Another flaw found in Android's mediaserver component

Aug 24, 2015 09:42 GMT

A Trend Micro researcher has found, disclosed and helped Google patch a vulnerability in Google's Android mobile operating system.

The vulnerability affects the very same mediaserver component responsible for the Stagefright bug, along with a later vulnerability that left Android devices continuously crashing in an endless loop.

The bug (CVE-2015-3842, ANDROID-21953516) is a heap overflow in the mediaserver's Audio Policy Service. It allows local APKs (Android apps) to execute arbitrary code inside the operating system's mediaserver process, with the same privileges as the mediaserver itself (system level).

As Wish Wu, the Trend Micro employee who discovered the vulnerability, explains, the vulnerability "involves AudioEffect, a component of the mediaserver program" and requires "attackers [to] convince the victim to install an app that doesn’t require any required permissions, giving them a false sense of security."

This app can leverage the mediaserver AudioEffect vulnerability, which uses "an unchecked variable which comes from the client, which is usually an app" (the malicious app in this scenario).

The unchecked variable can cause a heap overflow in the mediaserver component, and can be triggered whenever the malicious app is run.
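A simplified model of the bug class described above, added here as an illustration; it is not code from Android or from the researcher's report. The request layout, `REPLY_CAP` and the function names are hypothetical. It shows a service using a client-supplied length unchecked, next to the form that validates it against the real heap allocation.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define REPLY_CAP 32u            /* bytes the service allocates for a reply */

/* Hypothetical request as it arrives from the client app: every field is
 * controlled by the caller and must be treated as untrusted. */
struct request {
    uint32_t reply_size;         /* how many reply bytes the client asks for */
    uint8_t  fill;               /* stand-in for the effect's reply data */
};

/* Vulnerable shape: reply_size is used as a write length without being
 * compared with the size of the heap buffer it is applied to. */
int handle_unchecked(const struct request *rq, uint8_t *reply) {
    memset(reply, rq->fill, rq->reply_size);   /* overflows if > REPLY_CAP */
    return 0;
}

/* Hardened shape: validate the client value against the real allocation
 * before any write, and reject the request instead of truncating it. */
int handle_checked(const struct request *rq, uint8_t *reply, size_t reply_cap) {
    if (rq == NULL || reply == NULL) return -1;
    if (rq->reply_size == 0 || rq->reply_size > reply_cap) return -1;
    memset(reply, rq->fill, rq->reply_size);
    return (int)rq->reply_size;
}

/* Service-side dispatch: allocate the reply buffer, run the checked
 * handler, and return the bytes produced (-1 means request rejected). */
int serve(uint32_t client_reply_size) {
    struct request rq = { client_reply_size, 0x41 };
    uint8_t *reply = malloc(REPLY_CAP);
    if (reply == NULL) return -1;
    int n = handle_checked(&rq, reply, REPLY_CAP);
    free(reply);
    return n;
}

int main(void) {
    /* constructed inputs: one honest request, one oversized request */
    return (serve(16) == 16 && serve(4096) == -1) ? 0 : 1;
}
```

The check belongs on the service side of the IPC boundary, since the client app chooses the value and cannot be relied on to stay within the buffer.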

No attacks were detected using this vulnerability

By leveraging this vulnerability, attackers can gain "access to audio and video streams as well as access to privileged kernel driver device nodes on many devices that 3rd party apps cannot normally access," Android devs explain.

This security issue affects Android versions 2.3 up to 5.1.1 and has already been fixed. As the Google team points out, the vulnerability cannot be exploited remotely, and Trend Micro has also observed no active attacks exploiting its latest finding.

Additionally, Wish Wu is the first security researcher to receive compensation through the Android Security Rewards program. Since he disclosed the issue and provided proof-of-concept data and a patch, he is eligible to receive $4,000 / €3,500.