Rule Category

OS-MOBILE -- Snort has detected traffic targeting vulnerabilities in a mobile-based operating system. This category covers attacks against the OS itself, not browser traffic or other software running on the OS.

Alert Message

OS-MOBILE Android Stagefright MP4 buffer overflow attempt

Rule Explanation

This event is generated when an attacker attempts to exploit a memory corruption vulnerability in Android Stagefright.

Impact: Attempted Administrator Privilege Gain

Details: This rule checks for attempts to exploit a memory corruption vulnerability in Android Stagefright's handling of MP4 files.

Ease of Attack:

What To Look For

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

MITRE ATT&CK Framework

Tactic:

Technique:

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

CVE

Rule Vulnerability

CVE Additional Information

CVE-2015-3824
The MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp in libstagefright in Android before 5.1.1 LMY48I does not properly restrict size addition, which allows remote attackers to execute arbitrary code or cause a denial of service (integer overflow and memory corruption) via a crafted MPEG-4 tx3g atom, aka internal bug 20923261.
Details
Severity: HIGH
Base Score: 10.0
Impact Score: 10.0
Exploit Score: 10.0
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Access Vector:
Authentication: NONE
Ease of Access:
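
The CVE text above attributes the memory corruption to an unrestricted size addition. The following is an added illustration of that bug class and its fix, not code from libstagefright or from the Snort rule: it shows a 32-bit size sum wrapping, next to a checked form that rejects the sum before any allocation or copy. The function names and the sample sizes are hypothetical and constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked form: a 32-bit sum of two untrusted sizes wraps modulo 2^32. */
static uint32_t unchecked_total(uint32_t existing, uint32_t chunk)
{
    return existing + chunk;
}

/* Checked form: refuse any sum that does not fit in 32 bits. */
static bool checked_total(uint32_t existing, uint32_t chunk, uint32_t *total)
{
    if (chunk > UINT32_MAX - existing)
        return false;
    *total = existing + chunk;
    return true;
}

/* Append one chunk to a growing buffer; state is left unchanged on failure. */
static bool append_chunk(uint8_t **buf, uint32_t *len,
                         const uint8_t *chunk, uint32_t chunk_len)
{
    uint32_t total;
    if (!checked_total(*len, chunk_len, &total))
        return false;               /* reject before allocating or copying */
    uint8_t *grown = realloc(*buf, total ? total : 1);
    if (grown == NULL)
        return false;
    if (chunk_len)
        memcpy(grown + *len, chunk, chunk_len);
    *buf = grown;
    *len = total;
    return true;
}

int main(void)
{
    /* Constructed sizes, not taken from a real file. */
    uint32_t existing = 0xFFFFFFF0u, chunk = 0x20u, total = 0;
    printf("unchecked sum: %u\n", (unsigned)unchecked_total(existing, chunk));
    printf("checked accepts: %d\n", checked_total(existing, chunk, &total));
    return 0;
}
```

With the unchecked sum, a buffer sized from the wrapped value would be far smaller than the data later copied into it, which is the condition the checked form prevents.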