Merge pull request #61 from Fuzion24/feature/cve-2015-6608

Add check for cve-2015-6608

Author: Fuzion24

app/app.iml

@@ -90,7 +90,6 @@
       <excludeFolder url="file://$MODULE_DIR$/build/intermediates/rs" />
       <excludeFolder url="file://$MODULE_DIR$/build/intermediates/symbols" />
       <excludeFolder url="file://$MODULE_DIR$/build/outputs" />
-      <excludeFolder url="file://$MODULE_DIR$/build/tmp" />
     </content>
     <orderEntry type="jdk" jdkName="Android API 23 Platform" jdkType="Android SDK" />
     <orderEntry type="sourceFolder" forTests="false" />

app/src/main/assets/vuln_map.json

@@ -477,5 +477,30 @@
         "https://android.googlesource.com/platform/frameworks/av/+/6fe85f7e15203e48df2cc3e8e1c4bc6ad49dc968"
     ],
     "cvedate": "09/30/2015"
+  },
+  "CVE-2015-6608": {
+    "cve": "CVE-2015-6608",
+    "altnames": [
+      "Stagefright",
+      "ANDROID-19779574",
+      "ANDROID-23680780",
+      "ANDROID-23876444",
+      "ANDROID-23881715",
+      "ANDROID-14388161"
+    ],
+    "description": "During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process.",
+    "impact": "The affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media. This issue is rated as a Critical severity due to the possibility of remote code execution within the context of the mediaserver service. The mediaserver service has access to audio and video streams as well as access to privileges that third-party apps cannot normally access.",
+    "external_links": [
+      "https://groups.google.com/forum/#!topic/android-security-updates/GwZn7sixask"
+    ],
+    "cvssv2": 10,
+    "patch": [
+        "https://android.googlesource.com/platform%2Fframeworks%2Fav/+/8ec845c8fe0f03bc57c901bc484541bdd6a7cf80",
+        "https://android.googlesource.com/platform%2Fframeworks%2Fav/+/c6a2815eadfce62702d58b3fa3887f24c49e1864",
+        "https://android.googlesource.com/platform%2Fexternal%2Faac/+/b3c5a4bb8442ab3158fa1f52b790fadc64546f46",
+        "https://android.googlesource.com/platform%2Fexternal%2Ftremolo/+/3830d0b585ada64ee75dea6da267505b19c622fd",
+        "https://android.googlesource.com/platform%2Fframeworks%2Fav/+/3878b990f7d53eae7c2cf9246b6ef2db5a049872"
+    ],
+    "cvedate": "09/30/2015"
   }
 }

app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/VulnerabilityOrganizer.java

@@ -11,6 +11,7 @@
 import fuzion24.device.vulnerability.util.CPUArch;
 import fuzion24.device.vulnerability.vulnerabilities.framework.graphics.GraphicBufferTest;
 import fuzion24.device.vulnerability.vulnerabilities.framework.media.CVE_2015_6602;
+import fuzion24.device.vulnerability.vulnerabilities.framework.media.CVE_2015_6608;
 import fuzion24.device.vulnerability.vulnerabilities.framework.media.StageFright;
 import fuzion24.device.vulnerability.vulnerabilities.framework.serialization.OpenSSLTransientBug;
 import fuzion24.device.vulnerability.vulnerabilities.framework.zip.ZipBug8219321;
@@ -48,11 +49,17 @@ public static List<VulnerabilityTest> getTests(Context ctx){
         allTests.add(new CVE_2015_3636());
         //tests.add(new ZergRush()); // Hide super old bugs?
         allTests.add(new SamsungCREDzip());
+        allTests.add(new CVE_2015_6608());
 
         List<VulnerabilityTest> filteredTest = new ArrayList<VulnerabilityTest>();
         String cpuArch1 = SystemUtils.propertyGet(ctx, "ro.product.cpu.abi");
         String cpuArch2 = SystemUtils.propertyGet(ctx, "ro.product.cpu.abi2");
 
+
+        /*
+            The logic here is:
+              The test must support every architecture that the device lists
+         */
         for(VulnerabilityTest vt : allTests){
 
             if(vt.getSupportedArchitectures() == null) {

app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/framework/media/CVE_2015_6608.java

