Heap corruption can also lead to a denial-of-service condition

Mar 12, 2015 16:20 GMT  ·  By

The release of Android 5.1 integrates fixes for two security vulnerabilities that can grant an attacker elevated privileges on the device or lead to a denial-of-service condition.

Both vulnerabilities are integer overflows and affect all versions of Android earlier than 5.1, according to the researcher who discovered them and disclosed them responsibly to Google.

Proof of concept published

Guang Gong from Chinese antivirus vendor Qihoo 360 found that an integer overflow (CVE-2015-1530) in the mobile operating system’s media component could be exploited from an ordinary, unprivileged application to trigger heap corruption in the Media Server (mediaserver) process.

The result can be either privilege escalation or a denial of service, reached via vectors that pass a large count value to the vulnerable code. The researcher created a proof-of-concept that demonstrates the issue and published it on the Full Disclosure security mailing list.

This bug was reported to Google in early November 2014 and an internal fix for it was created on November 8, 2014. The full patch has been integrated in the recently released Lollipop 5.1.

Second flaw needed a double patch

The other flaw (CVE-2015-1474) is of the same kind as the previous one (an integer overflow) and has the same consequences if exploited successfully, but it lies in the “unflatten” function of Android’s GraphicBuffer wrapper, the code that rebuilds a graphic buffer object from its serialized (flattened) form.

“Multiple integer overflows in the GraphicBuffer::unflatten function in platform/frameworks/native/libs/ui/GraphicBuffer.cpp in Android through 5.0 allow attackers to gain privileges or cause a denial of service (memory corruption) via vectors that trigger a large number of (1) file descriptors or (2) integer values,” explains Gong.

The heap corruption in this case would occur in SurfaceFlinger (the compositor that allocates frame buffers for drawing app windows) and in Android’s core System Server process, since both unflatten graphic buffers handed to them by other processes.
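Both bugs belong to the same class: a size check computed in 32-bit arithmetic from attacker-controlled counts (the “large count value” of the first flaw, the “large number of file descriptors or integer values” of the second) wraps around, so a tiny message passes the check and the copy that follows runs past the heap allocation. The following C program is an added illustration written for this page, not Android’s code and not Gong’s proof of concept; it uses a constructed toy wire format (a 4-byte fd count, a 4-byte int count, then the ints) and invented helper names (`vuln_length_check`, `safe_length_check`, `unflatten`) to show the vulnerable check beside a hardened one.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Toy flattened-buffer layout (constructed for this example, not the real
 * GraphicBuffer wire format): 4-byte numFds, 4-byte numInts, then numInts
 * 4-byte values. File descriptors travel out of band, as with Binder, so
 * only their count appears in the byte stream. */
#define HEADER_BYTES 8u
#define MAX_FDS  16u   /* what a sane consumer is prepared to accept */
#define MAX_INTS 64u

/* Vulnerable pattern: the required size is computed in 32-bit arithmetic
 * from attacker-controlled counts, so (numFds + numInts) * 4 wraps and a
 * tiny buffer passes the check. The copy that follows then reads or writes
 * far past the allocation: heap corruption. */
bool vuln_length_check(uint32_t size, uint32_t numFds, uint32_t numInts)
{
    uint32_t needed = HEADER_BYTES + (numFds + numInts) * 4u; /* can wrap */
    return size >= needed;
}

/* Hardened pattern: never add or multiply attacker-controlled counts before
 * bounding them. Each count is checked against what the consumer will
 * allocate and against what the remaining bytes can actually hold. */
bool safe_length_check(uint32_t size, uint32_t numFds, uint32_t numInts)
{
    if (size < HEADER_BYTES)
        return false;
    uint32_t payload = size - HEADER_BYTES;
    if (numFds > MAX_FDS || numInts > MAX_INTS)
        return false;                 /* absurd counts: reject outright */
    if (numInts > payload / 4u)
        return false;                 /* not enough bytes for the ints */
    return true;
}

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse a flattened message into ints[] (capacity MAX_INTS). Returns the
 * number of ints copied, or -1 if the message is rejected. */
int unflatten(const uint8_t *buf, uint32_t size, uint32_t ints[MAX_INTS],
              uint32_t *numFdsOut)
{
    if (size < HEADER_BYTES)
        return -1;
    uint32_t numFds  = read_le32(buf);
    uint32_t numInts = read_le32(buf + 4);
    if (!safe_length_check(size, numFds, numInts))
        return -1;
    for (uint32_t i = 0; i < numInts; i++)
        ints[i] = read_le32(buf + HEADER_BYTES + 4u * i);
    *numFdsOut = numFds;
    return (int)numInts;
}

/* Constructed hostile header: numFds = numInts = 0x40000000. Their sum is
 * 0x80000000; times 4 that is 0x200000000, which truncates to 0 in uint32_t,
 * so the vulnerable check believes only 8 bytes are needed. */
static const uint8_t hostile[HEADER_BYTES] = {
    0x00, 0x00, 0x00, 0x40,   /* numFds  = 0x40000000 (little-endian) */
    0x00, 0x00, 0x00, 0x40,   /* numInts = 0x40000000 */
};

/* Constructed benign message: no fds, two ints. */
static const uint8_t benign[HEADER_BYTES + 8] = {
    0x00, 0x00, 0x00, 0x00,   /* numFds  = 0 */
    0x02, 0x00, 0x00, 0x00,   /* numInts = 2 */
    0x11, 0x22, 0x33, 0x44,   /* int 0 = 0x44332211 */
    0x55, 0x66, 0x77, 0x88,   /* int 1 = 0x88776655 */
};

bool hostile_passes_vuln_check(void)
{
    return vuln_length_check(sizeof hostile, read_le32(hostile),
                             read_le32(hostile + 4));
}

bool hostile_passes_safe_check(void)
{
    return safe_length_check(sizeof hostile, read_le32(hostile),
                             read_le32(hostile + 4));
}

int main(void)
{
    uint32_t ints[MAX_INTS], fds;
    printf("hostile header, vulnerable check: %s\n",
           hostile_passes_vuln_check() ? "ACCEPTED (overflow)" : "rejected");
    printf("hostile header, hardened check:   %s\n",
           hostile_passes_safe_check() ? "accepted" : "rejected");
    int n = unflatten(benign, sizeof benign, ints, &fds);
    printf("benign message: %d ints, %u fds, first int 0x%08x\n",
           n, fds, ints[0]);
    return 0;
}
```

The vulnerable check accepts an 8-byte message that claims over a billion ints; a real deserializer would then copy numInts words into a buffer it sized from the same wrapped arithmetic. The hardened check bounds each count separately, before any arithmetic, which is the shape of fix such bugs need (and why an incomplete first patch that bounds only one of the two counts still leaves the other exploitable).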

The severity score for this vulnerability has been calculated as 10, the highest possible under the Common Vulnerability Scoring System (CVSS) standard, because the attack can be carried out remotely, requires no authentication, and has a complete impact on confidentiality, integrity and availability.

By escalating privileges on the device, a third party could ultimately extract information (contact list, payment card data, messages, media files) and make unauthorized modifications.

The bug was disclosed to Google on October 20, 2014, and the vendor classified it as a high-severity vulnerability on November 4 of that year.

Repairing the flaw required Google to issue two patches, since the Qihoo researcher reported that the first one was incomplete. The second fix is available in Android 5.1.

Gong’s findings earned him a lonely spot on the Android Security Acknowledgements list for 2015. It is unclear if he received a monetary reward for his efforts.