other workarounds are available for unpatched devices.
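As an added illustration (not code from this advisory, from AOSP, or from the referenced commit), the C program below shows the box-header size arithmetic that the Vulnerability and Mitigation sections describe: the unsigned subtraction that wraps when chunk_size is smaller than its own header, beside a checked version that compares before subtracting, rejects a 64-bit data size that would not fit in size_t, and bounds the result by the bytes actually available. The function and type names are assumed, the sample boxes are constructed, and the code does not reproduce the structure of MPEG4Extractor::parseChunk; it only models the check the fix is described as adding.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Status codes for the illustrative header parser (names are assumptions). */
enum chunk_status {
    CHUNK_OK = 0,
    CHUNK_TRUNCATED,   /* buffer too short to hold the header itself */
    CHUNK_UNDERFLOW,   /* chunk_size smaller than its own header */
    CHUNK_TOO_LARGE    /* data size not representable in size_t or past buffer end */
};

struct chunk_header {
    uint64_t chunk_size;   /* full box size including header */
    uint64_t header_len;   /* 8, or 16 when the 64-bit largesize form is used */
    size_t   data_size;    /* chunk_size - header_len, valid only on CHUNK_OK */
    char     type[5];      /* four-character box type, NUL terminated */
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint64_t be64(const uint8_t *p) {
    return ((uint64_t)be32(p) << 32) | be32(p + 4);
}

/* The vulnerable pattern: subtract first, narrow to the allocation type, and
 * only compare afterwards. With chunk_size < header_len the unsigned
 * subtraction wraps, e.g. 4 - 8 becomes 0xFFFFFFFC. */
uint32_t naive_data_size_u32(uint64_t chunk_size, uint64_t header_len) {
    return (uint32_t)(chunk_size - header_len);
}

/* The checked arithmetic. size_max is passed in (SIZE_MAX on a real build) so
 * a 32-bit build can be modelled on any host by passing UINT32_MAX. */
enum chunk_status checked_data_size(uint64_t chunk_size, uint64_t header_len,
                                    uint64_t size_max, uint64_t avail, uint64_t *out) {
    if (avail < header_len) return CHUNK_TRUNCATED;
    if (chunk_size < header_len) return CHUNK_UNDERFLOW;      /* compare before subtracting */
    uint64_t data_size = chunk_size - header_len;
    if (data_size > size_max) return CHUNK_TOO_LARGE;         /* would not fit in size_t */
    if (data_size > avail - header_len) return CHUNK_TOO_LARGE; /* runs past the buffer */
    if (out) *out = data_size;
    return CHUNK_OK;
}

/* Parse one ISO BMFF box header at buf[0..avail): 32-bit size and type, with
 * size == 1 meaning a 64-bit largesize follows and size == 0 meaning the box
 * extends to the end of the buffer. */
enum chunk_status parse_chunk_header(const uint8_t *buf, size_t avail, struct chunk_header *out) {
    if (avail < 8) return CHUNK_TRUNCATED;
    uint64_t chunk_size = be32(buf);
    uint64_t header_len = 8;
    memcpy(out->type, buf + 4, 4);
    out->type[4] = '\0';
    if (chunk_size == 1) {
        if (avail < 16) return CHUNK_TRUNCATED;
        chunk_size = be64(buf + 8);
        header_len = 16;
    } else if (chunk_size == 0) {
        chunk_size = avail;
    }
    out->chunk_size = chunk_size;
    out->header_len = header_len;
    uint64_t data_size;
    enum chunk_status st = checked_data_size(chunk_size, header_len, (uint64_t)SIZE_MAX,
                                             avail, &data_size);
    if (st != CHUNK_OK) return st;
    out->data_size = (size_t)data_size;   /* safe: bounded by size_max above */
    return CHUNK_OK;
}

/* Convenience wrapper used by the demo and the checks below. */
enum chunk_status check_sample(const uint8_t *buf, size_t len, size_t *data_size_out) {
    struct chunk_header h;
    enum chunk_status st = parse_chunk_header(buf, len, &h);
    if (st == CHUNK_OK && data_size_out) *data_size_out = h.data_size;
    return st;
}

/* Constructed sample boxes (not taken from any real file). */
static const uint8_t SAMPLE_GOOD[24] = {            /* size 24 'ftyp' + 16 payload bytes */
    0x00, 0x00, 0x00, 0x18, 'f', 't', 'y', 'p',
    'i', 's', 'o', 'm', 0x00, 0x00, 0x00, 0x01, 'i', 's', 'o', 'm', 'm', 'p', '4', '2' };
static const uint8_t SAMPLE_UNDERFLOW[8] = {        /* size 4: smaller than its own header */
    0x00, 0x00, 0x00, 0x04, 'm', 'o', 'o', 'v' };
static const uint8_t SAMPLE_LARGE[16] = {           /* largesize 0x100000010: 4 GiB of data */
    0x00, 0x00, 0x00, 0x01, 'm', 'd', 'a', 't',
    0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x10 };

int main(void) {
    size_t n = 0;
    printf("good:      status %d, data_size %zu\n", check_sample(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &n), n);
    printf("underflow: status %d (naive u32 would be 0x%08x)\n",
           check_sample(SAMPLE_UNDERFLOW, sizeof SAMPLE_UNDERFLOW, NULL), naive_data_size_u32(4, 8));
    printf("large:     status %d\n", check_sample(SAMPLE_LARGE, sizeof SAMPLE_LARGE, NULL));
    return 0;
}
```

The order of the checks is the point: the comparison against the header length happens before any subtraction, the 64-bit result is compared against the size_t ceiling before it is narrowed, and the remaining buffer length bounds the result so that a well-formed but absurdly large largesize is rejected rather than allocated for.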

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 8

News mentions: 0 (no linked articles in our index yet)