@@ -0,0 +1,119 @@
+package fuzion24.device.vulnerability.vulnerabilities.framework.media;
+
+import android.content.Context;
+import android.os.Build;
+import android.util.Log;
+
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.util.ArrayList;
+import java.util.List;
+
+import fuzion24.device.vulnerability.util.CPUArch;
+import fuzion24.device.vulnerability.vulnerabilities.VulnerabilityTest;
+import fuzion24.device.vulnerability.vulnerabilities.helper.BinaryAssets;
+import fuzion24.device.vulnerability.vulnerabilities.helper.KMPMatch;
+import fuzion24.device.vulnerability.vulnerabilities.helper.SystemUtils;
+
+/**
+ * Created by fuzion24 on 11/16/15.
+ */
+
+
+/*
+https://android.googlesource.com/platform/external/tremolo/+/3830d0b585ada64ee75dea6da267505b19c622fd%5E%21/#F1
+https://android.googlesource.com/platform/frameworks/av/+/c6a2815eadfce62702d58b3fa3887f24c49e1864%5E%21/#F0
+
+2|shell@flounder_lte:/ $ grep -F "b/23881715" /system/lib/libstagefright.so
+1|shell@flounder_lte:/ $ grep -F "b/23881715" /system/lib64/libstagefright.so
+*/
+
+
+
+public class CVE_2015_6608 implements VulnerabilityTest {
+
+    private static final String TAG = "CVE-2015-6608";
+
+    @Override
+    public String getCVEorID() {
+        return "CVE-2015-6608";
+    }
+
+    @Override
+    public boolean isVulnerable(Context context) throws Exception {
+        /*
+            The patch includes logging messages for when the vulnerable code paths are hit.
+            We can simply look for the inclusion of the strings in the libraries to determine
+            whether or not the device has a patched libstagefright.so
+         */
+
+        File stagefrightlib = new File("/system/lib/libstagefright.so");
+        File stagefrightlib64 = new File("/system/lib64/libstagefright.so");
+
+        File softAAClib = new File("/system/lib/libstagefright_soft_aacdec.so");
+
+        File libvorbisidec = new File("/system/lib/libvorbisidec.so");
+
+        if(!stagefrightlib.exists() || !stagefrightlib.isFile()){
+            throw new Exception("libstagefright.so doesn't exist or is not a file");
+        }
+
+        if(!softAAClib.exists()){
+            throw new Exception("libstagefright_soft_aacdec.so does not exist");
+        }
+
+        if(!libvorbisidec.exists()){
+            throw new Exception("libvorbisidec.so does not exist");
+        }
+
+
+        ByteArrayOutputStream libStageFrightBAOS = new ByteArrayOutputStream((int)stagefrightlib.length());
+        BinaryAssets.copy(new FileInputStream(stagefrightlib), libStageFrightBAOS);
+        byte[] libstagefrightSO = libStageFrightBAOS.toByteArray();
+
+
+        ByteArrayOutputStream libaacdecBAOS = new ByteArrayOutputStream((int)softAAClib.length());
+        BinaryAssets.copy(new FileInputStream(softAAClib), libaacdecBAOS);
+        byte[] libaacdecSO = libaacdecBAOS.toByteArray();
+
+        ByteArrayOutputStream libvorbisidecBAOS = new ByteArrayOutputStream((int)libvorbisidec.length());
+        BinaryAssets.copy(new FileInputStream(libvorbisidec), libvorbisidecBAOS);
+        byte[] libvorbisidecSO = libvorbisidecBAOS.toByteArray();
+
+
+
+        KMPMatch binMatcher = new KMPMatch();
+
+        int indexOf = binMatcher.indexOf(libstagefrightSO, "b/23680780".getBytes());
+        boolean libstagefrightVulnerableToBug23680780 = indexOf == -1;
+        indexOf = binMatcher.indexOf(libvorbisidecSO, "b/23881715".getBytes());
+        boolean libstagefrightvulnerableToBug23881715 = indexOf == -1;
+        indexOf = binMatcher.indexOf(libaacdecSO, "b/23876444".getBytes());
+        boolean libstagefrightVulnerableToBug23876444 = indexOf == -1;
+
+
+        Log.d(TAG, "libstagefrightVulnerableToBug23680780: " + libstagefrightVulnerableToBug23680780);
+        Log.d(TAG, "libstagefrightvulnerableToBug23881715: " + libstagefrightvulnerableToBug23881715);
+        Log.d(TAG, "libstagefrightVulnerableToBug23876444: " + libstagefrightVulnerableToBug23876444);
+
+        //Only affects L and M
+        if(Build.VERSION.SDK_INT != Build.VERSION_CODES.M && Build.VERSION.SDK_INT != Build.VERSION_CODES.LOLLIPOP){
+            return false;
+        }
+
+        return  libstagefrightVulnerableToBug23680780 ||
+                libstagefrightvulnerableToBug23881715 ||
+                libstagefrightVulnerableToBug23876444;
+
+    }
+
+    @Override
+    public List<CPUArch> getSupportedArchitectures() {
+        List<CPUArch> supportedArchs = new ArrayList<CPUArch>();
+        supportedArchs.add(CPUArch.ARM7);
+        supportedArchs.add(CPUArch.ARM8);
+        supportedArchs.add(CPUArch.X86);
+        return supportedArchs;
+    }
+}

app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/helper/BinaryAssets.java

@@ -45,7 +45,7 @@ public static void extractAsset(Context ctx, String name, String destination, bo
     }
 
     private static final int BUFFER_SIZE = 2 * 1024 * 1024;
-    private static void copy(InputStream input, OutputStream output) throws IOException {
+    public static void copy(InputStream input, OutputStream output) throws IOException {
         try {
             byte[] buffer = new byte[BUFFER_SIZE];
             int bytesRead = input.read(buffer);

app/src/main/java/fuzion24/device/vulnerability/vulnerabilities/helper/KMPMatch.java

@@ -0,0 +1,48 @@
+package fuzion24.device.vulnerability.vulnerabilities.helper;
+/**
+ * Knuth-Morris-Pratt Algorithm for Pattern Matching
+ */
+public class KMPMatch {
+    /**
+     * Finds the first occurrence of the pattern in the text.
+     */
+    public int indexOf(byte[] data, byte[] pattern) {
+        int[] failure = computeFailure(pattern);
+
+        int j = 0;
+        if (data.length == 0) return -1;
+
+        for (int i = 0; i < data.length; i++) {
+            while (j > 0 && pattern[j] != data[i]) {
+                j = failure[j - 1];
+            }
+            if (pattern[j] == data[i]) { j++; }
+            if (j == pattern.length) {
+                return i - pattern.length + 1;
+            }
+        }
+        return -1;
+    }
+
+    /**
+     * Computes the failure function using a boot-strapping process,
+     * where the pattern is matched against itself.
+     */
+    private int[] computeFailure(byte[] pattern) {
+        int[] failure = new int[pattern.length];
+
+        int j = 0;
+        for (int i = 1; i < pattern.length; i++) {
+            while (j > 0 && pattern[j] != pattern[i]) {
+                j = failure[j - 1];
+            }
+            if (pattern[j] == pattern[i]) {
+                j++;
+            }
+            failure[i] = j;
+        }
+
+        return failure;
+    }
+}
+